CVE-2004-1638
published 2004-10-16

CVE-2004-1638: Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.

Priority: P3 (49) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 62.76% (99.1th percentile)

Detection & IOCs (extracted from sources)

  • port: 101
  • command: EHLO <oversized_buffer>
  • command: EHLO <5095-byte NOP sled + RET + shellcode>
  • bytes: 0x0fa14c63
  • bytes: 0x0fa14ccf
  • bytes: 0x7c2ee21b
  • bytes: 0x7d17dd13
  • bytes: \xD3\x39\xD3\x77
  • bytes: \xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF
  • bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x81\x59\x47
  • Detect oversized EHLO/HELO commands on SMTP port 25 targeting MailCarrier 2.51; exploit payloads use buffers of ~5093–5106 bytes followed by a return address.
  • Fingerprint vulnerable MailCarrier 2.51 SMTP banners containing the string 'ESMTP TABS Mail Server for Windows NT' to identify exposed targets.
  • Alert on post-exploitation reverse shell connections to port 31337 originating from SMTP servers running MailCarrier.
  • The exploit bad characters for payload encoding are null byte, LF, CR, and colon (\x00\x0a\x0d:); use these to tune SMTP content inspection signatures.
  • The return address used in exploitation points into expsrv.dll (jmp esp gadget); monitor for abnormal execution flow involving expsrv.dll on Windows SMTP servers.
  • Return addresses are platform-specific; the Metasploit module targets Windows 2000 SP0 through XP SP2 (EN/FR/GR) only, using gadgets inside expsrv.dll.
  • The Metasploit payload space is limited to 300 bytes and requires LHOST to be set because the overflow length is calculated as 5106 minus the LHOST string length.
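The first and fourth detection bullets above, as an added example that is not part of this page, the MailCarrier product or any vendor tooling: a small Python scanner over SMTP client command lines that flags EHLO/HELO commands exceeding the RFC 5321 command-line limit, non-printable bytes in the hostname argument, and the byte sequences listed in the IOCs. The sample lines are constructed, and the 512-byte threshold is my assumption (the RFC 5321 command-line limit, not a figure from the exploit write-ups).

```python
"""Flag oversized or binary-laden EHLO/HELO commands in an SMTP client stream.

Added defensive example. Sample lines are constructed, not a real capture;
the 512-byte threshold is the RFC 5321 command-line limit, chosen here as
an assumption rather than taken from the vulnerability write-ups.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5321 section 4.5.3.1.4: a command line is at most 512 octets including CRLF.
# Exploit buffers for this CVE are ~5093-5106 bytes, so alerting at the RFC
# limit catches them with a wide margin.
RFC5321_MAX_CMD = 512

# Byte sequences listed in the IOC section above (return address and decoder
# stub); searched for inside the EHLO/HELO argument.
KNOWN_IOC_BYTES = {
    "ret_addr_0x77D339D3": b"\xD3\x39\xD3\x77",
    "decoder_stub": (b"\xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B"
                     b"\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF"),
}

_CMD_RE = re.compile(rb"^(EHLO|HELO)[ \t]+(.*)$", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    line_no: int
    verb: str
    arg_len: int
    reasons: Tuple[str, ...]


def inspect_command(line: bytes) -> Optional[Tuple[str, bytes, Tuple[str, ...]]]:
    """Return (verb, argument, reasons) for an EHLO/HELO line, else None.

    An empty reasons tuple means the command looked benign.
    """
    m = _CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2)
    reasons = []
    if len(line) > RFC5321_MAX_CMD:
        reasons.append(f"command line is {len(line)} bytes, over the RFC 5321 limit of {RFC5321_MAX_CMD}")
    # A hostname or address literal is printable ASCII; sleds and shellcode are not.
    if any(b < 0x20 or b >= 0x7F for b in arg):
        reasons.append("non-printable bytes in hostname argument")
    for name, pattern in KNOWN_IOC_BYTES.items():
        if pattern in arg:
            reasons.append(f"known IOC sequence present: {name}")
    return verb, arg, tuple(reasons)


def scan_stream(lines: List[bytes]) -> List[Finding]:
    """Run inspect_command over every client line and keep only the suspicious ones."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        result = inspect_command(raw)
        if result and result[2]:
            verb, arg, reasons = result
            findings.append(Finding(line_no, verb, len(arg), reasons))
    return findings


# Constructed sample client lines (not a real capture). Line 4 embeds the
# page's return-address bytes inside filler; line 5 is oversized but printable.
SAMPLE_CLIENT_LINES = [
    b"EHLO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"HELO relay.example.net\r\n",
    b"EHLO " + b"A" * 5095 + KNOWN_IOC_BYTES["ret_addr_0x77D339D3"] + b"\r\n",
    b"EHLO " + b"A" * 600 + b"\r\n",
]

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_CLIENT_LINES):
        print(f"line {f.line_no}: {f.verb} arg {f.arg_len} bytes")
        for r in f.reasons:
            print(f"    - {r}")
```

The length check alone is enough to catch this exploit class; the printable-ASCII and IOC checks are there so that a match is explainable in the alert rather than a bare "too long" signal. Running the same logic on a PCAP extract or a proxy log only requires feeding the client-side lines of each session into `scan_stream`.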