CVE-2009-3837
published 2009-11-02

CVE-2009-3837: Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 servers to execute arbitrary code via a long error message.

Priority: P352
Severity: critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 32.07% (98.1st percentile)

Affected (1 range)

Vendor: eureka-email
Product: eureka_email
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

Port: 110 (POP3, attacker-controlled server)
Command: -ERR <710 bytes junk><ret><egghunter><nops><junk>w00tw00t<bindshell>
Other: JMP ESP @ 0x7E429353 (user32.dll, Win XP SP3 English)
Other: JMP ESP @ 0x77D8AF0A (user32.dll, Win XP SP2 English)
Other: JMP ESP @ 0x7C867877 (kernel32.dll)
Other: JMP ESP @ 0x53934253 / 0x7e429353 (USER32.DLL XPSP3)
Port: 4444 (bind shell listener, per the payload layout above)
Process: Eureka Mail.exe
Bytes (egghunter, searches for the "w00t" tag):
\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
Bytes (egg tag marking the start of the bind shell):
w00tw00t
  • Detect oversized POP3 -ERR responses on port 110 exceeding 512 bytes (the RFC 1939 limit for a response line, CRLF included); these trigger the wsprintfA stack buffer overflow in Eureka Mail.exe at offset 0x43bdf2.
  • Look for the egghunter tag 'w00tw00t' in POP3 -ERR response payloads on port 110 as a strong indicator of an exploitation attempt.
  • Flag POP3 -ERR responses containing roughly 710 or more bytes of padding followed by a return address, consistent with the known EIP overwrite offset of 714 bytes for the reference setup (the exact offset shifts with the length of the attacker's host string, see below).
  • Monitor for rogue POP3 servers (port 110) sending excessively long -ERR messages; the exploit requires the victim to manually check mail (Ctrl-M) to trigger the vulnerable code path.
  • Detect the PrependEncoder stack-adjustment stub bytes (\x81\xc4\xff\xef\xff\xff\x44) prepended to the shellcode in POP3 -ERR payloads; the stub decodes as add esp, -0x1001 followed by inc esp, which moves ESP down 0x1000 bytes without a null byte in the encoding.
  • BadChars for this exploit are the null byte, LF, CR, and space (\x00\x0a\x0d\x20); the shellcode in -ERR payloads will not contain these bytes, which can help tune detection signatures.
  • The exploit is described as unreliable and only triggers when the victim manually checks mail via Ctrl-M; automated startup mail checks do not reach the vulnerable code path, which limits the exploitation window.
  • The EIP overwrite offset varies with the length of the attacker's LHOST IP address string, so the exact offset is dynamic across attacker IPs.
  • Return addresses (JMP ESP gadgets) are hardcoded per OS/SP version; the exploit targets Win XP SP2 and SP3 English only.
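The checks in the list above, as an added detection example that is not part of this page or of any vendor or Metasploit code: a Python scanner that inspects one server-to-client POP3 line for the indicators listed here (a line longer than the 512-byte RFC 1939 limit, the w00tw00t tag, the egghunter bytes, the stack-adjustment stub, and the four JMP ESP addresses in the little-endian byte order they take on the wire) and reports whether the body after "-ERR " is free of the exploit's bad characters. The sample lines are constructed for the example and follow the layout in the IOC list; the "A"/"B" filler and the int3 bytes standing in for the bind shell are illustrative placeholders, not the real exploit payload.

```python
import struct

# Indicators copied from the IOC list on this page.
EGGHUNTER = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF"
             b"\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
EGG_TAG = b"w00tw00t"
STACK_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"   # add esp,-0x1001 ; inc esp
RET_ADDRS = {
    0x7E429353: "JMP ESP user32.dll (Win XP SP3 English)",
    0x77D8AF0A: "JMP ESP user32.dll (Win XP SP2 English)",
    0x7C867877: "JMP ESP kernel32.dll",
    0x53934253: "JMP ESP USER32.DLL (XPSP3)",
}
# The addresses land in the overflow as little-endian dwords, so match on those bytes.
RET_BYTES = {struct.pack("<I", addr): label for addr, label in RET_ADDRS.items()}
BADCHARS = frozenset(b"\x00\x0a\x0d\x20")
MAX_POP3_LINE = 512   # RFC 1939: a response line, CRLF included, must not exceed 512 octets


def analyze_pop3_response(line: bytes) -> dict:
    """Inspect one server-to-client POP3 line for CVE-2009-3837 indicators."""
    result = {
        "is_err": line.startswith(b"-ERR"),
        "oversized": len(line) > MAX_POP3_LINE,
        "egg_tag": EGG_TAG in line,
        "egghunter": EGGHUNTER in line,
        "stack_stub": STACK_STUB in line,
        "ret_addrs": [],
        "ret_offset": None,        # byte offset of the first known JMP ESP address
        "badchar_free_body": False,
        "verdict": "benign",
    }
    if not result["is_err"]:
        return result              # only -ERR lines reach the vulnerable wsprintfA call
    for raw, label in RET_BYTES.items():
        idx = line.find(raw)
        if idx != -1:
            result["ret_addrs"].append(label)
            if result["ret_offset"] is None or idx < result["ret_offset"]:
                result["ret_offset"] = idx
    # Shellcode cannot contain the bad chars, so a long body without any of them
    # (spaces included) is another hint worth exposing to a signature writer.
    body = line[len(b"-ERR "):].rstrip(b"\r\n")
    result["badchar_free_body"] = bool(body) and not (BADCHARS & set(body))
    strong = (result["egg_tag"] or result["egghunter"]
              or result["stack_stub"] or result["ret_addrs"])
    if strong:
        result["verdict"] = "exploit"
    elif result["oversized"]:
        result["verdict"] = "suspicious"
    return result


def build_sample_payload() -> bytes:
    """Constructed test input mirroring the IOC layout
    -ERR <junk><ret><egghunter><nops><junk>w00tw00t<bindshell>.
    The filler and the int3 (\\xcc) bytes are placeholders, not shellcode."""
    return (b"-ERR " + b"A" * 710 + struct.pack("<I", 0x7E429353) + EGGHUNTER
            + b"\x90" * 16 + b"B" * 64 + EGG_TAG + STACK_STUB + b"\xcc" * 32 + b"\r\n")


# Constructed sample lines: one normal error, one merely oversized, a greeting, one exploit-shaped.
SAMPLES = {
    "benign": b"-ERR [AUTH] Invalid login or password\r\n",
    "oversized_only": b"-ERR " + b"A" * 600 + b"\r\n",
    "greeting": b"+OK POP3 server ready\r\n",
    "exploit": build_sample_payload(),
}


def scan(samples=SAMPLES) -> dict:
    """Map each sample name to the verdict the analyzer assigns it."""
    return {name: analyze_pop3_response(line)["verdict"] for name, line in samples.items()}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        r = analyze_pop3_response(line)
        print(f"{name:15s} verdict={r['verdict']:10s} len={len(line):4d} "
              f"ret={r['ret_addrs']} ret_offset={r['ret_offset']} "
              f"badchar_free={r['badchar_free_body']}")
```

The length check alone only yields "suspicious", since a misbehaving but honest server could exceed 512 bytes; any one of the byte-level indicators (tag, egghunter, stub, known gadget address) raises the verdict to "exploit". In practice the sample's ret_offset of 715 comes from the constructed "-ERR " prefix plus 710 filler bytes; a real capture will differ by the attacker host string length noted above, so signatures should match on the indicator bytes rather than a fixed offset.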