CVE-2006-1255
published 2006-03-19


Priority: P3 · 51 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 68.15% (99.2nd percentile)
Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.

Affected

1 range

Vendor    Product             Version range         Fixed in
mercur    mercur_messaging    <= 2005_5.0_sp3       (none listed)

Detection & IOCs (extracted from sources)

port: 143
command: a001 LOGIN <overflow_payload>
command: a001 LIST <overflow_payload>
command: <tag> select <overflow_payload>
registry: 0x7c2ec68b
registry: 0x77dc15c0
other: 0x01883A50 (CALL EBX in MCRFAX.DLL)
port: 4444
other: egg tag AGOU (0x41474f55)
bytes: \x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
bytes: \x54\x30\x30\x57\x54\x30\x30\x57 (egg tag w00tW00t)
bytes: \x81\xc4\x54\xf2\xff\xff (PrependEncoder stack adjustment)
  • Detect oversized IMAP LOGIN command strings targeting Mercur IMAP on port 143; a LOGIN argument exceeding ~228 bytes (payload space) is anomalous and indicative of exploitation.
  • Detect oversized IMAP SELECT command arguments (~251+ bytes) sent after successful authentication to Mercur IMAP service on port 143.
  • Detect oversized IMAP LIST command arguments sent after authentication; exploit sends ~1000+ byte LIST argument containing NOP sleds and shellcode.
  • Look for the egghunter tag bytes 0x54 0x30 0x30 0x57 (ASCII 'T00W') repeated twice in IMAP traffic as an indicator of egghunter-based exploitation of Mercur IMAP.
  • Detect the stack-adjustment prepend encoder sequence \x81\xc4\x54\xf2\xff\xff in IMAP LOGIN payloads, used by the Metasploit module for this CVE.
  • Monitor for outbound connections on port 4444 from the Mercur IMAP server process following receipt of a large IMAP command, indicating successful bind-shell payload execution.
  • The Metasploit module uses EXITFUNC=thread and targets Windows 2000 SP4 and Windows XP SP2; correlate RET addresses 0x7c2ec68b and 0x77dc15c0 appearing in IMAP stream data.
  • Payload space in the LOGIN overflow is very limited (228 bytes); the Metasploit module recommends reverse ordinal payloads and uses an egghunter to locate a larger second-stage payload delivered via the LIST command.
  • Bad characters for the LOGIN overflow payload are \x00 \x20 \x2c \x3a \x40 (null, space, comma, colon, at-sign); encoders must avoid these bytes.
  • The SELECT overflow exploit requires a valid authenticated session before sending the oversized SELECT argument; unauthenticated exploitation is not possible for the SELECT vector.
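The detection notes above reduce to a few checks on client-to-server IMAP lines: an oversized argument to LOGIN, SELECT or LIST, and the egghunter tag bytes appearing in the stream. The following Python is an added example (not cvebase's or Mercur's code) that applies those checks to a constructed IMAP session. The size thresholds (228, 251 and 1000 bytes) are the approximate figures quoted in the notes, and the sample lines are constructed for the demonstration; they contain no real payload.

```python
import re

# Approximate argument-size limits taken from the detection notes for this CVE;
# anything larger than these is anomalous for a legitimate client.
THRESHOLDS = {"LOGIN": 228, "SELECT": 251, "LIST": 1000}

# Egghunter tag 0x54 0x30 0x30 0x57 ("T00W") repeated twice, as listed in the IOCs.
EGG_TAG = b"T00WT00W"

# Minimal IMAP command grammar: <tag> <command> [arguments]
IMAP_CMD = re.compile(rb"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def inspect_imap_line(line: bytes) -> list:
    """Return the findings (strings) for one client-to-server IMAP line."""
    findings = []
    m = IMAP_CMD.match(line.rstrip(b"\r\n"))
    if m is None:
        return findings  # not a command line (continuation data, garbage, ...)

    cmd = m.group("cmd").upper().decode("ascii", "replace")
    args = m.group("args") or b""

    limit = THRESHOLDS.get(cmd)
    if limit is not None and len(args) > limit:
        findings.append(f"oversized {cmd} argument: {len(args)} bytes (> {limit})")

    if EGG_TAG in line:
        findings.append("egghunter tag T00WT00W present")

    return findings


def scan_session(lines) -> list:
    """Inspect every line of a session; returns (line_no, finding) pairs."""
    results = []
    for line_no, line in enumerate(lines, start=1):
        for finding in inspect_imap_line(line):
            results.append((line_no, finding))
    return results


# Constructed sample session: two benign commands, then an oversized LOGIN
# and an oversized LIST that also carries the egghunter tag.
SAMPLE_SESSION = [
    b"a001 LOGIN alice secret\r\n",
    b"a002 SELECT INBOX\r\n",
    b"a003 LOGIN " + b"A" * 300 + b"\r\n",
    b"a004 LIST " + b"\x90" * 1100 + b"T00WT00W\r\n",
]

if __name__ == "__main__":
    for line_no, finding in scan_session(SAMPLE_SESSION):
        print(f"line {line_no}: {finding}")
```

Run against the constructed session, the benign LOGIN and SELECT lines produce nothing, the 300-byte LOGIN argument trips the 228-byte threshold, and the LIST line is flagged twice: once for size and once for the egg tag. Because only the client side is inspected here, the "after authentication" condition from the notes is not enforced; a sensor with both directions of the stream would gate the SELECT and LIST checks on a prior `OK LOGIN` response.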