CVE-2007-1373
published 2007-03-10


Priority: P2 (62, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: yes
EPSS: 58.69% (99.0th percentile)
Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport System) 4.01b and earlier allows remote attackers to execute arbitrary code via a long LOGIN command. NOTE: this might be the same issue as CVE-2006-5961.

Affected

1 range
Vendor  Product                        Version range  Fixed in
pmail   mercury_mail_transport_system  <= 4.01b       not listed

Detection & IOCs (extracted from sources)

port: 143
command: A001 LOGIN <1008 spaces> {<rand>}\n
version: Mercury/32 v4.01a or v4.01b
  • Detect oversized IMAP LOGIN commands (~1008+ spaces followed by a literal size specifier) targeting Mercury/32 IMAP on port 143; the exploit sends 'A001 LOGIN' padded with 1008 spaces then a literal continuation block.
  • Banner-match Mercury/32 IMAP banner for versions 4.01a or 4.01b to identify vulnerable hosts.
  • The exploit uses a two-stage IMAP literal send: first a LOGIN command with a literal size specifier, then a follow-up payload block; detect multi-packet IMAP LOGIN sequences with abnormally large literal sizes on port 143.
  • Total exploit buffer size is approximately 625 bytes for the C PoC exploit; monitor for IMAP LOGIN payloads of this exact size.
  • Bad characters for payload encoding are 0x00, 0x0a, 0x0d, and 0x20 (space/newline); shellcode in exploit traffic will avoid these bytes.
  • Post-exploitation shell-back connection expected on port 4444 from the victim host; monitor outbound TCP connections from the Mercury/32 process to port 4444.
  • The Metasploit module sets EXITFUNC to 'thread', meaning the exploit spawns a thread for shellcode execution and may not crash the main Mercury/32 process, making crash-based detection unreliable.
  • Payload space is limited to 800 bytes with a stack adjustment of -3500; payloads larger than 800 bytes will not work with this exploit module.
  • The C exploit targets only Windows 2000 SP4, Windows XP SP1/SP2, and Windows 2003 SP0/SP1 with hardcoded return addresses; other OS versions require different RET addresses and are not covered.
  • The vulnerability may be the same as CVE-2006-5961; detections and patches should account for both CVE identifiers.
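As an added example (not from this page's sources or from any vendor tool), the following Python sketch implements the first three detection notes above: it flags client IMAP LOGIN lines whose whitespace padding or announced literal size is abnormally large, and matches the vulnerable Mercury/32 banner. The thresholds, the banner text and the sample session lines are constructed assumptions, not values from the page.

```python
import re

# Assumed thresholds: a normal client sends a single space after LOGIN and
# small literals; the PoC described above uses 1008 spaces and a literal block.
PADDING_THRESHOLD = 256
LITERAL_THRESHOLD = 512

# Versions the page lists as vulnerable (banner format is an assumption).
VULN_BANNER = re.compile(r"Mercury/32 v4\.01[ab]\b")
# TAG LOGIN <padding> <rest>; IMAP tags are any non-blank token.
LOGIN_RE = re.compile(r"^(?P<tag>\S+)\s+LOGIN(?P<pad>[ \t]+)(?P<rest>.*)$", re.IGNORECASE)
# Trailing literal size specifier {n} or {n+} (non-synchronising literal).
LITERAL_RE = re.compile(r"\{(?P<n>\d+)\+?\}\s*$")


def inspect_login(line):
    """Return the reasons (possibly none) a client LOGIN line looks like CVE-2007-1373 traffic."""
    m = LOGIN_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    reasons = []
    pad = len(m.group("pad"))
    if pad >= PADDING_THRESHOLD:
        reasons.append(f"login padded with {pad} whitespace chars")
    lit = LITERAL_RE.search(m.group("rest"))
    if lit and int(lit.group("n")) >= LITERAL_THRESHOLD:
        reasons.append(f"oversized literal {{{lit.group('n')}}} announced")
    return reasons


def is_vulnerable_banner(banner):
    """True when a server greeting advertises one of the affected Mercury/32 builds."""
    return bool(VULN_BANNER.search(banner))


def scan_session(lines):
    """Walk a captured client->server IMAP session (one command per line); return (line_no, reason) alerts."""
    alerts = []
    for i, line in enumerate(lines, 1):
        for reason in inspect_login(line):
            alerts.append((i, reason))
    return alerts


# Constructed sample session: two benign logins, then a LOGIN shaped like the PoC.
SAMPLE_SESSION = [
    "A001 LOGIN alice {5}",
    "A002 LOGIN bob secret",
    "A003 LOGIN" + " " * 1008 + "{1024}",
]
```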