CVE-2004-2677
qwikmail_smtp <= 0.3 - Remote Code Execution via Format String in SMTP Client Input
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2004-2677. PoCs published by Carlos Barros.
AI-analyzed exploit summary: This exploit targets a format string vulnerability in qwik-smtpd 0.3 on Fedora Core 2. It uses a two-stage attack to overwrite the GOT entry of exit() and execute shellcode, bypassing space character filtering by using 0x10 and decrementing it before the int 0x80 syscall.
Description
Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smtpd) 0.3 and earlier allows remote attackers to execute arbitrary code via format specifiers in the (1) clientRcptTo array, and the (2) Received and (3) messageID variables, possibly involving HELO and hostname arguments.