Slmail 5.5 Serial

Multiple buffer overflows in SLMail 5.1.0.4420 allow remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server (CVE-2003-0264). Shouts to Mutts at #offsec

****************************************************************************

1. Fuzzing

We begin by fuzzing the application. It seems to crash at 'A'*2700.
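
The over-long POP3 password that triggers this crash is far outside what the protocol allows, so it can be flagged on the wire. The following is an added example, not part of the original write-up: a stream inspector that alerts on POP3 command lines exceeding the RFC 1939 argument limit (40 characters) or the RFC 2449 line limit (255 octets), including when the line is split across TCP segments. The class and function names and the sample session are assumptions constructed for illustration.

```python
MAX_ARG = 40    # RFC 1939: each argument may be up to 40 characters
MAX_LINE = 255  # RFC 2449: whole command line in octets, CRLF included

class Pop3Inspector:
    """Inspects one reassembled client-to-server POP3 byte stream."""

    def __init__(self):
        self.buf = b""
        self.overflowing = False  # inside an over-long line already reported

    def feed(self, data):
        """Consume one chunk (e.g. a TCP segment); return a list of alerts."""
        alerts = []
        self.buf += data
        while True:
            line, sep, rest = self.buf.partition(b"\n")
            if not sep:
                # No terminator yet: alert once, then stop buffering the flood.
                if len(self.buf) > MAX_LINE and not self.overflowing:
                    self.overflowing = True
                    alerts.append(self._alert(self.buf, "unterminated line over limit"))
                if self.overflowing:
                    self.buf = b""
                return alerts
            self.buf = rest
            if self.overflowing:  # tail of a line that was already reported
                self.overflowing = False
                continue
            reason = self._check(line + sep)
            if reason:
                alerts.append(self._alert(line, reason))

    def _check(self, line):
        if len(line) > MAX_LINE:
            return f"line is {len(line)} octets (limit {MAX_LINE})"
        for arg in line.split()[1:]:
            if len(arg) > MAX_ARG:
                return f"argument is {len(arg)} characters (limit {MAX_ARG})"
        return None

    def _alert(self, line, reason):
        # Only the verb is recorded, so a PASS argument never reaches the log.
        verb = line.split(b" ", 1)[0].strip().decode("ascii", "replace").upper()[:8]
        return {"verb": verb, "reason": reason}

def scan(chunks):
    insp = Pop3Inspector()
    return [alert for chunk in chunks for alert in insp.feed(chunk)]

# Constructed sample: a normal login, then a 2700-byte PASS split over two segments.
SAMPLE = [b"USER alice\r\n", b"PASS correct-horse\r\n", b"USER bob\r\nPASS " + b"A" * 1400,
          b"A" * 1300 + b"\r\n", b"QUIT\r\n"]
```

Calling `scan(SAMPLE)` yields a single alert for the oversized `PASS` line; the legitimate commands before and after it pass silently.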

***********************************************************

2. The Crash

When we view the program in Immunity we see it has crashed: EBP is overwritten, the stack pointer points to a location in memory full of 'A's, and EIP appears to be overwritten.

***********************************************************

3. POC Python Fuzz Script

***********************************************************

4. Controlling EIP

We use pattern_create to generate a 2700-byte unique string to send to the application so we can determine the exact offset of characters that overwrite EIP.

***********************************************************

5. Redirect Execution Flow

Now we look for unprotected modules that were loaded with our application, ideally to find a JMP ESP instruction that will transfer control flow to the memory address where we will eventually place our shellcode.

***********************************************************

6. Exploit - EIP Redirect

After finding the memory address of a JMP ESP instruction in a loaded module, we update our script so that this memory address is put in EIP and is therefore the next address the program goes to. Once there, it executes the JMP ESP and jumps back to ESP, the location in memory where we will place our shellcode.

The buffer: we need 'A'*2606 to get right up to EIP, followed by the memory address of the JMP ESP instruction we found, written in little-endian format. We then increase the buffer to 3500 bytes and calculate how much padding must follow the address, so that a large block of memory is overwritten and there is comfortable room for shellcode.

****************************************************************************

7. Shellcode

All that's left to do now is to embed some shellcode into the script which will be placed in the 'C' buffer and executed after the JMP ESP is executed.

A simple TCP reverse shell created with msfvenom should work nicely.

****************************************************************************

Reference:

https://www.exploit-db.com/exploits/638/

http://www.securityfocus.com/bid/7519/discuss

https://www.exploit-db.com/exploits/646/

http://www.cvedetails.com/cve/cve-2003-0264