cbcvebase.
CVE-2007-4440
published 2007-08-21


Priority: P259 · high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 64.51% (99.1th percentile)
Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mail Transport System, possibly 4.51 and earlier, allows remote attackers to execute arbitrary code via a long AUTH CRAM-MD5 string. NOTE: this might overlap CVE-2006-5961.

Affected

1 range

Vendor   Product                         Version range   Fixed in
pmail    mercury_mail_transport_system   <= 4.51         (none given)

Detection & IOCs (extracted from sources)

port: 1154
command: AUTH CRAM-MD5
registry: 0x258d0d1e
path: mercury.exe
bytes: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c
  • Detect exploitation attempts by monitoring SMTP traffic for an AUTH CRAM-MD5 command followed by an abnormally long base64-encoded string on port 25.
  • The PoC sends a base64-encoded payload of 'QUFB' repeated 10000 times; alert on AUTH CRAM-MD5 responses followed by extremely long base64 strings (e.g., >1000 chars).
  • The Metasploit exploit uses a buffer of 204 bytes of random uppercase alpha + return address + payload padded to 1075 bytes, all base64-encoded; flag AUTH CRAM-MD5 responses with base64 payloads exceeding ~1500 bytes.
  • Post-exploitation: monitor for unexpected outbound bind shell connections on TCP port 1154 from the Mercury Mail server process.
  • The exploit targets the return address 0x258d0d1e in ter32.dll; use memory integrity or module load monitoring to detect ROP/ret2lib abuse of this address in Mercury Mail.
  • The exploit payload bad characters are null byte, LF, CR, space, and percent sign; payloads containing these in the AUTH CRAM-MD5 argument are likely not this exploit variant.
  • The vulnerability is pre-authentication; no valid credentials are required to trigger the overflow, meaning network-level SMTP access alone is sufficient for exploitation.
  • The Metasploit module targets only Mercury Mail Transport System 4.51 with the specific ret address in ter32.dll; other versions may require different offsets.
  • The CVE notes possible overlap with CVE-2006-5961, so detections may fire on both vulnerabilities if targeting the same AUTH CRAM-MD5 overflow vector.
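The length heuristic from the notes above, turned into a small session analyser. This is an added example, not code from the page or from any detection rule it links; it walks the client side of an SMTP session, and after each AUTH CRAM-MD5 command checks the response for the ">1000 chars" threshold and for whether it even decodes to the RFC 2195 shape `<user> <32-hex-digest>`. The sample session, the `alice`/`bob` names and the all-zero digest are constructed; the Metasploit buffer described above (1075 bytes, base64-encoded to about 1436 characters) would trip the same length rule.

```python
import base64
import re

# Heuristic thresholds and patterns taken from the detection notes above.
LONG_BASE64_CHARS = 1000                        # ">1000 chars" rule of thumb
AUTH_RE = re.compile(rb"^AUTH[ \t]+CRAM-MD5[ \t]*$", re.IGNORECASE)
# Strict base64 shape (correct length and padding), so b64decode cannot raise
BASE64_RE = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
# RFC 2195: a genuine response decodes to "<username> <32 lowercase hex digits>"
CRAM_RESPONSE_RE = re.compile(rb"^[^ ]+ [0-9a-f]{32}$")

def benign_response(user, hexdigest):
    """Build the client line a legitimate CRAM-MD5 authentication sends."""
    return base64.b64encode(user + b" " + hexdigest) + b"\r\n"

def analyse_session(client_lines):
    """Scan the client side of an SMTP session; returns one finding per flagged response."""
    findings = []
    awaiting_response = False
    for lineno, raw in enumerate(client_lines, 1):
        line = raw.rstrip(b"\r\n")
        if AUTH_RE.match(line):
            awaiting_response = True            # the next client line is the challenge response
            continue
        if not awaiting_response:
            continue
        awaiting_response = False
        reasons = []
        if len(line) > LONG_BASE64_CHARS:
            reasons.append("base64 response longer than %d chars" % LONG_BASE64_CHARS)
        if not BASE64_RE.match(line):
            reasons.append("response is not well-formed base64")
        elif not CRAM_RESPONSE_RE.match(base64.b64decode(line)):
            reasons.append("decoded response is not '<user> <32-hex-digest>'")
        if reasons:
            findings.append({"line": lineno, "length": len(line), "reasons": reasons})
    return findings

# Constructed sample session: one legitimate login, then the PoC shape from the notes
# ("QUFB" repeated 10000 times, which decodes to 30000 bytes of "A").
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"AUTH CRAM-MD5\r\n",
    benign_response(b"alice", b"0" * 32),       # fake digest, constructed for the sample
    b"MAIL FROM:<alice@example>\r\n",
    b"AUTH CRAM-MD5\r\n",
    b"QUFB" * 10000 + b"\r\n",
]
```

Running `analyse_session(SAMPLE_SESSION)` flags only the second response (line 6, 40000 characters) with both reasons; the legitimate login on line 3 passes.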