[12590] in bugtraq
NetCPlus SmartServer3 POP 3.51.1 EXPLOIT
daemon@ATHENA.MIT.EDU (Ussr Labs)
Mon Nov 15 01:53:59 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NCBBKFKDOLAGKIAPMILPCELKCAAA.labs@ussrback.com>
Date: Mon, 15 Nov 1999 01:12:59 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To: BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
NetCPlus SmartServer3 POP 3.51.1 EXPLOIT
Problem:
The POP server that is part of the NetcPlus SmartServer3 email server has an
unchecked buffer that could allow an attacker to execute code on the server.
If the USER command is followed by an argument of over 800 characters, the
input buffer will be overflowed, and data from the argument will be passed
to the system to be executed at the privelege level of the SmartServ
program.
reference
advisory: BV-006: SmartServer3 Remote Buffer Overflow Technical Advisory
(Bindview)
Exploit:
The exploit will spawn a command prompt on port 666, and Re-Load the Service
of SmartServer3 POP 3.51.1, cuz we dont want stop the service. :)
Published by: Bindview
Credit:
Released November 11, 1999 in a Bindview security advisory.
To get binary for 3.51.1 Remote exploit go to
http://www.ussrback.com/ss351exp/SS351EXP.EXE
To get source code for 3.51.1 Remote exploit go to
http://www.ussrback.com/ss351exp/SS351EXP.ZIP
This has been tested on the NT version with a default installation
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.USSRBACK.COM
