I came across such a trick in an Exchange book. Basically you go into IIS
6.0 Metabase Explorer utility and locate the SMTP virtual server you want to
change (\lm\Smtpsvc\1). Then you highlight the "1" folder and click edit,
new, String Record and give it a value of 36907. After creating that, you
highlight the newly created record, double click on it and enter the new
banner information. Then restart the SMTP virtual server.
I have never tried it, just read it.
-----Original Message-----
From: Thierry Haven [mailto:thierry.haven@xmcopartners.com]
Sent: Wednesday, February 23, 2005 11:27 AM
To: Thierry Haven
Cc: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] smtpsvc and undocumented registry values
Hi,
I've been hacking around smtpsvc.dll (Windows Server 2003) in order to hide
the Server version when a mail is relayed:
Original header:
"from [192.168.X.X] ([192.168.X.X]) by winserv2003 with Microsoft
SMTPSVC(6.0.3790.0); Wed, 23 Feb 2005 15:47:51 +0100"
I found that it is possible to remove this information by patching the code
directly in the DLL:
Modified header:
"from [192.168.X.X] ([192.168.X.X]) by winserv2003 with some server;
Wed, 23 Feb 2005 15:49:51 +0100"
... Assuming that smtpsvc.dll checks its own version at runtime by
retrieving information in the .rsrc section of the PE thanks to version.dll
calls. However I'd like to know if there is a better way to disable this
"feature" (maybe a key in the registry ?).
Next I'd like to ask about such undocumented registry values. Where to find
information about them ?
Best Regards,
_______________________________________
Thierry Haven - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
