CVE-2006-1255

Mercur Messaging 5.0 SP3 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2006-1255. PoCs published by Metasploit, muts, Jacopo Cervini, including Metasploit module exploits/windows/imap/mercur_imap_select_overflow.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack-based buffer overflow in Mercur v5.0 IMAP server via a malformed SELECT command. It targets specific Windows versions with predefined return addresses to achieve remote code execution.

Description

Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.

Exploits (8)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16476

This is a Metasploit module exploiting a stack-based buffer overflow in Mercur v5.0 IMAP server via a malformed SELECT command. It targets specific Windows versions with predefined return addresses to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercur v5.0 IMAP SP3
Auth required
Prerequisites: Network access to the IMAP server · Valid IMAP credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16481

This is a Metasploit module exploiting a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3 via a malformed LOGIN command. It uses an egghunter to locate and execute the payload, targeting specific return addresses for Windows 2000 and XP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atrium Mercur IMAP 5.0 SP3
No auth needed
Prerequisites: Network access to the IMAP service (port 143) · Target system running vulnerable Mercur IMAP version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by muts · pythonremotewindows
https://www.exploit-db.com/exploits/3540

This exploit targets a buffer overflow vulnerability in Mercur Messaging 2005 SP3 IMAP service. It uses an egghunter technique to locate and execute a bind shell payload, providing remote code execution on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercur Messaging 2005 SP3 IMAP service
Auth required
Prerequisites: Network access to the IMAP service (port 143) · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Jacopo Cervini · perlremotewindows
https://www.exploit-db.com/exploits/3133

This exploit targets a buffer overflow vulnerability in the IMAP service (CVE-2006-1255) to achieve remote code execution. It sends a crafted SELECT command with NOP sleds, assembly instructions, and shellcode to spawn a bind shell on port 4444.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: IMAP service (likely Merak Mail Server)
Auth required
Prerequisites: Network access to the target IMAP service · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Jacopo Cervini · perlremotewindows
https://www.exploit-db.com/exploits/2345

This Perl script exploits a buffer overflow vulnerability in Sami FTP Server 2.0.2 via a malformed LOGIN command. It includes shellcode for a bind shell on port 4444 and supports multiple return addresses for different Windows versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sami FTP Server 2.0.2
No auth needed
Prerequisites: Network access to the target FTP server · Perl environment to run the script
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by pLL · cremotewindows
https://www.exploit-db.com/exploits/1592

This exploit targets a buffer overflow vulnerability in Atrium Mercur IMAP 5.0 SP3. It sends a crafted IMAP command with a malicious payload to achieve remote code execution, establishing a reverse shell to a specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atrium Mercur IMAP 5.0 SP3
Auth required
Prerequisites: network access to the target IMAP server · valid IMAP credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/mercur_imap_select_overflow.rb

This Metasploit module exploits a stack-based buffer overflow in Mercur v5.0 IMAP server by sending a maliciously crafted SELECT command. The exploit targets specific return addresses for Windows 2000 variants and delivers a payload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mercur v5.0 IMAP SP3
Auth required
Prerequisites: Network access to the IMAP server · Valid IMAP credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/mercur_login.rb

This Metasploit module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3 via a malformed LOGIN command. It uses an egghunter to locate the payload in memory and achieves remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atrium Mercur IMAP 5.0 SP3
No auth needed
Prerequisites: Network access to the target IMAP service (port 143) · Vulnerable version of Atrium Mercur IMAP
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0977
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23950
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25290
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2006/Mar/1111
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2006/Mar/1167
Exploit, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19267
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17138

Scores

EPSS 0.6815
EPSS Percentile 99.2%

Details

Status published
Products (1)
mercur/mercur_messaging < 2005_5.0_sp3
Published Mar 19, 2006
Tracked Since Feb 18, 2026