CVE-2005-2287
published 2005-07-18

CVE-2005-2287: SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space…

Priority: P4 (29)
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: yes (a Metasploit module exists; see Detection & IOCs below)
EPSS: 56.83% (98.9th percentile)
SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.

Affected (2 ranges)

Vendor      Product       Version range   Fixed in
softiacom   wmailserver   (not listed)    (not listed)
softiacom   wmailserver   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

command: " " + rand_text_alpha_upper(5115) + [SEH payload] + rand_text_alpha_upper(200) + "\r\n\r\n"
bytes: \x81\xc4\xff\xef\xff\xff\x44
bytes: \xeb\x06
  • The SEH exploit targets SMTP on TCP port 25 with a buffer that begins with a single space character, followed by 5115 bytes of filler, the SEH overwrite record and payload, about 200 more filler bytes, and a terminating \r\n\r\n. Detect oversized greeting-stage TCP payloads on port 25 that begin with a space; a legitimate client's first line is a short command such as EHLO or HELO.
  • The module prefixes the encoded payload with the Metasploit stack-adjustment stub \x81\xc4\xff\xef\xff\xff\x44 (add esp, -0x1001; inc esp, which moves esp down by 0x1000 so that pushes made by the decoder or shellcode do not clobber the payload itself). This byte sequence in SMTP traffic on port 25 is a strong indicator of exploitation.
  • The DoS proof of concept sends about 539 bytes of 0x41 ('A') directly to TCP port 25 with no SMTP command prefix. Monitor for large, non-SMTP-conformant payloads of repeated 0x41 bytes on port 25.
  • The SEH overwrite places a short jump (\xeb\x06, jmp +6) in the next-SEH pointer slot; the jump skips the remaining two bytes of that slot and the 4-byte handler address that follows it, landing in the shellcode. On the wire this is EB 06, two arbitrary bytes, then the 4-byte little-endian handler address (8 bytes in total). Detect this pattern inside large SMTP payloads as an SEH chain overwrite indicator.
  • Known SEH handler return addresses used by the module: 0x75022ac4 (Windows 2000), 0x71aa32ad (Windows XP SP0/SP1), 0x776a1799 (Windows NT 4.0). In the payload they appear little-endian: c4 2a 02 75, ad 32 aa 71 and 99 17 6a 77. Flag SMTP payloads containing these byte sequences.
  • Bytes the encoder must avoid are \x00\x0a\x0d\x20 (null, LF, CR, space); the older module additionally excludes colon, equals, plus and double quote. Encoded shellcode in exploit traffic will therefore not contain these bytes.
  • The Metasploit module targets Windows only (win32, winnt, win2000, winxp); it does not apply to non-Windows deployments of wMailServer.
  • Payload space is limited to 600 bytes by the buffer layout, so the shellcode must fit in that space after encoding.
  • The module uses EXITFUNC=thread, so the shellcode exits by terminating its own thread rather than the process; the wMailServer process may survive exploitation, which affects post-exploitation stability and any detection that relies on process monitoring.
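The following detector is an added example written for this page; it is not code from the page, from SoftiaCom, or from the Metasploit module. It turns the indicators listed above into a scan over a single client-to-server TCP payload: the oversized leading-space buffer, the stack-adjustment stub, the jmp +6 SEH record followed by one of the three known handler addresses, and the raw 0x41 flood of the DoS proof of concept. The sample payloads are constructed here (filler is a fixed letter rather than random text, and the stub is assumed to sit directly after the SEH record, which the page's "[SEH payload]" placeholder does not spell out), and the length thresholds are assumptions chosen to be well below the real buffer sizes.

```python
import re
import struct
from typing import Dict, List

# Indicators from the bullet list above.
STACK_ADJUST_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"  # add esp,-0x1001 ; inc esp

SEH_HANDLERS: Dict[int, str] = {
    0x75022AC4: "Windows 2000",
    0x71AA32AD: "Windows XP SP0/SP1",
    0x776A1799: "Windows NT 4.0",
}

# nSEH slot = "\xeb\x06" + two filler bytes, then the 4-byte little-endian handler.
SEH_RECORD_RE = re.compile(
    rb"\xeb\x06.{2}("
    + b"|".join(re.escape(struct.pack("<I", a)) for a in SEH_HANDLERS)
    + rb")",
    re.DOTALL,
)

# Assumed thresholds: the real SEH buffer exceeds 5,000 bytes, the DoS PoC ~539.
LEADING_SPACE_MIN_LEN = 1024
A_FLOOD_MIN_LEN = 256


def le_hex(addr: int) -> str:
    """Render a 32-bit address as the little-endian bytes that appear on the wire."""
    return struct.pack("<I", addr).hex(" ")


def scan_smtp_payload(data: bytes) -> List[str]:
    """Return the indicator names found in one client->server SMTP TCP payload."""
    hits: List[str] = []
    if data.startswith(b" ") and len(data) >= LEADING_SPACE_MIN_LEN:
        hits.append(f"leading-space oversize buffer ({len(data)} bytes)")
    if STACK_ADJUST_STUB in data:
        hits.append("metasploit stack-adjust stub")
    m = SEH_RECORD_RE.search(data)
    if m:
        addr = struct.unpack("<I", m.group(1))[0]
        hits.append(f"seh overwrite jmp+6 -> 0x{addr:08x} ({SEH_HANDLERS[addr]})")
    flood = re.match(rb"A{%d,}" % A_FLOOD_MIN_LEN, data)
    if flood:
        hits.append(f"raw 0x41 flood ({len(flood.group(0))} bytes, no SMTP verb)")
    return hits


def build_seh_sample(ret: int = 0x71AA32AD) -> bytes:
    """Constructed sample following the page's command template ('B' stands in
    for rand_text_alpha_upper; stub placement after the SEH record is assumed)."""
    nseh = b"\xeb\x06" + b"BB"                    # jmp +6 over the handler pointer
    return (b" " + b"B" * 5115 + nseh + struct.pack("<I", ret)
            + STACK_ADJUST_STUB + b"\x90" * 64 + b"B" * 200 + b"\r\n\r\n")


DOS_SAMPLE = b"A" * 539                           # constructed: DoS PoC shape
BENIGN_SAMPLE = b"EHLO relay.example.test\r\n"    # constructed: normal client hello

if __name__ == "__main__":
    for name, pkt in [("seh", build_seh_sample()), ("dos", DOS_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, scan_smtp_payload(pkt) or "clean")
```

Feed it the first client payload of each port 25 connection (from a PCAP or an IDS hook); anything that returns a non-empty list deserves a closer look, and the stub or SEH-record hits in particular are far more specific than the length heuristic alone.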