EDB-ID: 47554
CVE: N/A
Author: Lance Biggerstaff
Type: Remote
Platform: Windows
Date: 2019-10-29
Vulnerable App: MailCarrier 2.51

Exploit Details

Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
Original Exploit Author: Dino Covotsos - Telspace Systems
Vendor Homepage: https://www.tabslab.com/
Version: 2.51
Tested on: Windows 10
Note: Every version of Windows 10 has a different offset, and sometimes you need to run the exploit twice before you can pop a shell

Exploit Code

The exploit code is written in Python and attempts to exploit a buffer overflow in the POP3 USER command of MailCarrier 2.51. The code constructs a buffer with a specific length and content to overflow the buffer and execute arbitrary code. The buffer length is adjusted based on the source IP address length, and the exploit uses a JMP ESP instruction to redirect execution flow.

Key Points

Buffer length depends on the length of the source IP address.
The exploit may need to be run twice to successfully pop a shell.
The payload is constructed using byte sequences to form shellcode.
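
Because the overflow is carried in the argument of a POP3 USER command and the payload is raw shellcode bytes, client traffic to the server can be screened for USER lines that are oversized or contain bytes outside printable ASCII. The following is an added detection example, not part of the original exploit entry; the thresholds come from RFC 1939 (40-character arguments) and RFC 2449 (255-octet command lines), and the function names and sample traffic are constructed for illustration.

```python
# Screen the client side of a POP3 session for malformed USER commands.
MAX_LINE = 255  # RFC 2449: command line limit in octets, CRLF included
MAX_ARG = 40    # RFC 1939: maximum argument length (used here as alert threshold)


def check_user_line(line: bytes):
    """Return the reasons a client line is a suspicious USER command."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if verb.upper() != b"USER":   # POP3 keywords are case-insensitive
        return []
    reasons = []
    if len(line) + 2 > MAX_LINE:  # +2 accounts for the stripped CRLF
        reasons.append("line exceeds 255 octets")
    if len(arg) > MAX_ARG:
        reasons.append("argument exceeds 40 octets")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("argument has bytes outside printable ASCII")
    return reasons


def scan_stream(data: bytes):
    """Return (line_number, reasons) for every flagged line in a client stream."""
    findings = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        reasons = check_user_line(raw)
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample traffic: two normal lines, one oversized USER,
# one short USER carrying non-ASCII bytes.
SAMPLE = b"".join([
    b"USER alice\r\n",
    b"PASS example-password\r\n",
    b"USER " + b"A" * 300 + b"\r\n",
    b"user bob\x90\x90\r\n",
])

if __name__ == "__main__":
    for number, reasons in scan_stream(SAMPLE):
        print(f"line {number}: {', '.join(reasons)}")
```

The same length and character-set limits can be enforced inline by a POP3-aware proxy or IDS rule placed in front of the server.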