CVE-2005-1348
published 2005-05-02


Priority: P261 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 72.62% (99.4th percentile)
Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to execute arbitrary code via a long HTTP Authorization header.

Affected (3 ranges)

Vendor      Product                  Version range  Fixed in
mailenable  mailenable               -              -
mailenable  mailenable_enterprise    <= 1.04        -
mailenable  mailenable_professional  <= 1.54        -

Detection & IOCs (extracted from sources)

port: 8080
other: 0x006c36b7 (Return address for MEHTTPS.exe Universal target)
process: MEHTTPS.exe
command: GET / HTTP/1.0\r\nAuthorization: <NOP sled + shellcode + RET>\r\n\r\n
bytes: \x6c\x36\xb7 (RET address for Win2003, MEHTTPS.exe)
bytes: \x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b... (win32_adduser shellcode, USER=hack PASS=hack)
  • Detect oversized HTTP Authorization header sent to port 8080 targeting MailEnable HTTPMail service (MEHTTPS.exe); a large/binary Authorization header value is the exploit trigger.
  • Fingerprint vulnerable MailEnable service by checking HTTP response banner for 'MailEnable' string; Metasploit check method uses this to confirm exposure.
  • Payload bad characters are \x0d and \x0a (CR/LF); any Authorization header containing binary data other than these bytes should be treated as suspicious on MailEnable HTTP ports.
  • Monitor for creation of unexpected local user accounts (e.g., username 'hack') following inbound requests to MailEnable's HTTPMail port, as the exploit shellcode runs win32_adduser.
  • The hardcoded RET address (0x006c36b7) in both the standalone exploit and Metasploit module targets MEHTTPS.exe on Windows Server 2003 only; different OS/patch levels will require different return addresses.
  • Affected versions are MailEnable Enterprise Edition prior to 1.0.5 and MailEnable Professional prior to 1.55; versions at or above these thresholds are not vulnerable.
  • Exploit payload space is limited to 512 bytes, constraining the usable shellcode size for detection rule tuning.
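The first and third detection notes above, written out as a check on raw request bytes. This is an added example, not code from the advisory or from MailEnable; the function names and the 256-byte ceiling are assumptions to tune per environment, and the sample requests are constructed.

```python
# Assumed tuning value (not from the advisory): legitimate Basic/Digest/NTLM
# Authorization values are short printable ASCII. Adjust for your traffic.
MAX_AUTH_LEN = 256
MAILENABLE_HTTP_PORTS = {8080}  # HTTPMail port listed on this page


def extract_authorization(raw_request: bytes):
    """Return the raw Authorization header value, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            return value.strip(b" \t")
    return None


def inspect_request(dst_port: int, raw_request: bytes):
    """Return the reasons a request matches the overflow-trigger profile."""
    if dst_port not in MAILENABLE_HTTP_PORTS:
        return []
    value = extract_authorization(raw_request)
    if value is None:
        return []
    reasons = []
    if len(value) > MAX_AUTH_LEN:
        reasons.append(f"oversized Authorization value ({len(value)} bytes)")
    # Printable ASCII is 0x20-0x7e; anything outside it is binary content.
    binary = sum(1 for b in value if b < 0x20 or b > 0x7E)
    if binary:
        reasons.append(f"{binary} non-printable byte(s) in Authorization value")
    return reasons


# Constructed sample traffic (not captured data).
BENIGN = b"GET / HTTP/1.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
LONG_ASCII = b"GET / HTTP/1.0\r\nAuthorization: " + b"A" * 600 + b"\r\n\r\n"
BINARY = b"GET / HTTP/1.0\r\nAuthorization: " + bytes([0x01, 0xFE]) * 8 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("long", LONG_ASCII), ("binary", BINARY)):
        print(label, inspect_request(8080, req))
```

The two conditions are reported separately so a rule can alert on either one: a short binary value is still anomalous on this port even when it is under the length ceiling.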