MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow

This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw.

Search Other Modules

Exploit Rank

• Great

Exploit Authors

• patrick < patrick [at] osisecurity.com.au >

Vulnerability References

• CVE-2003-1200
• OSVDB-3255
• BID-9317

Exploit Targets

• 0 - Universal MDaemon.exe (default)
• 1 - Debugging test

Exploit Development

• Source Code
• History

Similar Exploit Modules

• exploit/windows/http/adobe_robohelper_authbypass
• exploit/windows/http/altn_securitygateway
• exploit/windows/http/altn_webadmin
• exploit/windows/http/amlibweb_webquerydll_app
• exploit/windows/http/apache_chunked
• exploit/windows/http/apache_mod_rewrite_ldap
• exploit/windows/http/apache_modjk_overflow
• exploit/windows/http/badblue_ext_overflow
• exploit/windows/http/badblue_passthru
• exploit/windows/http/bea_weblogic_jsessionid

Exploit Usage Information

Exploit Module Options