CVE-2007-4607

Quiksoft EasyMail SMTP Object <6.0.1 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2007-4607. PoCs published by Metasploit, rgod, joeyrideout, including Metasploit module exploits/windows/browser/oracle_dc_submittoexpress.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Oracle Document Capture 10g via an ActiveX control (emsmtp.dll). It uses a heap spray technique to execute arbitrary shellcode when a long string is passed to the 'SubmitToExpress' method.

Description

Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16579

This exploit targets a stack buffer overflow in Oracle Document Capture 10g via an ActiveX control (emsmtp.dll). It uses a heap spray technique to execute arbitrary shellcode when a long string is passed to the 'SubmitToExpress' method.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Document Capture 10g (10.1.3.5.0)
No auth needed
Prerequisites: Victim must visit a malicious webpage · ActiveX control must be installed and enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by rgod · htmlremotewindows
https://www.exploit-db.com/exploits/4328

This exploit targets a buffer overflow in Quiksoft EasyMail SMTP Object (emsmtp.dll 6.0.1) via the SubmitToExpress method. It leverages SEH overwrite and a JMP ESP technique to execute shellcode that launches calc.exe.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Postcast Server Pro 3.0.61 / Quiksoft EasyMail SMTP Object (emsmtp.dll 6.0.1)
No auth needed
Prerequisites: Target system with vulnerable emsmtp.dll 6.0.1 · Internet Explorer 6 on Windows XP SP2
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by joeyrideout · poc
https://github.com/joeyrideout/CVE-2007-4607

This repository contains a Python 2.7.15 32-bit PoC for CVE-2007-4607, targeting a buffer overflow vulnerability in EasyMail SMTP's SubmitToExpress method. The exploit attempts to trigger the vulnerability by passing an excessively long string (>99999 chars) to the method.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Theoretical
Target: EasyMail SMTP (emsmtp.dll)
No auth needed
Prerequisites: Windows environment with regsvr32 access · 32-bit Python 2.7.15 · pywin32 library · emsmtp.dll registered via regsvr32
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb

This Metasploit module exploits a stack buffer overflow in Oracle Document Capture 10g's ActiveX control (emsmtp.dll) via the 'SubmitToExpress' method. It uses heap spraying and JavaScript obfuscation to deliver a payload, achieving remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Document Capture 10g (10.1.3.5.0)
No auth needed
Prerequisites: Victim must visit a malicious webpage · ActiveX control must be enabled in Internet Explorer
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (10)

Core 10
Core References
Various Sources x_refsource_misc
https://community.ivanti.com/docs/DOC-50988
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25467
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/281977
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24199
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26639
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/38335
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36307
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4328
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-04/0220.html

Scores

EPSS 0.5638
EPSS Percentile 98.9%

Details

CWE
CWE-119
Status published
Products (2)
gate_comm_software/postcast_server_pro 3.0.61
quicksoft/easymail_objects
Published Aug 31, 2007
Tracked Since Feb 18, 2026