cbcvebase.
CVE-2009-1029
published 2009-03-20

CVE-2009-1029: Stack-based buffer overflow in POP Peeper 3.4.0.0 and earlier allows remote POP3 servers to execute arbitrary code via a long Date header, related to Imap.dll.

PriorityP356critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
31.84%
98.1th percentile
Stack-based buffer overflow in POP Peeper 3.4.0.0 and earlier allows remote POP3 servers to execute arbitrary code via a long Date header, related to Imap.dll.

Affected

4 ranges
VendorProductVersion rangeFixed in
poppeeperpop_peeper<= 3.4.0.0
poppeeperpop_peeper
poppeeperpop_peeper
poppeeperpop_peeper

Detection & IOCsextracted from sources · hover to see the quote

port110
registry0x10014e39
commandDate: AAAA...132 bytes + nextSEH + SEH + NOP sled + shellcode
pathC:\Program Files\POP Peeper
commandsploit = "+OK\r\n1 " + rand_text_alpha_upper(1072) + generate_seh_payload(target.ret) + "\r\n.\r\n"
commandsploit = "Date: " + rand_text_alpha_upper(132) + generate_seh_payload(target.ret) + "\r\n.\r\n"
bytes
0x909006EB (JMP 6 next SEH)
bytes
0x10014E39 (Imap.dll pop pop ret SEH handler)
  • Detect oversized POP3 UIDL response lines: a UIDL response containing more than ~1072 alphanumeric characters on a single line is anomalous and indicative of this exploit.
  • Detect oversized POP3 Date headers: a Date header exceeding 132 bytes in a POP3 message delivery context is anomalous and indicative of this exploit.
  • Monitor for POP3 servers (port 110) sending responses with SEH overwrite patterns: look for the byte sequence 0x909006EB (JMP 6 nop sled stub) followed by 0x10014E39 in POP3 traffic.
  • The exploit payload bad characters are null byte, LF, space, and CR — encoded payload will be alphanumeric mixed; detect long alphanumeric-only strings in POP3 UIDL or Date fields as a sign of AlphanumMixed encoding.
  • Flag rogue POP3 servers (acting as listener on port 110) that send bind-shell shellcode; post-exploitation bind shell on port 55555 may indicate successful exploitation.
  • ·The SEH return address 0x10014E39 is specific to Imap.dll as shipped with POP Peeper v3.4 on Windows XP; this gadget address will differ on other OS versions or DLL builds.
  • ·The UIDL overflow requires 1072 bytes of padding before the SEH payload, while the Date overflow requires only 132 bytes — these offsets are specific to POP Peeper v3.4.0.0.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.