CVE-2004-1211
published 2005-01-10


Priority: P3
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 72.46% (99.4th percentile)
Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands.

Affected (2 ranges)

Vendor: david_harris, Product: mercury, Version range: (not given), Fixed in: (not given)
Vendor: david_harris, Product: mercury_32, Version range: (not given), Fixed in: (not given)

Detection & IOCs (extracted from sources)

port: 143
command: 0001 CHECK AAAA...(x512)
command: A001 SELECT <buffer of 260 A's + RET + NOP sled + shellcode>
command: AUTH CRAM-MD5
bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74\x3f\x7c
  • Flag IMAP CHECK command payloads of 512 or more repeated bytes ('A' x 512) sent to port 143 as a DoS/overflow attempt against Mercury/32.
  • Flag IMAP SELECT command arguments exceeding 260 bytes followed by a 4-byte little-endian RET address and NOP sled pattern on port 143.
  • After exploitation, watch for outbound TCP connections from the Mercury/32 IMAP server process to attacker-controlled port 1981 (bind-shell callback) or inbound connections to port 4444 (bind shell).
  • The Metasploit module targets the RENAME command specifically; monitor for IMAP RENAME arguments exceeding normal mailbox name lengths on port 143.
  • Detect SMTP AUTH CRAM-MD5 base64-encoded payloads of anomalous length (>1300 bytes) sent to the Mercury/32 SMTP service; exploit DOC 7 delivers the overflow via the SMTP AUTH exchange.
  • The overflow offset for the SELECT command exploit is 260 bytes before the EIP overwrite; the RET address 0x782f28f7 is environment-specific and must be adjusted per target OS/DLL.
  • The SMTP exploit (DOC 7) targets Mercury/32 SMTP versions 3.32 through 4.51 with different RET addresses per target; the universal target uses TER32.dll at 0x258d0d1e (jmp esp).
  • The EIP overwrite offset for the SMTP AUTH CRAM-MD5 vector is at byte 204 within a 1300-byte buffer; shellcode is placed immediately after the 4-byte NOP sled following EIP.