Rosiello Security's exploit for MDaemon

[Angelo Rosiello <angelo.rosiello () katamail com>]

                            © Rosiello Security

                          http://www.rosiello.org


Bug found by hat-squad security. 
Background by securiteam.com

MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides 
full security, includes seamless web access to your email via WorldClient, remote administration, and much 
more!".FORM2RAW.exe is a CGI that allows users to send emails using the MDaemon via a web page. It processes the fields 
of an HTML form and creates a raw message file in the raw queue directory of MDaemon mail server. This file then will 
be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a 
malformed CGI request to FORM2RAW.exe.

According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the 
email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable 
this behavior you can set the FromCheck=No in FORM2RAW.INI file". 

Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed by MDaemon will 
cause a Stack buffer overflow. The EIP register will be overwritten when the From field length is 249 bytes 


ADVISORY: http://www.rosiello.org/en/read_bugs.php?17
EXPLOIT: http://www.rosiello.org/archivio/mdaemon-exploit.c

The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1. 
The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 
EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668