CVE-2003-1200
Published 2003-12-29
Priority P353 · Severity high · CVSS 2.0 base score 7.5 · Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available · EPSS 65.10% (99.2nd percentile)
Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
| alt-n | mdaemon | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x90 * 242 followed by jmp_short(61) then return address
Detection opportunities:
- Detect HTTP GET requests to /form2raw.cgi with a From parameter exceeding 249 bytes, indicative of an exploitation attempt against CVE-2003-1200.
- Monitor for a WorldClient HTTP server banner matching WDaemon/6.8.[0-5]; the Metasploit check uses this regex to confirm a vulnerable target.
- Alert on creation of new .raw files in C:\MDaemon\RawFiles\ following inbound HTTP requests to form2raw.cgi, as the exploit payload is written to the Raw Queue and executed by MDaemon.exe.
- Flag HTTP traffic on port 3000 containing the pattern 'GET /form2raw.cgi?From=' with a large From value, as the exploit targets WorldClient's default port.
- The exploit payload must avoid the bad characters \x00\x0a\x0d%\x20@<>&?|,;=`()${}\ #!~"\xff\/\\; NOP sleds and shellcode in the Body parameter will therefore not contain these bytes, which can be used to tune signature matching.
- Detect MDaemon.exe crashes or unexpected process restarts, especially recurring ones, as the exploit causes repeated execution until the raw file is manually removed.
Preconditions and caveats:
- X-FromCheck must be enabled (default) for the overflow in MDaemon.exe to trigger; if disabled, the CGI data is not processed by MDaemon and the overflow does not occur.
- WorldClient HTTP server must be installed (default) for the vulnerable CGI endpoint to be exposed; installations without WorldClient are not reachable via this attack vector.
- The Raw Queue is processed every 1 minute by default, up to 60 minutes; payload execution is delayed and WfsDelay must be set accordingly when using Metasploit.
- The Metasploit module uses a direct memory jump into a NOP sled, which is noted as unreliable; detection based on crash patterns may be more consistent than payload execution indicators.
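A request-line checker implementing the detection ideas above, added here as example code that is not from the page's sources or from any vendor tooling; the function names, the case-insensitive parameter match and the sample requests are assumptions.

```python
"""Flag HTTP request lines that match the CVE-2003-1200 exploitation pattern.
Assumed detection logic (example code, not from the page's sources): a GET to
/form2raw.cgi whose From parameter decodes to more than 249 bytes, plus a banner
check for the WorldClient builds named on the page. Samples are constructed."""
import re
from typing import Optional
from urllib.parse import urlsplit, unquote_to_bytes

FROM_LIMIT = 249  # From values longer than this are the trigger condition
BANNER_RE = re.compile(r"WDaemon/6\.8\.[0-5]")  # regex the Metasploit check uses

def from_param_length(request_line: str) -> Optional[int]:
    """Decoded byte length of the longest From value in a GET /form2raw.cgi
    request line; None if the line is not a request against that CGI.
    Parameter-name matching is case-insensitive (an assumption)."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path.lower() != "/form2raw.cgi":
        return None
    longest = 0
    for pair in url.query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "from":
            # Count bytes after percent-decoding, i.e. what the CGI copies.
            longest = max(longest, len(unquote_to_bytes(value.replace("+", " "))))
    return longest

def is_suspicious(request_line: str) -> bool:
    """True when the request targets form2raw.cgi with an oversized From."""
    length = from_param_length(request_line)
    return length is not None and length > FROM_LIMIT

def banner_is_vulnerable(server_header: str) -> bool:
    """True when a Server header names a WorldClient build in 6.8.0 to 6.8.5."""
    return BANNER_RE.search(server_header) is not None

# Constructed sample traffic: benign form post, oversized From, wrong path.
SAMPLE_REQUESTS = [
    "GET /form2raw.cgi?From=alice%40example.test&To=bob%40example.test HTTP/1.0",
    "GET /form2raw.cgi?From=" + "A" * 300 + "&Body=hello HTTP/1.0",
    "GET /index.html?From=" + "A" * 300 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(is_suspicious(line), line[:60])
```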
No detection rules found.
Exploit-DB: Alt-N MDaemon 6.8.5 - WorldClient 'form2raw.cgi' Remote Stack Buffer Overflow (Metasploit)
exploitdb · 2010-07-01
---
##
# $Id: mdaemon_worldclient_form2raw.rb 9653 2010-07-01 23:33:07Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'MDaemon %q{
This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for
versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),
a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,
by writing the CGI output to the Raw Queue. When X-FromCheck is enab
Exploit-DB: Alt-N MDaemon 6.x/WorldClient - Form2Raw Raw Message Handler Buffer Overflow (2)
exploitdb · 2003-12-29
---
// source: https://www.securityfocus.com/bid/9317/info
It has been reported that MDaemon/WorldClient mail server may be prone to a buffer overflow vulnerability when handling certain messages with a 'From' field of over 249 bytes. This issue may allow a remote attacker to gain unauthorized access to a system.
Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the vulnerable software in order to gain unauthorized access.
#include
#include
#include
#include
// Darn fucking 1337 macro shit
#define ISIP(m) (!(inet_addr(m) ==-1))
#define offset 267 //;267 //1024
// hmm :D
#define NOPS "\x90\x90\x90\x90\x90\x90\x90"
struct sh_fix
{
unsigned long _wsa
Exploit-DB: Alt-N MDaemon 6.x/WorldClient - Form2Raw Raw Message Handler Buffer Overflow (1)
exploitdb · 2003-12-29
---
// source: https://www.securityfocus.com/bid/9317/info
It has been reported that MDaemon/WorldClient mail server may be prone to a buffer overflow vulnerability when handling certain messages with a 'From' field of over 249 bytes. This issue may allow a remote attacker to gain unauthorized access to a system.
Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the vulnerable software in order to gain unauthorized access.
#include
#include
#include
#pragma comment (lib,"ws2_32")
#define RET 0x1dff160
#define PORT 3000
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
if(argc \n", argv[0]);
printf("%d",argc);
exit(0);
}
WSAStartup(MA
Metasploit: MDaemon WorldClient form2raw.cgi Stack Buffer Overflow
This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once th
No writeups or analysis indexed.
References
- http://hat-squad.com/bugreport/mdaemon-raw.txt
- http://marc.info/?l=bugtraq&m=107936753929354&w=2
- http://secunia.com/advisories/10512
- http://www.osvdb.org/3255
- http://www.securityfocus.com/archive/1/348454
- http://www.securityfocus.com/bid/9317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14097