CVE-2004-0297
published 2004-11-23


Priority: P3 (55), critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 68.13% (99.2th percentile)
Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length.

Affected (2 ranges)

Vendor    Product  Version range  Fixed in
ipswitch  imail    -              -
ipswitch  imail    -              -

Detection & IOCs (extracted from sources)

  • filename: iLDAP.exe
  • port: 389
  • port: 31337
  • bytes: \x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20
  • bytes: \xeb\x06\x4a\x43
  • Detect exploit trigger: malformed LDAP bind request with oversized tag length field (0xff 0xff 0xff 0xff) sent to TCP/389. The exploit packet begins with the fixed header bytes 30 82 0a 3d 02 01 01 60 82 01 36 02 ff ff ff ff 20.
  • Total exploit buffer sent is 2650 bytes to TCP/389 in a single send(); anomalously large LDAP bind request should be flagged.
  • Post-exploitation reverse shell connects back on TCP/31337; monitor for iLDAP.exe spawning outbound connections or a shell listener on port 31337.
  • The Metasploit module for this vulnerability is imail_thc; look for the module path windows/ldap/imail_thc in IDS/SIEM logs or for Metasploit handler traffic on TCP/389.
  • The short-jump NOP sled marker bytes eb 06 appear at fixed offsets (77 and 85) within the exploit buffer; use a byte-pattern signature on LDAP traffic for this sequence following the header.
  • The Metasploit module's payload bad characters exclude null bytes, newlines, carriage returns, and spaces; payloads containing these bytes will not function correctly against this target.
  • The exploit uses two different buffer offsets depending on the IMail version: 60 bytes of padding for IMail 6/7 and 68 bytes for IMail 8; incorrect version selection will cause the exploit to fail.
  • Payload space is limited to 1024 bytes in the Metasploit module; staged or large payloads may not fit.