

Installing SLMail

With our lab environment set up, it’s time to install the vulnerable software on the Victim VM, then establish First Contact with the vulnerability.

In this tutorial, we’re targeting SLMail, which can be downloaded from the Exploit Database. Simply click the download box next to the words “Vulnerable App”:

Download Server

Be sure to save the file in the folder you shared between your VMs, and name it something memorable, such as Vulnerable-SLMail.exe. Once downloaded, it should appear in the share drive on the Victim VM. Let’s go ahead and boot the VM up and take a look:

Installer Available

Good. Now I double-click the Vulnerable-SLMail.exe application to install SLMail to the system. I click “Next” on every prompt, accepting all default values and dismissing any warnings I see. At the end, the computer reboots, and when it starts back up again, I discover SLMail in the Start menu:

SLMail Installed

Excellent! We’re almost ready to begin developing our Buffer Overflow exploit! But there’s one last bit of information we’ll need: The Victim VM’s IP address. I start cmd.exe and use the ipconfig command to determine the Victim’s IP:

IPConfig

The Victim’s IP is 10.10.10.101. With that, we’re ready to get to work!


Are You Being Served?

The next step is to connect to SLMail and see how it operates normally. According to the CVE, one of the vulnerable vectors involves sending a long password to the server. After doing a little research on how the POP3 protocol works, I spin up the Kali VM. I want to communicate with the SLMail server, so I ensure that the host-only network on eth1 is active:

eth1 connected

Next, I check my IP address to ensure I’m on the same subnet:

eth1 ifconfig

Nice. The Attacker VM has IP 10.10.10.100.

Returning to the Victim VM, I click Start > All Programs > SL Products > SLMail > SLMail Configuration to bring up the SLMail Configuration utility. I click the Control tab and ensure that the system is running:

SLMail Running

Good. Next, I run Immunity Debugger, then click File > Attach (or hit Ctrl+F1) to bring up the attachment window. I type slmail and attach to the process:

SLMail Attached

After a moment, Immunity successfully attaches to the process, though execution is paused:

Immunity Paused

To start the application, I click Debug > Run (or hit F9). Now that the SLMail server is running on our Victim VM, let’s connect and see how it works! On the Attacker VM, I open a command terminal and use nmap to ensure that the SLMail server is visible over the host-only network:

root@haxys:~# nmap -p 110 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-25 12:45 EDT
Nmap scan report for 10.10.10.101
Host is up (0.00038s latency).

PORT    STATE    SERVICE
110/tcp filtered pop3
MAC Address: 08:00:27:F2:C4:86 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

The service shows as filtered (nmap got no reply to its probe at all), which means I probably forgot to turn off Windows Firewall. I return to the Victim VM, click Start > Control Panel, search for “Firewall”, click Windows Firewall, then click the Turn Windows Firewall on or off link on the left. I disable the firewall:

Disable Firewall

I click “OK”, then close the Settings menu. Returning to the Attacker VM, I run the portscan again:

root@haxys:~# nmap -p 110 -sV 10.10.10.101
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-25 12:51 EDT
Nmap scan report for 10.10.10.101
Host is up (0.00090s latency).

PORT    STATE SERVICE VERSION
110/tcp open  pop3    BVRP Software SLMAIL pop3d
MAC Address: 08:00:27:F2:C4:86 (Oracle VirtualBox virtual NIC)
Service Info: Host: IEWIN7

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds

Nice. I connect to the server with netcat, and attempt to log in:

root@haxys:~# nc 10.10.10.101 110
+OK POP3 server IEWIN7 ready <00002.3426827@IEWIN7>
USER test
+OK test welcome here
PASS test
-ERR unable to lock mailbox
QUIT
+OK POP3 server IEWIN7 signing off.

Excellent! Using the username and password test, I successfully failed to log in: the server accepted the USER command and answered the PASS command with an -ERR line, which is exactly the exchange we want to reproduce from a script.


Am I Getting Through?

Now that I know how the service behaves, I can write a simple Python script that connects to the service and runs through the same exchange:

#!/usr/bin/env python3.7

"""SLMail BoF PoC: First Contact."""

import socket

# Target IP and Port.
TARGET_ADDR = "10.10.10.101"
TARGET_PORT = 110

# How many seconds should we wait for a reply before we raise an error?
SOCKET_TIMEOUT = 10

# Create the socket outside the try block so the finally clause can always close it.
SOCKET = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
SOCKET.settimeout(SOCKET_TIMEOUT)

try:
    print("[*] Connecting...")
    SOCKET.connect((TARGET_ADDR, TARGET_PORT))
    # POP3 status lines are short, so a single recv() is enough for each reply here.
    REPLY = SOCKET.recv(1024)
    print(f"[>] Banner: {REPLY.decode().strip()}")
    print("[<] Sending username...")
    SOCKET.sendall(b"USER test\r\n")
    REPLY = SOCKET.recv(1024)
    print(f"[>] Response: {REPLY.decode().strip()}")
    print("[<] Sending password...")
    SOCKET.sendall(b"PASS test\r\n")
    REPLY = SOCKET.recv(1024)
    print(f"[>] Response: {REPLY.decode().strip()}")
    SOCKET.sendall(b"QUIT\r\n")
    print("[*] Disconnected.")
except (socket.timeout, ConnectionResetError):
    # A timeout or reset from a service that answered a moment ago usually means it died.
    print("[!] Connection timed out or reset. Did the server crash?")
except ConnectionRefusedError:
    print("[!] Connection refused. Is the server running?")
finally:
    SOCKET.close()

I save the script as slmail_bof_0.py. Running the script, I get the following output:

root@haxys:~/ShareDrive/BoF-SLMail# chmod +x slmail_bof_0.py
root@haxys:~/ShareDrive/BoF-SLMail# ./slmail_bof_0.py
[*] Connecting...
[>] Banner: +OK POP3 server IEWIN7 ready <00003.4146662@IEWIN7>
[<] Sending username...
[>] Response: +OK test welcome here
[<] Sending password...
[>] Response: -ERR unable to lock mailbox
[*] Disconnected.

Great! As you can see, the script performed the same tasks I did when I connected using netcat. Namely, it receives the banner, sends the username, receives a reply, sends the password, receives another reply, and finally sends the QUIT command to disconnect.

We’ll use this script as the foundation for the proof-of-concept (PoC) code we develop throughout the rest of the tutorial.
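The netcat session and the script above both lean on the fact that each POP3 reply is a single, short status line. As an added example (not code from the original tutorial), here is a small line-oriented POP3 client that reads exactly one CRLF-terminated line per reply, classifies it as +OK or -ERR, and treats a closed socket as a distinct condition from a timeout, which is the signal that matters once the server starts crashing. The `FakeSocket` class and the `CANNED` replies are constructed stand-ins so the block runs offline; in the lab you would hand `first_contact` a real connected socket.

```python
def parse_reply(line: bytes) -> tuple:
    """Split one POP3 status line into (ok, text); anything else is a protocol error."""
    text = line.decode("latin-1").rstrip("\r\n")
    if text.startswith("+OK"):
        return True, text[3:].strip()
    if text.startswith("-ERR"):
        return False, text[4:].strip()
    raise ValueError("not a POP3 status line: %r" % text)

def read_line(sock, max_len: int = 4096) -> bytes:
    """Read exactly one CRLF-terminated line so replies never split or merge.
    An empty recv() means the peer closed the socket: the sign of a dead server."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionResetError("server closed the connection")
        buf += chunk
        if len(buf) > max_len:
            raise ValueError("status line exceeds %d bytes" % max_len)
    return bytes(buf)

def first_contact(sock, user: bytes = b"test", password: bytes = b"test") -> list:
    """Replay the banner / USER / PASS / QUIT exchange; return [(ok, text), ...]."""
    transcript = [parse_reply(read_line(sock))]  # greeting banner comes first
    for cmd in (b"USER " + user, b"PASS " + password, b"QUIT"):
        sock.sendall(cmd + b"\r\n")
        transcript.append(parse_reply(read_line(sock)))
    return transcript

class FakeSocket:
    """Constructed stand-in that replays canned server lines so this runs offline."""
    def __init__(self, replies: list):
        self._rx = bytearray(b"".join(replies))
        self.sent = []  # every command the client wrote, for inspection
    def recv(self, n: int) -> bytes:
        chunk, self._rx = bytes(self._rx[:n]), self._rx[n:]
        return chunk
    def sendall(self, data: bytes) -> None:
        self.sent.append(data)

# Constructed replies mirroring the netcat session above (not captured traffic).
CANNED = [b"+OK POP3 server IEWIN7 ready <00002.3426827@IEWIN7>\r\n",
          b"+OK test welcome here\r\n", b"-ERR unable to lock mailbox\r\n",
          b"+OK POP3 server IEWIN7 signing off.\r\n"]
if __name__ == "__main__":
    # In the lab, swap FakeSocket(CANNED) for socket.create_connection(("10.10.10.101", 110), timeout=10).
    for ok, text in first_contact(FakeSocket(CANNED)):
        print("+OK" if ok else "-ERR", text)
```

Reading byte-by-byte until CRLF is slow but deliberate: it guarantees that a reply is never truncated or glued to the next one, so a missing line can only mean the server stopped talking.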

