CVE-2011-4040
published 2011-11-21

CVE-2011-4040: Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows remote attackers to execute arbitrary code via a crafted packet.

Priority: P2 (67) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 65.68% (99.2nd percentile)

Affected

1 range
Vendor: njstar · Product: njstar_communicator · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: http://www.njstar.com/download/njcom.exe
bytes: \x8d\x44\x24\x80\xff\xe0\x90\x90 (x86: lea eax,[esp-0x80]; jmp eax; nop; nop, a stub that jumps back 128 bytes into the buffer below the stack pointer)
  • The MiniSMTP server listens on TCP port 25 and is vulnerable to a stack buffer overflow triggered by a crafted packet. The saved return address is overwritten after 247 bytes of attacker-controlled input.
  • The MiniSMTP server keeps running in the background after the NJStar Communicator GUI is closed, so the listener, and with it the attack surface, persists after apparent application closure.
  • The Metasploit module uses an egg-hunter with the tag 'w00t'. The egg placed in the buffer is the 4-byte tag repeated twice ('w00tw00t') immediately followed by the real payload, so that 8-byte sequence in traffic to port 25 is a strong indicator of an exploitation attempt; the tag is configurable, so its absence does not rule one out.
  • The ASLR-bypass exploit sends four sequential SMTP packets with specific padding lengths (275, 271, 263 and 171+22 bytes) and ROP gadget return addresses taken from the application's own module (0x41122d, 0x41122b) to bypass ASLR on Windows 7. Written as 32-bit little-endian values these addresses end in a 0x00 byte, which is a bad character for this target, so each address can only appear as the final bytes of the data that reaches the buffer.
  • The exploit uses EXITFUNC=thread: when the payload exits it calls ExitThread rather than ExitProcess, so the MiniSMTP process survives exploitation and keeps listening. A crashed or missing service is therefore not a reliable indicator; a child process spawned from the SMTP server process (for example a command shell) is what process-creation monitoring should key on.
  • The shellcode in the ASLR-bypass exploit launches calc.exe (the string 'calc' appears as bytes 0x63 0x61 0x6C 0x63 and '.exe' as 0x2E 0x65 0x78 0x65) as a proof of concept; a real payload would be substituted at the same offset.
  • The Metasploit module targets Windows XP SP1/SP2/SP3 and Windows Server 2003 SP0 using hardcoded JMP ESP addresses in kernel32.dll, ntdll.dll and user32.dll. These addresses are build-specific and will not work on patched or different OS builds.
  • The ASLR-bypass exploit targets Windows 7 Ultimate and uses ROP gadgets from the application's own non-ASLR module at fixed addresses (0x41122d, 0x41122b). This only works while the NJStar module is not ASLR-enabled (not built with /DYNAMICBASE).
  • The null byte (0x00) is a bad character for the payload; any shellcode or encoder output used must avoid null bytes.
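The indicators above can be turned into a small offline check. The following is an added example written for this page, not code from cvebase, NJStar or the Metasploit module: it scans raw TCP payloads sent to port 25 for an SMTP line long enough to reach the 247-byte return-address offset, the doubled egg-hunter tag, the lea/jmp stub listed in the IOCs and the little-endian ROP gadget addresses. It assumes the Metasploit default tag 'w00t' and that the egg is the tag written twice; the sample packets are constructed here (the 'BBBB' return address is a stand-in, not a real JMP ESP address), and no real capture is involved.

```python
import struct
from dataclasses import dataclass

SMTP_PORT = 25
OVERWRITE_OFFSET = 247                      # bytes of input before the saved return address (from the page)
EGG_TAG = b"w00t"                           # assumed Metasploit default tag; the egg carries it twice
STACK_STUB = b"\x8d\x44\x24\x80\xff\xe0"    # lea eax,[esp-0x80] ; jmp eax (the IOC bytes, minus the NOPs)
ROP_GADGETS = (0x41122D, 0x41122B)          # non-ASLR NJStar module addresses from the ASLR-bypass exploit


@dataclass(frozen=True)
class Finding:
    rule: str      # which indicator fired
    offset: int    # byte offset in the payload
    detail: str    # human-readable context


def _find_all(haystack: bytes, needle: bytes):
    """Yield every offset of needle in haystack (overlapping matches included)."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan_payload(payload: bytes) -> list:
    """Apply the page's indicators to one TCP payload destined for the MiniSmtp listener."""
    findings = []

    # Rule 1: an SMTP line long enough to reach the saved return address.
    # Lines end in CRLF; a trailing fragment without CRLF still counts as a line.
    pos = 0
    for line in payload.split(b"\r\n"):
        if len(line) > OVERWRITE_OFFSET:
            findings.append(Finding("oversized_line", pos,
                                    f"{len(line)}-byte line exceeds the {OVERWRITE_OFFSET}-byte offset"))
        pos += len(line) + 2

    # Rule 2: the doubled egg-hunter tag that precedes the real payload.
    for idx in _find_all(payload, EGG_TAG * 2):
        findings.append(Finding("egg_tag", idx, f"egg tag {EGG_TAG!r} repeated twice"))

    # Rule 3: the lea/jmp stub used to jump back into the buffer.
    for idx in _find_all(payload, STACK_STUB):
        findings.append(Finding("stack_stub", idx, "lea eax,[esp-0x80]; jmp eax"))

    # Rule 4: little-endian return addresses of the ROP gadgets.
    for addr in ROP_GADGETS:
        for idx in _find_all(payload, struct.pack("<I", addr)):
            findings.append(Finding("rop_gadget", idx, f"return into 0x{addr:06x}"))

    return findings


def scan_packets(packets) -> dict:
    """packets: iterable of (packet_no, dst_port, payload). Only port-25 traffic is inspected."""
    results = {}
    for no, dst_port, payload in packets:
        if dst_port != SMTP_PORT:
            continue
        hits = scan_payload(payload)
        if hits:
            results[no] = hits
    return results


# Constructed sample traffic (not a capture): a normal session plus two crafted packets.
BENIGN = (b"EHLO mail.example.test\r\n"
          b"MAIL FROM:<alice@example.test>\r\n"
          b"RCPT TO:<bob@example.test>\r\n")

# Modelled on the Metasploit layout: filler, return address, pivot stub, egg + payload.
MSF_STYLE = (b"A" * OVERWRITE_OFFSET       # filler up to the saved return address
             + b"BBBB"                     # stand-in for the JMP ESP address (hypothetical)
             + STACK_STUB + b"\x90\x90"    # pivot stub exactly as listed in the IOCs
             + EGG_TAG * 2 + b"\xcc" * 32  # egg: doubled tag, then stand-in shellcode
             + b"\r\n")

# Modelled on the ASLR-bypass first packet: 275 bytes of padding, then a gadget address whose
# trailing 0x00 byte forces it to be the last thing in the packet (no CRLF follows).
ROP_STYLE = b"B" * 275 + struct.pack("<I", ROP_GADGETS[0])

SAMPLE_PACKETS = [(1, 25, BENIGN), (2, 80, MSF_STYLE), (3, 25, MSF_STYLE), (4, 25, ROP_STYLE)]


if __name__ == "__main__":
    for no, hits in scan_packets(SAMPLE_PACKETS).items():
        for f in hits:
            print(f"packet {no} +{f.offset:4d} {f.rule:14s} {f.detail}")
```

Rule 1 is the one that survives a changed egg tag or a different gadget set, since any attack on this bug has to push at least 247 bytes through a single SMTP line; the other three rules are cheap exact-match confirmations for the two public exploits. Packet 2 is deliberately sent to port 80 to show that the port filter keeps the byte-pattern rules from firing on unrelated traffic.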