-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathnullsec-worldmail.txt
95 lines (54 loc) · 1.67 KB
/
nullsec-worldmail.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
===============================================================================
| |
____ _ __
___ __ __/ / /__ ___ ______ ______(_) /___ __
/ _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
/_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
/___/ team
PUBLIC SECURITY ADVISORY
| |
===============================================================================
TITLE
=====
WorldMail 3.0 IMAPD SEH overflow (egg hunter payload)
AUTHOR
======
TheXero
DATE
====
09-01-2012
VENDOR
======
Qualcomm
AFFECTED PRODUCT
================
WorldMail 3.0 IMAPD
AFFECTED PLATFORMS
==================
Windows
VULNERABILITY CLASS
===================
Unauthenticated remote Structured Exception Handler - Code execution
DESCRIPTION
===========
By sending an overly long 'a001 LIST' request via an unauthenticated session to
the listening WorldMail 3 IMAP daemon it is possible to crash the service by
overwriting SEH.
PROOF OF CONCEPT
================
[+] http://www.nullsecurity.net/tools/exploit/wm-imapd.py
IMPACT
======
Remote code execution.
THREAT LEVEL
============
Critical
STATUS
======
Not fixed.
DISCLAIMER
==========
nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!
Copyright (c) 2011 - nullsecurity.net