CVE-2004-2501
published 2004-12-31


Priority: P345 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 14.06% (96.1th percentile)
Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailenable | mailenable_enterprise | | |
| mailenable | mailenable_professional | | |

Detection & IOCs (extracted from sources)

port: 143
port: 101
url: http://mailenable.com/hotfix/MEIMAPS-HF041125.zip
bytes: \xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF
  • Detect oversized IMAP command strings (~8202+ bytes) sent to port 143 targeting MailEnable IMAP service; payload begins with 3 bytes '\x41\x41\x41' followed by shellcode and padding up to 8202 bytes total before the CALL EDI return address.
  • After successful exploitation, the attacker connects to a bind shell on TCP port 101 on the victim host; monitor for unexpected inbound/outbound connections on port 101.
  • XOR-encoded shellcode (key 0x88) is embedded in the oversized IMAP payload; the shellcode stub starts with \xEB\x0F and contains the decoded string 'hack' (\x68\x61\x63\x6B) as a loop terminator.
  • Exploit targets MailEnable Professional v1.52 and Enterprise v1.01 IMAP service (MEIMAP/MEAISP); alert on buffer overflows via long command strings or abrupt connection termination after large data send to port 143.
  • The CALL EDI return address (0x10018c7a in MEAISP.dll) is described as 'Universal' for Win2k/NT4 but was only confirmed tested on Win2k SP4 Pro English, Win2k SP4 Pro French, and Win2k SP4 Server English; it may not apply to other OS versions.
  • The exploit payload size is hardcoded at 8202 bytes total (3 NOP-sled bytes + shellcode + padding + 4-byte return address); detection signatures based on exact payload size may miss variants with different shellcode lengths.

CVSS provenance

nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat: 5.0 MEDIUM