lib/msf/core/exploit/remote/imap.rb

# -*- coding: binary -*-
module Msf


###
#
# This module exposes methods that may be useful to exploits that deal with
# servers that speak the IMAP protocol.
#
###
module Exploit::Remote::Imap

  include Exploit::Remote::Tcp

  #
  # Creates an instance of an IMAP exploit module.
  #
  def initialize(info = {})
    super

    # Register the options that all IMAP exploits may make use of.
    register_options(
      [
        Opt::RHOST,
        Opt::RPORT(143),
        OptString.new('IMAPUSER', [ false, 'The username to authenticate as']),
        OptString.new('IMAPPASS', [ false, 'The password for the specified username'])
      ], Msf::Exploit::Remote::Imap)
  end

  #
  # This method establishes a IMAP connection to host and port specified by
  # the RHOST and RPORT options, respectively.  After connecting, the banner
  # message is read in and stored in the 'banner' attribute.
  #
  def connect(global = true)
    fd = super

    # Wait for a banner to arrive...
    self.banner = fd.get_once(-1, 30)

    # Return the file descriptor to the caller
    fd
  end

  #
  # Connect and login to the remote IMAP server using the credentials
  # that have been supplied in the exploit options.
  #
  def connect_login(global = true)
    ftpsock = connect(global)


    if !(user and pass)
      print_status("No username and password were supplied, unable to login")
      return false
    end

    print_status("Authenticating as #{user} with password #{pass}...")
    res = raw_send_recv("a001 LOGIN #{user} #{pass}\r\n")

    if (res !~ /^a001 OK/)
      print_status("Authentication failed")
      return false
    end

    return true
  end

  #
  # This method transmits an IMAP command and waits for a response.  If one is
  # received, it is returned to the caller.
  #
  def raw_send_recv(cmd, nsock = self.sock)
    nsock.put(cmd)
    nsock.get_once
  end


  ##
  #
  # Wrappers for getters
  #
  ##

  #
  # Returns the user string from the 'IMAPUSER' option.
  #
  def user
    datastore['IMAPUSER']
  end

  #
  # Returns the user string from the 'IMAPPASS' option.
  #
  def pass
    datastore['IMAPPASS']
  end

protected

  #
  # This attribute holds the banner that was read in after a successful call
  # to connect or connect_login.
  #
  attr_accessor :banner

end

end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 00:18:28 -05:00			`# -- coding: binary --`
Imap exploits 2005-12-05 05:00:27 +00:00			`module Msf`


			`###`
			`#`
			`# This module exposes methods that may be useful to exploits that deal with`
			`# servers that speak the IMAP protocol.`
			`#`
			`###`
			`module Exploit::Remote::Imap`

			`include Exploit::Remote::Tcp`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
Thanks Rhys 2006-11-07 14:39:13 +00:00			`# Creates an instance of an IMAP exploit module.`
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
			`def initialize(info = {})`
			`super`
Retab lib 2013-08-30 16:28:33 -05:00
Thanks Rhys 2006-11-07 14:39:13 +00:00			`# Register the options that all IMAP exploits may make use of.`
Imap exploits 2005-12-05 05:00:27 +00:00			`register_options(`
			`[`
			`Opt::RHOST,`
			`Opt::RPORT(143),`
switch to use a service specific user/pass datastore option to avoid payload conflicts 2006-02-08 01:07:47 +00:00			`OptString.new('IMAPUSER', [ false, 'The username to authenticate as']),`
			`OptString.new('IMAPPASS', [ false, 'The password for the specified username'])`
Thanks Rhys 2006-11-07 14:39:13 +00:00			`], Msf::Exploit::Remote::Imap)`
Imap exploits 2005-12-05 05:00:27 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
			`# This method establishes a IMAP connection to host and port specified by`
			`# the RHOST and RPORT options, respectively. After connecting, the banner`
			`# message is read in and stored in the 'banner' attribute.`
			`#`
			`def connect(global = true)`
			`fd = super`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`# Wait for a banner to arrive...`
Add pop3/imap4 scanners 2010-02-26 19:06:26 +00:00			`self.banner = fd.get_once(-1, 30)`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`# Return the file descriptor to the caller`
			`fd`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
Add pop3/imap4 scanners 2010-02-26 19:06:26 +00:00			`# Connect and login to the remote IMAP server using the credentials`
Imap exploits 2005-12-05 05:00:27 +00:00			`# that have been supplied in the exploit options.`
			`#`
			`def connect_login(global = true)`
			`ftpsock = connect(global)`
Retab lib 2013-08-30 16:28:33 -05:00

Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(user and pass)`
Imap exploits 2005-12-05 05:00:27 +00:00			`print_status("No username and password were supplied, unable to login")`
			`return false`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`print_status("Authenticating as #{user} with password #{pass}...")`
fix for connect_login 2006-12-29 11:33:16 +00:00			`res = raw_send_recv("a001 LOGIN #{user} #{pass}\r\n")`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`if (res !~ /^a001 OK/)`
			`print_status("Authentication failed")`
			`return false`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`return true`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
			`# This method transmits an IMAP command and waits for a response. If one is`
			`# received, it is returned to the caller.`
			`#`
			`def raw_send_recv(cmd, nsock = self.sock)`
			`nsock.put(cmd)`
			`nsock.get_once`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00

Imap exploits 2005-12-05 05:00:27 +00:00			`##`
			`#`
			`# Wrappers for getters`
			`#`
			`##`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
switch to use a service specific user/pass datastore option to avoid payload conflicts 2006-02-08 01:07:47 +00:00			`# Returns the user string from the 'IMAPUSER' option.`
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
			`def user`
switch to use a service specific user/pass datastore option to avoid payload conflicts 2006-02-08 01:07:47 +00:00			`datastore['IMAPUSER']`
Imap exploits 2005-12-05 05:00:27 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
missed option 2006-02-08 01:12:26 +00:00			`# Returns the user string from the 'IMAPPASS' option.`
Imap exploits 2005-12-05 05:00:27 +00:00			`#`
			`def pass`
missed option 2006-02-08 01:12:26 +00:00			`datastore['IMAPPASS']`
Imap exploits 2005-12-05 05:00:27 +00:00			`end`

			`protected`

			`#`
			`# This attribute holds the banner that was read in after a successful call`
			`# to connect or connect_login.`
			`#`
			`attr_accessor :banner`

			`end`

Add pop3/imap4 scanners 2010-02-26 19:06:26 +00:00			`end`