CVE-2004-1558
published 2004-12-31


Priority: P3 50 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 71.11% (99.3rd percentile)
Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.

Affected (10 ranges)

Vendor | Product | Version range | Fixed in
ypops | ypops | (not listed) | (not listed)   (this row appears 9 times)
ypops | emailypops_! | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

port: 110
command: 220 YahooPOPs
  • Detect exploit attempts by monitoring for SMTP banner string 'YahooPOPs! Simple Mail Transfer Service Ready' followed by oversized payloads exceeding 503 bytes on the SMTP port.
  • Alert on connections to TCP port 101 after an SMTP session to a YahooPOPs server, as the shellcode binds a shell on port 101 post-exploitation.
  • Detect the JMP EBX opcode (\xff\xe3) appended after a large NOP sled and shellcode in SMTP traffic to YahooPOPs servers; the exploit constructs a payload of exactly 508 bytes minus shellcode size filled with \x90 NOPs.
  • The Metasploit module uses a fixed offset of 503 bytes before the return address across all targets; monitor for SMTP payloads of ~503+ bytes sent to YahooPOPs SMTP service.
  • The exploit leverages a JMP EBX gadget in ws2_32.dll; monitor for EIP control redirecting to ws2_32.dll address space on Windows hosts running YahooPOPs.
  • For POP3 exploitation (CVE-2004-1558 related), monitor for requests exceeding 180 bytes on TCP port 110 to YahooPOPs, which can overwrite EAX and ECX.
  • The JMP ESP return address (\x23\x9b\x02\x10) is sourced from libcurl.dll bundled with YahooPOPs, making it version-specific and not requiring an offset update per the exploit author.
  • The SMTP overflow exploit cannot be directly adapted for POP3 (port 110) with a full bind/reverse shell due to insufficient buffer space; only a limited payload may fit on POP3.
  • The Metasploit module targets YPOPS 0.6 (and possibly 0.5, 0.4.5.1, 0.4.5) via the POP3 service, while the standalone exploits (577, 582) target SMTP on version 1.6; detection rules should account for both service vectors.
  • Bad characters for payload encoding are \x00 and \x25; payloads containing these bytes will not function correctly.