cbcvebase.
CVE-2007-4607
published 2007-08-31

Priority: P3 · 51 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 56.38% (98.9th percentile)
Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.

Affected (1 range)

Vendor: gate_comm_software
Product: postcast_server_pro
Version range: (not specified)
Fixed in: (not specified)

Detection & IOCs (extracted from sources)

filename: emsmtp.dll
other: CLSID 68AC0D5F-0424-11D5-822F-00C04F6BA8D9
other: EasyMail.SMTP.6 (ProgID)
command: EasyMailSMTPObj.SubmitToExpress <long_argument>
other: 0x7E412C78 (jmp esp in user32.dll)
bytes: %eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
  • Detect instantiation of the vulnerable ActiveX control by its ProgID 'EasyMail.SMTP.6' or CLSID '68AC0D5F-0424-11D5-822F-00C04F6BA8D9' in browser/script contexts.
  • Alert on calls to the 'SubmitToExpress' method of the EasyMailSMTPObj ActiveX control with an argument length exceeding normal bounds (PoC uses 539+ 'A' characters plus shellcode).
  • Detect heap spray targeting address 0x0a0a0a0a with large allocation (0x40000) in JavaScript, a pattern used by the Metasploit module for this CVE.
  • Monitor for presence of emsmtp.dll version 6.0.1 loaded in browser processes (iexplore.exe); versions prior to 6.0.3.15 are considered vulnerable.
  • The exploit uses a JMP ESP gadget at 0x7E412C78 in user32.dll; detect stack pivots or return-address overwrites pointing to this address on Windows XP/Vista targets.
  • The JMP ESP ROP gadget address (0x7E412C78 in user32.dll) is specific to Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 / IE 7; it will differ on other OS/patch levels.
  • The vulnerability may have been silently patched in emsmtp.dll version 6.0.3.15; detections targeting the DLL version should account for this boundary.
  • The Metasploit module applies JavaScript obfuscation (ObfuscateJS) to variable names and shellcode, so static string-based signatures on variable names will have low reliability.