CVE-2004-0297

Ipswitch IMail - Buffer Overflow via LDAP Message with Large Tag Length

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-0297. PoCs were published by Metasploit, Johnny Cyberpunk, and hdm, including the Metasploit module exploits/windows/ldap/imail_thc.

AI-analyzed exploit summary: This is a Metasploit module exploiting a buffer overflow in the IMail LDAP service (CVE-2004-0297). It crafts a malicious LDAP packet with a long string of NOP sleds and a payload to achieve remote code execution on vulnerable Windows 2000 systems.

Description

Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16824

This is a Metasploit module exploiting a buffer overflow in the IMail LDAP service (CVE-2004-0297). It crafts a malicious LDAP packet with a long string of NOP sleds and a payload to achieve remote code execution on vulnerable Windows 2000 systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IMail LDAP Service (versions 6.x, 7.x, 8.x)
No auth needed
Prerequisites: Network access to the LDAP service (port 389) · Vulnerable version of IMail LDAP Service
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Johnny Cyberpunk · c · remote · windows
https://www.exploit-db.com/exploits/157

This exploit targets a buffer overflow vulnerability in the IMail LDAP service (CVE-2004-0297) to achieve remote code execution. It crafts a malicious LDAP packet with shellcode and connects to the target on port 389, then attempts to establish a reverse shell on port 31337.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IMail LDAP service versions 6, 7, and 8
No auth needed
Prerequisites: Network access to the target's LDAP port (389) · Target must be running a vulnerable version of the IMail LDAP service
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by hdm · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ldap/imail_thc.rb

This Metasploit module exploits a buffer overflow in the IMail LDAP service (CVE-2004-0297) by sending a maliciously crafted LDAP request to trigger remote code execution. It targets Windows 2000 systems running IMail versions 7.10 and 8.5.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IMail LDAP Service (versions 7.10, 8.x)
No auth needed
Prerequisites: Network access to the target's LDAP service (port 389)
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/972334
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9682
Various Sources third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=74
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15243
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3984

Scores

EPSS 0.6813
EPSS Percentile 99.2%

Details

Status published
Products (2)
ipswitch/imail 8.0.3
ipswitch/imail 8.0.5
Published Nov 23, 2004
Tracked Since Feb 18, 2026