CVE-2005-4411
published 2005-12-20

CVE-2005-4411: Buffer overflow in Mercury Mail Transport System 4.01b allows remote attackers to execute arbitrary code via a long request to TCP port 105.

Priority: P2 (60) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 64.66% (99.1st percentile)

Affected

1 range
Vendor: david_harris
Product: mercury_mail_transport_system
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 105/tcp
other: ret=0x0041f283 (Mercury Mail Transport System 4.01b Win2k SP4/WinXP SP2)
other: ret=0x71aa32ad (Windows XP Pro SP0/SP1 English)
other: ret=0x75022ac4 (Windows 2000 Pro English ALL)
command: sploit = rand_text_alphanumeric(224) + payload + "\xeb\x06" + nops(2) + ret + [0xe8, -450].pack('CV') + "\r\n"
bytes (XOR decoder stub: key 0xC2, loop count 0x125): \xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\xC2\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
bytes (standalone exploit layout): 41 x 408 + shellcode + \x90\x90\xeb\x04 + ret + JJJJKKKKLLLLMMMMNNNNOOOOPPPP + \xe9\x87\xfe\xff\xff
  • Detect oversized requests to TCP port 105 (Mercury PH Server); the overflow is triggered by a single request of 408 or more bytes to this port.
  • Look for the standalone exploit's padding pattern: 408 'A' bytes followed by shellcode and the byte sequence \x90\x90\xeb\x04 on TCP port 105.
  • The Metasploit module uses 224 bytes of alphanumeric padding before the payload on TCP port 105; alert on large single-line requests to port 105 with this structure.
  • Bad characters for this exploit are the null byte, space, LF and CR (\x00\x20\x0a\x0d); a long request body to port 105 that contains none of them is suspicious, since a legitimate PH query is a short command line.
  • The exploit targets the Mercury/32 PH Server Module (stack-based buffer overflow); monitor for unexpected child processes or outbound connections from the Mercury/32 process after connections on port 105.
  • The Metasploit module sets EXITFUNC to 'thread', so the payload exits only its own thread; process-level crash detection may not fire on successful exploitation.
  • The Metasploit module sets StackAdjustment to -3500, which prepends a large `sub esp` to the payload so the decoder does not overwrite the payload while it runs; ESP stays on the thread's stack, so stack-pivot heuristics that key on ESP leaving the stack range may not fire.
  • The standalone exploit (EDB-1375) XOR-encodes the callback IP and port with 0xC2 before embedding them in the shellcode; static shellcode signatures must account for this encoding.
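The following Python triage script is an added example, not code from this page or from either exploit source. It applies the checks above to captured client-to-server PH requests (oversize single-line request, 408-byte 'A' run, the three return addresses as they appear on the wire, the two exploit trailers, and the XOR decoder stub) and recovers the stub's key and decoded body, which is where the standalone exploit hides the callback IP and port. The byte patterns and addresses are taken from the IOC list; the 400-byte size threshold, the fixed NOP bytes in the Metasploit-layout sample and both sample requests are constructed assumptions (no real shellcode).

```python
"""Triage helpers for CVE-2005-4411 traffic (Mercury/32 PH server, TCP/105).

Added example, not code from the CVE page or from the exploit sources. The
byte patterns and return addresses come from the page's IOC list; the two
sample requests at the bottom are constructed (no real shellcode) and the
size threshold is an assumption to tune per environment.
"""
import re
import struct

PH_PORT = 105
OVERSIZE = 400            # assumption: real PH queries are one short line; the exploits send 408+ bytes
BADCHARS = b"\x00\x20\x0a\x0d"

# Return addresses from the IOC list, keyed to the build they target.
RET_ADDRS = {
    0x0041f283: "Mercury 4.01b on Win2k SP4 / WinXP SP2 (Metasploit target)",
    0x71aa32ad: "Windows XP Pro SP0/SP1 English",
    0x75022ac4: "Windows 2000 Pro English ALL",
}
RET_RE = re.compile(b"|".join(re.escape(struct.pack("<I", a)) for a in RET_ADDRS))

# EDB-1375 layout: 408 'A', shellcode, nop nop jmp+4, ret (4), 28 filler bytes, jmp back (e9 87 fe ff ff).
EDB_TAIL_RE = re.compile(rb"\x90\x90\xeb\x04.{4}.{28}\xe9\x87\xfe\xff\xff", re.S)
# Metasploit layout: 224 alnum, payload, jmp+6, two NOP-equivalents, ret (4), call -450 (e8 3e fe ff ff), CRLF.
MSF_TAIL_RE = re.compile(rb"\xeb\x06.{2}.{4}\xe8\x3e\xfe\xff\xff\r\n", re.S)
# Decoder stub from the IOC list: mov cx,LEN ; xor byte [ebx+ecx],KEY ; loop
XOR_STUB_RE = re.compile(rb"\x66\xb9(..)\x80\x34\x0b(.)\xe2\xfa", re.S)
XOR_STUB = bytes.fromhex("EB105B4B33C966B9250180340BC2E2FAEB05E8EBFFFFFF")


def triage_request(dst_port: int, data: bytes) -> list[str]:
    """Return findings for one client->server request; an empty list means nothing matched."""
    findings = []
    if dst_port != PH_PORT:
        return findings
    body = data.rstrip(b"\r\n")
    if len(data) >= OVERSIZE:
        findings.append(f"oversize PH request ({len(data)} bytes)")
        if not any(c in body for c in BADCHARS):
            findings.append("oversize body free of exploit bad chars 00/20/0a/0d")
    if re.match(rb"A{408}", data):
        findings.append("408-byte 'A' padding (EDB-1375 layout)")
    for m in RET_RE.finditer(data):
        addr = struct.unpack("<I", m.group(0))[0]
        findings.append(f"known return address 0x{addr:08x}: {RET_ADDRS[addr]}")
    if EDB_TAIL_RE.search(data):
        findings.append("EDB-1375 trailer (nop nop jmp+4, ret, filler, jmp back)")
    if MSF_TAIL_RE.search(data):
        findings.append("Metasploit trailer (jmp+6, ret, call -450)")
    if XOR_STUB_RE.search(data):
        findings.append("XOR decoder stub present")
    return findings


def decode_xor_stub(data: bytes):
    """Recover (key, length, decoded payload) from a request carrying the decoder stub, else None.

    Stub: jmp +0x10 / pop ebx / dec ebx / xor ecx,ecx / mov cx,LEN / xor byte [ebx+ecx],KEY /
    loop / jmp +5 / call -0x15.  The call pushes the address just after itself, so the
    encoded payload is the LEN bytes that follow the 23-byte stub.
    """
    m = XOR_STUB_RE.search(data)
    if not m:
        return None
    length = struct.unpack("<H", m.group(1))[0]
    key = m.group(2)[0]
    start = m.end() + 7                  # skip 'jmp +5' (2 bytes) and 'call' (5 bytes)
    return key, length, bytes(b ^ key for b in data[start:start + length])


def build_edb_sample() -> bytes:
    """Constructed request in the EDB-1375 layout; the 'payload' is a marker string, not shellcode."""
    secret = b"connectback=10.0.0.5:4444"                    # stands in for the encoded IP:port
    plain = secret + b"\xcc" * (0x125 - len(secret))         # 0x125 bytes, as the stub's mov cx expects
    return (b"A" * 408 + XOR_STUB + bytes(b ^ 0xC2 for b in plain)
            + b"\x90\x90\xeb\x04" + struct.pack("<I", 0x71aa32ad)
            + b"JJJJKKKKLLLLMMMMNNNNOOOOPPPP" + b"\xe9\x87\xfe\xff\xff" + b"\r\n")


def build_msf_sample() -> bytes:
    """Constructed request in the Metasploit layout (fixed bytes where the module randomises)."""
    return (b"B" * 224 + b"\xcc" * 500 + b"\xeb\x06\x90\x90"
            + struct.pack("<I", 0x0041f283) + struct.pack("<Bi", 0xe8, -450) + b"\r\n")


if __name__ == "__main__":
    for name, req in [("benign", b"query smith\r\n"), ("edb", build_edb_sample()), ("msf", build_msf_sample())]:
        print(name, triage_request(PH_PORT, req))
    print(decode_xor_stub(build_edb_sample())[2][:25])
```

The benign query produces no findings while both constructed requests are flagged. Note that the Metasploit target's return address 0x0041f283 carries a null byte on the wire, so a "no bad characters anywhere" heuristic misses that layout (bad-character avoidance only constrains the payload portion); the return-address and trailer checks still catch it.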