CVE-2003-0264
published 2003-05-27


Priority: high (CVSS 2.0 base score 7.5; vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 71.48% (99.3th percentile)
Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.

Affected (1 range)
Vendor: seattle_lab_software; Product: slmail; Version range: not given; Fixed in: not given

Detection & IOCs (extracted from sources)

port: 110
process: slmail.exe
path: %SYSTEM%\system32\SLMFC.DLL
command: PASS <oversized buffer>
other: Return address 0x5f4a358f (jmp esp, SLMFC.DLL, all Windows versions/SPs)
other: Return address 0x783d6ddf (jmp esp, Win2k SP4)
other: Return address 0x773a459f (jmp esp, Win2k Server SP4)
other: Return address 0x7CB41010 (JMP ESP, Windows XP)
other: Stack fix stub: \x81\xc4\xff\xef\xff\xff\x44 followed by \xe9\xcb\xfd\xff\xff
other: BadChars: \x00\x0a\x0d\x20
bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66\x1c\xc2
bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45
  • Detect oversized PASS commands on POP3 port 110: the buffer offset before the EIP overwrite is 2606 or 4654 bytes, so any PASS argument exceeding ~2600 bytes should be treated as malicious.
  • Monitor POP3 (port 110) for PASS commands containing long runs of 0x41 ('A') padding followed by a return address and NOP sled (0x90) bytes, the characteristic shape of this stack overflow exploit.
  • Alert on POP3 PASS commands whose password field exceeds 2600 bytes; the vulnerability is unauthenticated and triggers before any credential check.
  • After exploitation, POP3 port 110 becomes unusable until the slmail.exe service is restarted; monitor for sudden POP3 service unavailability following a large PASS request.
  • Detect the known shellcode byte sequence at the start of the payload: FC 6A EB 4D E8 F9 FF FF FF 60 8B 6C 24 24 8B 45 (reverse shell / bind shell loader used across multiple exploits for this CVE).
  • Monitor for unexpected bind-shell connections on port 4444 involving the SLMail server host following a large POP3 PASS request.
  • Check POP3 banners against the pattern the Metasploit module expects, /^\+OK POP3 server (.*) ready/; a banner that no longer matches may indicate a crashed or exploited service.
  • The return address 0x5f4a358f (from SLMFC.DLL) works across all Windows versions and service packs tested; defenders should not assume a specific OS version for this exploit.
  • Older versions of SLMail prior to 5.5 may also be vulnerable to the same exploit; testing was not performed on older versions.
  • Null bytes (0x00), newlines (0x0a, 0x0d), and spaces (0x20) are bad characters and cannot appear in the payload; shellcode must be encoded to avoid these bytes.
  • SLMFC.DLL's last modification date is 06/02/99, suggesting the vulnerable code path has been unchanged for years and the DLL is a stable gadget source.
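As an added example (not from cvebase or any of the cited sources), the three traffic-level checks above applied to constructed POP3 client commands in Python: the ~2600-byte PASS threshold, the 0x41 padding followed by a 0x90 sled, and the shellcode prefix all come from the notes above; the sample session and its filler bytes are constructed.

```python
import re

# Detection parameters from the notes above (this checker is an added example,
# not tooling from any cited source).
PASS_LEN_THRESHOLD = 2600
SHELLCODE_PREFIX = bytes.fromhex("fc6aeb4de8f9ffffff608b6c24248b45")
# A long run of 'A' (0x41) padding, then up to 8 bytes (a return address),
# then a run of 0x90 NOPs; DOTALL so '.' also matches \n bytes.
PAD_THEN_NOPS = re.compile(rb"A{64,}.{0,8}?\x90{8,}", re.DOTALL)


def inspect_pop3_command(line: bytes) -> list[str]:
    """Return findings for one client->server POP3 command line (empty if benign)."""
    findings: list[str] = []
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() != b"PASS":
        return findings  # only the PASS argument reaches the vulnerable buffer
    if len(arg) > PASS_LEN_THRESHOLD:
        findings.append(f"oversized PASS argument ({len(arg)} bytes)")
    if PAD_THEN_NOPS.search(arg):
        findings.append("0x41 padding followed by 0x90 NOP sled")
    if SHELLCODE_PREFIX in arg:
        findings.append("known shellcode prefix FC 6A EB 4D ...")
    return findings


def scan_session(lines: list[bytes]) -> dict[int, list[str]]:
    """Map line index -> findings for every command that triggered a check."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_pop3_command(line))}


# Constructed sample session: a normal login, then a PASS argument shaped like
# the overflow described above (2606 filler bytes, 4 placeholder address bytes,
# a NOP sled, the known shellcode prefix and some constructed filler).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"PASS " + b"A" * 2606 + b"RET!" + b"\x90" * 16 + SHELLCODE_PREFIX + b"\xcc" * 40 + b"\r\n",
]

if __name__ == "__main__":
    for idx, hits in scan_session(SAMPLE_SESSION).items():
        print(f"line {idx}: " + "; ".join(hits))
```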