Vulnerability Development mailing list archives

Eudora Pro Buffer Overflow testing in progress - help needed.


From: zoa_chien () INAME COM (Zoa_Chien)
Date: Fri, 28 Apr 2000 14:31:47 +0200


I had a quick look at this nice bug in Eudora that caused many vuln-dev
subscribers to crash.

tested version: 4.2.0.5

If you mail someone a file that has an extension with over 213 chars in it,
Eudora will crash.

You could test it with this filename,
_.aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrss
ssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLL
LLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUWWWWXXXXYYYYZZZZ1111222233334444555566
66777788889999aaAAbbBB

the 3334 are the first bytes that overwrite the EIP.

Leaving us very little space to execute some arbitrary code.
(Unless it's possible to send files from non-Microsoft OSes that contain
even more chars in the extension; that could give us some more room.)

Just a thought: I guess Eudora first downloads into RAM, and then saves it.
This means what is in the attached file should be in ram... maybe you can
just link to that in memory and put the executable code in the file itself
instead of in the extension. (it might be difficult to find the correct
address).

If it's not possible to exploit... at least it's a nice DoS.

For those who want to check this out: some guidelines for your convenience:
        - Unclick leave mail on server.
        - send yourself such a mail
        - "restore" eudora by deleting the /spool directory in your eudora directory.

Enjoy.
PS: does anyone have some tutorial on "buffer overflow testing with SoftICE"?
Anyone willing to post a detailed analysis on this? Like that Solar Eclipse
text on Wordpad some time ago?
thnx! (I don't have the time nor the knowledge to do so.)
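Added example, not part of the original post: a mail-gateway style check that parses a raw message with Python's standard `email` module and flags any attachment whose filename extension exceeds the 213-character limit reported above. The sample message and the 248-character extension pattern are constructed here from the post's test filename.

```python
import email
from email import policy

# Threshold quoted in the post: Eudora 4.2.0.5 crashed on attachment
# filename extensions longer than 213 characters.
MAX_EXT_LEN = 213


def extension_length(filename):
    """Length of the text after the last dot; 0 if there is no extension."""
    if not filename or "." not in filename:
        return 0
    return len(filename.rsplit(".", 1)[1])


def find_overlong_extensions(raw_message, limit=MAX_EXT_LEN):
    """Parse a raw RFC 822 message and return (filename, extension_length)
    for every MIME part whose attachment name has an extension over `limit`."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2047/2231 encoded names
        ext_len = extension_length(name)
        if ext_len > limit:
            hits.append((name, ext_len))
    return hits


# Constructed test pattern from the post: each character repeated four
# times (V is absent there too), giving 248 characters after the dot.
LONG_EXT = (
    "".join(c * 4 for c in "abcdefghijklmnopqrstuvwxyz")
    + "".join(c * 4 for c in "ABCDEFGHIJKLMNOPQRSTUWXYZ")
    + "".join(c * 4 for c in "123456789")
    + "aaAAbbBB"
)

# Constructed two-attachment message: one harmless name, one overlong extension.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nok\r\n'
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="_.' + LONG_EXT.encode()
    + b'"\r\n\r\nxx\r\n'
    b"--b1--\r\n"
)
```

Running `find_overlong_extensions(SAMPLE_MESSAGE)` reports only the second attachment; a gateway could quarantine such messages before they reach a vulnerable client.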

