module
Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow
Disclosed | Created |
---|---|
2006-05-21 | 2018-05-30 |
Description
This exploit takes advantage of a stack-based overflow. Once the stack
corruption has occurred, it is possible to overwrite a pointer which is
later used for a memcpy. This gives us a write-anything-anywhere condition
similar to a format string vulnerability.
NOTE: The popsubfolders option is a non-default setting.
I chose to overwrite the GOT with my shellcode and return to it. This
defeats the VA random patch and possibly other stack protection features.
Tested on gentoo-sources Linux 2.6.16. Although Fedora Core 5 ships with
a version containing the vulnerable code, it is not exploitable due to the
use of the FORTIFY_SOURCE compiler enhancement.
Authors
bannedit bannedit@metasploit.com
jduck jduck@metasploit.com
Platform
Linux
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
